WEB APPLICATION FIREWALL FortiWeb™ 5.
FortiWeb 5.0 Patch 6 Administration Guide
February 19, 2014, 2nd Edition
Copyright© 2014 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard® are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary.
Table of contents
Introduction ... 13
  Benefits ... 13
  Architecture ... 14
  Scope
Planning the network topology
  How to choose the operation mode
    Supported features in each operation mode
    Matching topology with operation mode & HA mode
  Topology for reverse proxy mode
Auto-learning
  How to adapt auto-learning to dynamic URLs & unusual parameters
    Configuring URL interpreters
      Example: URL interpreter for a JSP application
      Example: URL interpreter for Microsoft Outlook Web App 2007
      Example: URL interpreter for WordPress
Users ... 221
  Authentication styles
    Via the “Authorization:” header in the HTTP/HTTPS protocol
    Via forms embedded in the HTML
    Via a personal certificate
How to offload or inspect HTTPS ... 283
  Generating a certificate signing request ... 285
  Uploading a server certificate ... 289
    Supplementing a server certificate with its signing chain ... 291
How to apply PKI client authentication (personal certificates)
Rewriting & redirecting ... 367
  Example: HTTP-to-HTTPS redirect ... 373
  Example: Full host name/URL translation ... 376
  Example: Sanitizing poisoned HTML ... 380
  Example: Inserting & deleting body text
Configuring a server policy ... 483
  Enabling or disabling a policy ... 497
Anti-defacement ... 498
  Reverting a defaced web site ... 503
Compliance
Logging ... 542
  About logs & logging ... 543
    Log types ... 543
    Log severity levels ... 544
    Log rate limits
Fine-tuning & best practices ... 608
  Hardening security
    Topology
    Administrator access
    User access
Solutions by issue type
  Connectivity issues
    Checking hardware connections
    Examining the ARP table
    Checking routing
Introduction
Welcome, and thank you for selecting Fortinet products for your network. FortiWeb hardware and FortiWeb-VM virtual appliance models are available that are suitable for medium and large enterprises, as well as service providers.
Benefits
FortiWeb is designed specifically to protect web servers.
* On VM models, acceleration is due to offloading the cryptography burden from the back-end server. On hardware models, cryptography is also hardware-accelerated via ASIC chips. FortiWeb significantly reduces deployment costs by consolidating WAF, hardware acceleration, load balancing, and vulnerability scanning into a single device with no per-user pricing.
After completing “How to set up your FortiWeb” on page 60:
• You will have administrative access to the web UI and/or CLI.
• You will have completed firmware updates, if any.
• The system time, DNS settings, administrator password, and network interfaces will be configured.
• You will have set the operation mode.
• You will have configured basic logging.
• You will have created at least one server policy.
• You may have completed at least one phase of auto-learning to jump-start your configuration.
What’s new
The list below contains features new or changed since FortiWeb 5.0. For upgrade information, see the Release Notes available with the firmware and “Updating the firmware” on page 77.
FortiWeb 5.0 Patch 6
• No new features. Bug fixes only.
FortiWeb 5.0 Patch 5
• RADIUS vendor-specific attributes for access profiles — If your administrator accounts authenticate via a RADIUS query, you can assign their access profile using RFC 2548 Microsoft Vendor-specific RADIUS Attributes.
FortiWeb 5.0 Patch 1
• Site publishing — You can now easily publish Microsoft Outlook Web Access (OWA), SharePoint, Lync and other web applications. FortiWeb streamlines access to the applications by providing offloaded authentication with optional single sign-on (SSO) functionality. See Site Publish and “Single sign-on (SSO)” on page 243.
• “Alert Only” action for individual signatures — To provide better flexibility, you can now choose an Alert Only action for individual attack signatures.
• IPv6 support — If FortiWeb is operating in reverse proxy mode, the following features now support IPv6-to-IPv6 forwarding, as well as NAT64, to support environments where legacy back-end equipment only supports IPv4.
  • X-Forwarded-For
  • Shared IP
  • Policy bypasses for known search engines
  • Geo IP
  • DoS Protection
  • IP Reputation
  • URL Rewriting (also redirection)
  • HTTP Authentication and LDAP, RADIUS, and NTLM profiles
  • Data Analytics
  • Log-based reports
  • Alert email
  • Syslog and FortiAnalyzer IP addresses
  • NTP
  • FTP immediate/scheduled
  • OCSP/SCEP
  • Anti-defacement
  • HA/Configuration sync
  • exec restore
  • exec backup
  • exec traceroute
  • exec telnet
• Challenge action for application-level anti-DoS — Rather than si
FortiWeb returns to clients when blocking violation traffic. See Error Page Return Code in “Configuring a server policy” on page 483.
• Seamless FortiWeb-VM vCPU license upgrades — Now you can increase the capacity of FortiWeb-VM to 2, 4, or 8 vCPUs without first invalidating the license. Previously, a new license could be uploaded only while the current license was invalid, thereby temporarily interrupting service. See the FortiWeb-VM Install Guide.
• Static routes moved — They are now located under the System > Network menu. See “Adding a gateway” on page 125.
• FortiGuard updates moved — They are now located under the System > Config menu, similar to FortiGate 5.0. Configuration of the antivirus database has also moved. See “Choosing the virus signature database & decompression buffer” on page 138.
• LDAP, RADIUS, NTLM profiles moved — They are now located under the new User > Remote Server menu to make obvious the dichotomy versus local authentication.
Key concepts
This chapter defines basic FortiWeb concepts and terms. If you are new to FortiWeb, or new to security, this chapter can help you to quickly understand.
See also
• Appliance vs. VMware
Workflow
Begin with “How to set up your FortiWeb” on page 60 for your initial deployment. These instructions will guide you to the point where you have a simple, verifiably working installation. Ongoing use is located in the chapters after “How to set up your FortiWeb”.
Except for features independent of policies such as anti-defacement, most features are configured before policies. Policies link protection components together and apply them. As such, policies usually should be configured last, not first.
Sequence of scans
FortiWeb appliances apply protection rules and perform protection profile scans in the following order of execution, which varies by whether you have applied a web protection profile.
Table 1: Execution sequence (web protection profile)
(columns: Scan/action; Involves)
• Block Period: Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers” on page 266) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
• IP List *: Source IP address of the client in the IP layer (individual client IP black list or white list)
• Add X-Forwarded-For: Source IP address of
• HTTP Request Limit/sec (Standalone IP) (HTTP Access Limit): ID field of the IP header; Source IP address of the client (depending on your configuration of X-header rules (see “Defining your proxies, clients, & X-headers” on page 266) this could be derived from either the SRC field in the IP header, or an HTTP header such as X-Forwarded-For: or X-Real-IP:)
• HTTP Authentication: Authorization:
• Global White List: Cookie: cookie
• Trojans: HTTP body
• Bad Robot: User-Agent:
• Parameter Validation; Cross Site Scripting, SQL Injection, Generic Attacks (attack signatures): Host:; URL in the HTTP header; name, data type, and length of tags except; Cookie:; parameters in the URL in the HTTP header, or in the HTTP body (depending on the HTTP method) for tags except; XML content in the HTTP body (if E
• URL Rewriting (rewriting): Host:; Referer:; Location:; URL in HTTP header; HTTP body
• File Compress: Accept-Encoding:
* If a source IP is white listed, subsequent checks will be skipped.
Solutions for specific web attacks
The types of attacks that web servers are vulnerable to are varied, and evolve as attackers try new strategies.
Table 2: Web-related threats
(columns: Attack Technique; Description; Protection; FortiWeb Solution)
• Adobe Flash binary (AMF) protocol attacks
  Description: Attackers attempt XSS, SQL injection or other common exploits through an Adobe Flash client.
  Protection: Decode and scan Flash action message format (AMF) binary data for matches with attack signatures.
• Credit card theft
  Description: Attackers read users’ credit card information in replies from a web server.
  Protection: Detect and sanitize credit card data leaks. Helps you comply with credit card protection standards, such as PCI DSS 6.6.
• Cross-site request forgery (CSRF)
  Description: A script causes a browser to access a web site on which the browser has already been authenticated, giving a third party access to a user’s session on that site.
• Local file inclusion (LFI)
  Description: LFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an LFI, a client includes directory traversal commands (such as ../../ for web servers on Linux, Apple Mac OS X, or Unix distributions) when submitting input.
  Protection: Block directory traversal commands.
  FortiWeb Solution: Generic Attacks
• Remote file inclusion (RFI)
  Description: RFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an RFI, a client includes a URL to a file on a remote host, such as source code or scripts, when submitting input. This causes vulnerable web servers to either execute it or include it in its own web pages.
  Protection: Prevent inclusion of references to files on other web servers.
• SQL injection
  Description: The web application inadvertently accepts SQL queries as input. These are executed directly against the database for unauthorized disclosure and modification of data.
  Protection: Rely on key word searches, restrictive context-sensitive filtering and data sanitization techniques.
For more information on policy creation, see “DoS prevention” on page 338 and “Blacklisting source IPs with poor reputation” on page 329.
Table 3: DoS-related threats
(columns: Attack Technique; Description; FortiWeb Solution)
• Botnet
  Description: Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s). Well-known examples include LOIC, HOIC, and Zeus.
  FortiWeb Solution: IP Reputation
• Slowloris
  Description: Slowly but steadily consumes all available sockets by sending partial HTTP requests at regular intervals. Each HTTP header is never finished by a new line (/r/n) according to the specification, and therefore the server waits for the client to finish, keeping its socket open. This slowly consumes all sockets on a web server without a noticeable spike in new TCP/IP connections or bandwidth.
At each time, some inputs/actions are known to be valid and possible, while others are not. Without memory of history to define the current context, which actions are valid and possible, and therefore how it should function, cannot be known. When software cannot function without memory, it is stateful.
Figure 3: Invalid state transition in a vending machine
Similar to the working vending machine, in the TCP protocol, a connection cannot be acknowledged (ACK) or data sent (PSH) before the connection has been initiated (SYN). There is a definite order to valid operations, based upon the operation that preceded it. If a connection is not already established — not in a state to receive data — then the receiver will disregard it.
Figure 4: Attack bypassing logical state transitions in a session
If they do not enforce valid state transitions and guard session IDs and cookies from fraud (including sidejacking attacks made famous by Firesheep) or cookie poisoning, web applications become vulnerable to state transition-based attacks — attacks where pages are requested out of the expected order, by a different client, or where inputs used for the next page are not as expected.
How can FortiWeb know if a request is the client’s first HTTP request? If FortiWeb were to treat each request independently, without knowledge of anything previous, it would not be able to remember the authentication request, and therefore could not enforce page order. To fill this need for context, enable Session Management. When enabled:
1. For the first HTTP/HTTPS request from a client, FortiWeb embeds a cookie in the response’s Set-Cookie: field in the HTTP header. It is named cookiesession1.
Sessions & FortiWeb HA
The table of FortiWeb client session histories is not synchronized between HA members. If a failover occurs, the new active appliance will recognize that old session cookies are from a FortiWeb, and will allow existing FortiWeb sessions to continue. Clients’ existing sessions will not be interrupted.
After the failover, FortiWeb B would receive the next HTTP request in the session. Because it was previously the standby when the client initiated the session, and FortiWeb session tables are not synchronized, FortiWeb B has no knowledge of the FortiWeb session cookie in this request. As a result, it cannot enforce sequence-specific features such as page order, since it does not know the session history. However, a FortiWeb session cookie is present.
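The session behaviour described in this section, as an added example that is not FortiWeb code: a small model of one HA member that issues the cookiesession1 cookie on a client's first request, enforces a start page and a page-order rule while it knows the session history, and adopts a cookie minted by the other member after a failover without enforcing order. The cluster tag used to recognise a FortiWeb-issued cookie, the start page, the page-order rule and the request format are assumptions made for this example.

```python
import secrets

COOKIE_NAME = "cookiesession1"   # cookie name documented in the guide
CLUSTER_TAG = "fw1"              # assumed prefix marking a cookie as minted by this cluster
START_PAGE = "/login"            # assumed start page
# Assumed page-order rule: path -> page that must already appear in the session history.
PAGE_ORDER = {"/account": "/login", "/transfer": "/account"}


class Appliance:
    """One HA member. Its session table is local and never synchronized."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}       # session id -> {"history": [...], "known_start": bool}

    def _mint(self):
        sid = f"{CLUSTER_TAG}-{secrets.token_hex(8)}"
        self.sessions[sid] = {"history": [], "known_start": True}
        return sid

    def handle(self, path, cookies=None):
        """Decide one request. Returns action, reason and any Set-Cookie value."""
        cookies = cookies or {}
        sid = cookies.get(COOKIE_NAME)
        result = {"action": "allow", "reason": "", "set_cookie": None}

        if sid is not None and sid in self.sessions:
            sess = self.sessions[sid]
        elif sid is not None and sid.startswith(CLUSTER_TAG + "-"):
            # Failover case: the cookie was minted by a FortiWeb (the other HA member),
            # but this appliance never saw the session start. The session continues,
            # but sequence-specific checks cannot be applied: the history is unknown.
            sess = self.sessions[sid] = {"history": [], "known_start": False}
            result["reason"] = "session adopted after failover; page order not enforced"
        else:
            # No cookie, or a cookie this cluster did not mint: a new session begins.
            sid = self._mint()
            sess = self.sessions[sid]
            result["set_cookie"] = f"{COOKIE_NAME}={sid}"
            if path != START_PAGE:
                result.update(action="block", reason="start page violation")
                return result

        if sess["known_start"]:
            needed = PAGE_ORDER.get(path)
            if needed is not None and needed not in sess["history"]:
                result.update(action="block", reason=f"page order: {needed} must precede {path}")
                return result
        elif not result["reason"]:
            result["reason"] = "page order not enforced: session history unknown"

        sess["history"].append(path)
        return result


def cookies_from(result):
    """Build the cookie jar a client would send back after this response."""
    if result["set_cookie"] is None:
        return {}
    name, _, value = result["set_cookie"].partition("=")
    return {name: value}


def simulate_failover():
    """Walk one session through appliance A, then fail over to appliance B."""
    a, b = Appliance("A"), Appliance("B")
    r1 = a.handle("/login")                 # first request: A issues the cookie
    jar = cookies_from(r1)
    r2 = a.handle("/account", jar)          # order satisfied, A knows the history
    r3 = b.handle("/account", jar)          # after failover: B adopts, no history
    r4 = b.handle("/transfer", jar)         # allowed, order still not enforceable
    r5 = b.handle("/account", {COOKIE_NAME: "not-a-fortiweb-cookie"})  # foreign cookie
    return [r1, r2, r3, r4, r5]


if __name__ == "__main__":
    for step, r in enumerate(simulate_failover(), 1):
        print(step, r["action"], r["reason"] or "-")
```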
Failover is triggered by any interruption to either the heartbeat or a port monitored network interface whose length of time exceeds your configured limits (Detection Interval x Heartbeat Lost Threshold). When the active (“main”) appliance becomes unresponsive, the standby appliance:
1. Notifies the network via ARP that the network interface IP addresses (including the IP address of the bridge, if any) are now associated with its virtual MAC addresses
2.
to request volume, and therefore can change very rapidly. To minimize the performance impact on an HA cluster, this data is not synchronized. Failover will not break web applications’ existing sessions, which do not reside on the FortiWeb, and are not the same thing as FortiWeb’s own HTTP sessions. The new active appliance will allow existing web application sessions to continue. For more information, see “FortiWeb sessions vs. web application sessions” on page 37.
(columns: Setting; Explanation)
• Network interfaces (reverse proxy or offline protection mode only): Only the FortiWeb appliance acting as the main appliance, actively scanning web traffic, is configured with IP addresses on its network interfaces (or bridge). The standby appliance will only use the configured IP addresses if a failover occurs, and the standby appliance therefore must assume the role of the main appliance.
How HA chooses the active appliance
An HA pair may or may not resume their active and standby roles when the failed appliance resumes responsiveness to the heartbeat. Since the current active appliance will by definition have a greater uptime than a failed previous active appliance that has just returned online, assuming each has the same number of available ports, the current active appliance usually retains its status as the active appliance, unless Override is enabled.
How to use the web UI
This topic describes aspects that are general to the use of the web UI, a graphical user interface (GUI) that provides access to the FortiWeb appliance from within a web browser.
For first-time connection, see “Connecting to the web UI” on page 72. The default URL to access the web UI through the network interface on port1 is: https://192.168.1.99/ If the network interfaces were configured during installation of the FortiWeb appliance (see “Configuring the network settings” on page 111), the URL and/or permitted administrative access protocols may no longer be in their default state.
For example, when configuring DoS protection, configuration must occur in this order: 1.
to each area of the FortiWeb software. For more information on configuring the access profile that an administrator account can use, see “Configuring access profiles” on page 216.
Table 4: Areas of control in access profiles
(columns: Access profile setting; Grants access to*)
• Admin Users (admingrp)
  Web UI: System > Admin ... except Settings
  CLI: config system admin; config system accprofile
• Auth Users (authusergrp)
  Web UI: User ...
  CLI: config user ...
• System Configuration (sysgrp)
  Web UI: System ... except Network, Admin, and Maintenance tabs
  CLI: config system except accprofile, admin, dns, interface, and v-zone; diagnose hardware ...; diagnose network sniffer ...; diagnose system ... except flash ...; execute date ...; execute ha ...; execute ping ...; execute ping-options ...; execute traceroute ...; execute time ...
• Web Protection Configuration (wafgrp)
  Web UI: Policy > Web Protection ...; Web Protection ...; DoS Protection ...
  CLI: config system dos-prevention; config waf except:
    • config waf file-compress-rule
    • config waf file-uncompress-rule
    • config waf http-authen ...
    • config waf url-rewrite ...
See also
• Configuring access profiles
• Administrators
• Trusted hosts
Trusted hosts
As their name implies, trusted hosts are assumed to be (to a reasonable degree) safe sources of administrative login attempts. Configuring the trusted hosts of your administrator accounts (Trusted Host #1, Trusted Host #2, and Trusted Host #3) hardens the security of your FortiWeb appliance by further restricting administrative access.
2. Configure these settings:
(columns: Setting name; Description)
Web Administration Ports
• HTTP: Type the TCP port number on which the FortiWeb appliance will listen for HTTP administrative access. The default is 80. This setting has an effect only if HTTP is enabled as an administrative access protocol on at least one network interface. For details, see “Configuring the network interfaces” on page 113.
• HTTPS: Type the TCP port number on which the FortiWeb appliance will listen for HTTPS administrative access.
Web Administration
• Language: Select which language to use when displaying the web UI. Languages currently supported by the web UI are:
  • English
  • simplified Chinese
  • traditional Chinese
  • Japanese
  The display’s web pages will use UTF-8 encoding, regardless of which language you choose. UTF-8 supports multiple languages, and allows them to display correctly, even when multiple languages are used on the same web page.
Security Settings
• Enable Single Admin User login: To prevent inadvertent configuration overwrites or conflicts, enable to allow only one session from one administrator account to be logged in at any given time.
Buttons, menus, & the displays
Figure 8: Web UI parts (callouts: Navigation menu; Submenu; Toolbar; Content pane (may contain tabs or sub-panes); Dashboard widget)
A navigation menu is located on the left side of the web UI. To expand a menu item, simply click it. To expand a submenu item, click the + button located next to the submenu name, or click the submenu name itself. To view the pages located within a submenu, click the name of the page.
Each tab or pane (per “Permissions” on page 47) displays or allows you to modify settings, using a similar set of buttons.
Table 5: Common buttons and menus
(columns: Icon; Description)
• Click to collapse a visible area.
• Click to expand a hidden area.
• Click to view the first page’s worth of records within the tab or pane. If this button is grey, you are already viewing the first page.
• Click to view the page’s worth of records that is 10 pages previous to the currently displayed page.
• Clone: Click to create a new entry by duplicating an existing entry. To use this button, you must first mark a check box to select an existing entry upon which the new entry will be based.
• Delete: Click to remove an existing entry. To use this button, you must first mark a check box to select which existing entry you want to remove. To delete multiple entries, either mark the check boxes of each entry that you want to delete, then click Delete.
See also
• Buttons, menus, & the displays
• Renaming entries
Renaming entries
In the web UI, each entry’s name is not editable after you create and save it. For example, let’s say you create a policy whose Name is “PolicyA”. While configuring the policy, you change your mind about the policy’s name a few times, and ultimately you change the Name to “Blog-Policy”. Finally, you click OK to save the policy. Afterwards, if you edit the policy, most settings can be changed.
To power off the FortiWeb appliance
1. Access the CLI or web UI. For details, see “Connecting to the web UI or CLI” on page 71.
2. From the CLI console, enter the following command:
execute shutdown
Alternatively, if you are connected to the web UI, go to System > Status > Status, and in the Operation widget, click ShutDown. You may be able to hear the appliance become quieter when it halts its hardware and operating system, indicating that power can be safely disconnected.
3.
How to set up your FortiWeb
These instructions will guide you to the point where you have a simple, verifiably working installation. From there, you can begin to use optional features and fine-tune your configuration. If you are deploying gradually, you may want to initially install your FortiWeb in offline protection mode during the transition phase.
Planning the network topology
To receive traffic intended for web servers that your FortiWeb appliance will protect, you usually must install the FortiWeb appliance between the web servers and all clients that access them. The network configuration should make sure that all network traffic destined for the web servers must first pass to or through the FortiWeb appliance (depending on your operation mode).
Because this is such a pivotal factor, consider the implications carefully before you make your choice. It can be time-consuming to reconfigure your network if you switch modes later. If you are not sure which operation mode is best for you, you can deploy in offline protection mode temporarily. This will allow you to implement some features and gather auto-learning data while you decide.
Supported features in each operation mode
Many features work regardless of the operation mode that you choose.
Table 6: Feature support that varies by operation mode
Feature                 | Reverse proxy | True transparent proxy: HTTP | True transparent proxy: HTTPS | Transparent inspection | Offline protection
Page Order Rules        | Yes | Yes   | Yes    | No      | No
Rewriting / Redirection | Yes | Yes   | Yes    | No      | No
Session Management      | Yes | Yes * | Yes *  | Yes *   | Yes *
Site Publishing         | Yes | Yes   | Yes    | No      | No
SSL/TLS Offloading      | Yes | N/A   | No     | No      | No
SSLv3 Support           | Yes | N/A   | Yes ~  | Yes ~¶  | Yes ~¶
SSLv2 Support           | Yes | N/A   | No     | No      | No
Start Page Enforcement  | Yes | Y
Requests are destined for a virtual server’s network interface and IP address on the FortiWeb appliance, not a web server directly. FortiWeb applies full NAT. DNS A record changes may be required in reverse proxy mode due to NAT. Also, servers will see the IP of FortiWeb, not the source IP of clients, so verify that the server does not apply source IP-based features such as rate limiting or geographical analysis.
which is connected to the web servers. The FortiWeb appliance provides load-balancing between the two web servers. Alternatively, you could connect the web servers directly to the FortiWeb appliance: Web Server 1 could have been connected to port3, and Web Server 2 could have been connected to port4. Virtual servers can be on the same subnet as physical servers. This configuration creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could forward to the physical server 10.0.0.2.
Figure 11: Example network topology: transparent modes
Figure 11 shows one example of network topology for either true transparent proxy or transparent inspection mode. A client accesses a web server over the Internet through a FortiWeb appliance. A firewall is installed between the FortiWeb appliance and the Internet to regulate non-HTTP/HTTPS traffic. Port1 is connected to the administrator’s computer. Port3 is connected to the firewall. Port4 is connected to the web servers.
Topology for offline protection mode
“Out-of-band” is an appropriate descriptor for this mode. Minimal changes are required. It does not introduce any latency. However, many features are not supported (see “Supported features in each operation mode” on page 62). Most organizations do not permanently deploy their FortiWeb in offline protection mode.
If you select offline protection mode, you can configure Blocking Port to select the port from which TCP RST (reset) commands are sent to block traffic that violates a policy. Figure 12 shows an example one-arm network topology for offline protection mode. A client accesses two web servers over the Internet through a FortiWeb appliance. A firewall is installed between the FortiWeb appliance and the Internet to regulate non-HTTP/HTTPS traffic. Port1 is connected to the administrator’s computer.
Figure 13: Example network topology: reverse proxy mode with HA
If you use a switch to connect the heartbeat interfaces, they must be reachable by Layer 2 multicast. If FortiWeb will not be operating in reverse proxy mode (such as for either true transparent proxy mode or transparent inspection mode), typically you would not use FortiWeb HA — this could require changes to your network scheme, which defeats one of the key benefits of the transparent modes: it requires no IP changes.
Figure 14: Example network topology: transparent proxy mode with configuration synchronization and external HA via FortiADC
Unlike with FortiWeb HA, with external HA, that HA device must itself detect when a FortiWeb has failed in order to redirect the traffic stream. (FortiWeb has no way of actively notifying the external HA device.
Connecting to the web UI or CLI
To configure, maintain, and administer the FortiWeb appliance, you need to connect to it. There are two methods:
• Web UI — A graphical user interface (GUI), from within a web browser. It can display reports and logs, but lacks many advanced diagnostic commands. For usage, see “How to use the web UI” on page 45.
Access to the CLI and/or web UI through your network is not yet configured if:
• you are connecting for the first time
• you have just reset the configuration to its default state
• you have just restored the firmware
In these cases, you must initially connect your computer directly to FortiWeb, using the default settings. If you are installing a FortiWeb-VM virtual appliance, you should have already connected if you followed the instructions in the FortiWeb-VM Install Guide.
Requirements
• a computer with an RJ-45 Ethernet network port
• a web browser such as Microsoft Internet Explorer version 6.0 or greater, or Mozilla Firefox 3.5 or greater
• a crossover Ethernet cable
To connect to the web UI
1. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask of 255.255.255.0.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiWeb appliance’s port1.
3.
“Updating the firmware” on page 77. Otherwise, to continue by setting an administrative password, see “Changing the “admin” account password” on page 90. If 3 incorrect login or password attempts occur in a row, your IP address will be temporarily blacklisted from the GUI and CLI (network, not console). This is to protect the appliance from brute force login attacks. Wait 1 minute, then attempt the login again.
2. Verify that the FortiWeb appliance is powered on. 3. On your management computer, start PuTTY. 4. In the Category tree on the left, go to Connection > Serial and configure the following:
Serial line to connect to: COM1 (or, if your computer has multiple serial ports, the name of the connected serial port)
Speed (baud): 9600
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None
5. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select Serial.
8. Select Open. The SSH client connects to the FortiWeb appliance. The SSH client may display a warning if this is the first time you are connecting to the FortiWeb appliance and its SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiWeb appliance but it used a different IP address or SSH key. If your management computer is directly connected to the FortiWeb appliance with no network hosts between them, this is normal. 9.
Updating the firmware Your new FortiWeb appliance comes with the latest operating system (firmware) when shipped. However, if a new version has been released since your appliance was shipped, you should install it before you continue the installation. Fortinet periodically releases FortiWeb firmware updates to include enhancements and address issues. After you register your FortiWeb appliance, FortiWeb firmware is available for download at: https://support.fortinet.
5. Copy the new firmware image file to the root directory of the TFTP server. 6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.) Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet.
14.Type the firmware image file name and press Enter. The FortiWeb appliance downloads the firmware image file from the TFTP server and displays a message similar to the following: MAC:00219B8F0D94 ########################### Total 28385179 bytes data downloaded. Verifying the integrity of the firmware image..
an earlier build number (530) and date (110929 means September 29, 2011), indicates that you are reverting. Back up all parts of your configuration before beginning this procedure. Some backup types do not include the full configuration. For full backup instructions, see “Backups” on page 206. Reverting to an earlier firmware version could reset settings that the earlier firmware does not support. For example, FortiWeb 5.0 configuration files are not compatible with previous firmware versions.
6. Click OK. Your management computer uploads the firmware image to the FortiWeb appliance. The FortiWeb appliance installs the firmware and restarts. The time required varies by the size of the file and the speed of your network connection. If you are downgrading the firmware to a previous version, and the settings are not fully backwards compatible, the FortiWeb appliance may either remove incompatible settings, or use the feature’s default values for that version of the firmware.
6. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.) Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, turn off tftpd immediately when you are done. 7.
The time required varies by the size of the file and the speed of your network connection. If you are downgrading the firmware to a previous version, the FortiWeb appliance reverts the configuration to default values for that version of the firmware. You will need to reconfigure the FortiWeb appliance or restore the configuration file from a backup. For details, see “Connecting to the web UI or CLI” on page 71 and, if you opt to restore the configuration, “Restoring a previous configuration” on page 210.
To update the firmware of an HA pair 1. Verify that both of the members in the HA pair are powered on and available on all of the network interfaces that you have configured. If required ports are not available, HA port monitoring could inadvertently trigger an additional failover and traffic interruption during the firmware update. 2. Log in to the web UI of the primary appliance as the admin administrator. (You cannot connect to an appliance while it is the standby.
To install alternate firmware via the web UI 1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/ 2. Log in to the web UI of the FortiWeb appliance as the admin administrator, or an administrator account whose access profile contains Read and Write permissions in the Maintenance category. Updating firmware on an HA pair requires some additions to the usual steps for a standalone appliance. For details, see “Updating firmware on an HA pair” on page 83. 3.
8. To verify that the firmware was successfully installed, log in to the web UI and go to System > System > Status. In the System Information widget, the Firmware Version row indicates the currently installed firmware version. To install alternate firmware via the CLI 1. Download the firmware file from the Fortinet Technical Support web site: https://support.fortinet.com/ 2. Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-modem cable. 3.
Please connect TFTP server to Ethernet port "1". 11.Type G to get the firmware image from the TFTP server. The following message appears: Enter TFTP server address [192.168.1.168]: 12.Type the IP address of the TFTP server and press Enter. The following message appears: Enter local address [192.168.1.188]: 13.Type a temporary IP address that can be used by the FortiWeb appliance to connect to the TFTP server. The following message appears: Enter firmware image file name [image.out]: 14.
2. Go to System > Maintenance > Backup & Restore. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “Permissions” on page 47. 3. In the Firmware area, click Boot alternate firmware. A warning message appears. 4. Click OK. A message appears instructing you to refresh your browser in a few minutes after the appliance has booted the other firmware.
If you successfully interrupt the startup process, the following menu appears: [G]: Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter G,F,B,Q,or H: Please connect TFTP server to Ethernet port "1". 6. Type B to reboot and use the backup firmware. See also • Installing alternate firmware Fortinet 89 FortiWeb 5.
Changing the “admin” account password The default administrator account, named admin, initially has no password. Unlike other administrator accounts, the admin administrator account exists by default and cannot be deleted. The admin administrator account is similar to a root administrator account. This administrator account always has full permission to view and change all FortiWeb configuration options, including viewing and changing all other administrator accounts.
Setting the system time & date You can either manually set the FortiWeb system time or configure the FortiWeb appliance to automatically keep its system time correct by synchronizing with a Network Time Protocol (NTP) server. For many features to work, including scheduling, logging, and SSL/TLS-dependent features, the FortiWeb system time must be accurate. To configure the system time via the web UI 1. Go to System > Maintenance > System Time. The Time Settings dialog appears in a pop-up window.
3. If you want FortiWeb to automatically synchronize its clock with an NTP server (recommended), configure these settings: Setting name Description Synchronize with NTP Server Select this option to automatically synchronize the date and time of the FortiWeb appliance’s clock with an NTP server, then configure the Server and Sync Interval fields before you click Apply. Server Type the IP address or domain name of an NTP server or pool, such as pool.ntp.org.
To configure NTP via the CLI To synchronize with an NTP server, enter the following commands:
config system global
  set ntpsync enable
  set timezone <timezone_index>
  set ntpserver {<server_ipv4> | <server_fqdn>}
end
where: • <timezone_index> is the index number of the time zone in which the FortiWeb appliance is located (to view the list of valid time zones and their associated index numbers, enter a question mark) • {<server_ipv4> | <server_fqdn>} is a choice of either the IP address or fully qualified domai
Setting the operation mode Once the FortiWeb appliance is mounted and powered on, you have physically connected the FortiWeb appliance to your overall network, and you have connected to either the FortiWeb appliance’s web UI or CLI, you must configure the operation mode. You will usually set the operation mode once, during installation or when using the Setup Wizard.
Figure 15:Operation mode (reverse proxy) Figure 16:Operation mode (true transparent proxy) If you are changing to true transparent proxy or transparent inspection mode, also configure Default Gateway with the IP address of the next hop router, and configure Management IP with the IP address of port1. 3. Click Apply. 4. If you have not yet adjusted the physical topology to suit the new operation mode, see “Planning the network topology” on page 61.
3. If you have not yet adjusted the physical topology to suit the new operation mode, see “Planning the network topology” on page 61. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers, and enable or disable SSL/TLS on your web servers.
Configuring a high availability (HA) FortiWeb cluster By default, FortiWeb appliances are each a single, standalone appliance. They operate independently. If you have purchased more than one, however, you can configure the FortiWeb appliances to form an active-passive high availability (HA) FortiWeb cluster. This improves availability so that you can achieve 99.999% service level agreement (SLA) uptimes regardless of, for example, hardware failure or maintenance periods.
Figure 17:HA topology and failover — IP address transfer to the new active appliance For best fault tolerance, make sure that your topology is fully redundant, with no single points of failure. For example, in Figure 17, the switch, firewall, and Internet connection are all single points of failure. If any should fail, web sites would be unavailable, despite the HA cluster.
For example, if: • Detection Interval is 3 (i.e. 0.3 seconds) • Heartbeat Lost Threshold is 2 • ARP Packet Numbers is 3 • ARP Packet Interval is 1 • Network switches etc. take 2 seconds to acknowledge and redirect traffic flow then the total time between the first unacknowledged heartbeat and traffic redirection could be up to 5.6 seconds. When the former active appliance comes back online, it may or may not assume its former active role.
3. Physically link the FortiWeb appliances that will be members of the HA cluster. You must link at least one of their ports (e.g. port4 to port4) for heartbeat and synchronization traffic between members of the cluster. You can either: • link two appliances directly via a crossover cable • link the appliances through a switch If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer 2 multicast. Maintain the heartbeat link(s).
7. Configure these settings: Setting name Description Group-name Type a name to identify the HA pair if you have more than one. This setting is optional, and does not affect HA function. The maximum length is 35 characters. Device Priority Type the priority of the appliance when electing the primary appliance in the HA pair. (On standby devices, this setting can be reconfigured using the CLI command execute ha manage . For details, see the FortiWeb CLI Reference.
Setting name Description Group ID Type a number that identifies the HA pair. Both members of the HA pair must have the same group ID. If you have more than one HA pair on the same network, each HA pair must have a different group ID. Changing the group ID changes the cluster’s virtual MAC address. The valid range is 0 to 63. The default value is 0.
Setting name Description Port Monitor Mark the check boxes of one or more network interfaces that each directly correlate with a physical link. These ports will be monitored for link failure. Port monitoring (also called interface monitoring) monitors physical network ports to verify that they are functioning properly and linked to their networks. If the physical port fails or the cable becomes disconnected, a failover occurs.
8. Click Apply. Both appliances join the HA cluster by matching their Group ID. They begin to send heartbeat and synchronization traffic to each other through their heartbeat links. To determine which appliance currently has the role of the main appliance, on System > Config > HA-Config, in the HA Member table, view the HA Role column: • main — The appliance in this row is currently active. The active appliance applies policies to govern the traffic passing to your web servers.
Reference. • For debugging logs, use the diagnose system ha status and diagnose debug application hatalk level commands. For details, see the FortiWeb CLI Reference.
9. To monitor the HA cluster for failover, you can use SNMP (see “Configuring an SNMP community” on page 581), log messages, and alert email (see “Configuring logging” on page 545). If failover time is too long, adjust the following: Setting name Description ARP Packet Numbers Type the number of times that the FortiWeb appliance will broadcast extra address resolution protocol (ARP) packets when it takes on the main role.
See also • Updating firmware on an HA pair • SNMP traps & queries • HA heartbeat & synchronization • How HA chooses the active appliance • Configuration settings that are not synchronized by HA • Fail-to-wire for power loss/reboots • Topologies for high availability (HA) clustering • Replicating the configuration without FortiWeb HA (external HA) Replicating the configuration without FortiWeb HA (external HA) Configuration synchronization provides the ability to duplicate the configuration from another For
Figure 18:Example network topology: Configuration synchronization with multiple identical FortiWeb appliances (non-HA) Configuration synchronization is not a complete replacement for HA. Each synchronized FortiWeb does not keep any heartbeat link (no failover will occur and availability will not be increased) nor does it balance load with the other.
1. Go to System > Config > Config-Synchronization. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Network Configuration category. For details, see “Permissions” on page 47. 2. In Peer FortiWeb IP, type the IP address of the remote FortiWeb appliance that you want to receive configuration items from your local FortiWeb appliance. 3.
To test the connection settings, click Test. Results appear in a pop-up window. If the configuration sync test connection succeeds, this message should appear: Service is available... If the following message appears: Service isn't available...
Configuring the network settings When shipped, each of the FortiWeb appliance’s physical network adapter ports (or, for FortiWeb-VM, vNICs) has a default IP address and netmask. If these IP addresses and netmasks are not compatible with the design of your unique network, you must configure them.
Table 9: Default IP addresses and netmasks
Network Interface*   IPv4 Address/Netmask   IPv6 Address/Netmask
port1                192.168.1.99/24        ::/0
port2                0.0.0.0/0              ::/0
port3                0.0.0.0/0              ::/0
port4                0.0.0.
and vice versa (“redundant interfaces”/”NIC teaming”/”NIC bonding” or “aggregated links”). These can provide features such as link failure resilience or multi-network links. FortiWeb does not currently support IPSec VPN virtual interfaces nor redundant links. If you require these features, implement them separately on your FortiGate, VPN appliance, or firewall. Usually, each network interface has at least one IP address and netmask. However, this is not true for bridges.
See also • Configuring the network interfaces • Adding VLAN subinterfaces • Link aggregation • Configuring a bridge (V-zone) Configuring the network interfaces You can configure network interfaces either via the web UI or the CLI. If your network uses VLANs, you can also configure VLAN subinterfaces. For details, see “Adding VLAN subinterfaces” on page 117.
This Status column is not the detected physical link status; it is the administrative status that indicates whether you permit the network interface to receive and/or transmit packets. For example, if the cable is physically unplugged, diagnose hardware nic list port1 or “Operation widget” on page 540 may indicate that the link is down, even though you have administratively enabled it by clicking Bring Up. By definition, HA heartbeat and synchronization links should always be “up.
3. Configure these settings: Setting name Description IP/Netmask Type the IP address and subnet mask, separated by a forward slash ( / ), such as 192.0.2.2/24 for an IPv4 address or 2001:0db8:85a3::8a2e:0370:7334/64 for an IPv6 address. The IP address must be on the same subnet as the network to which the interface connects. Two network interfaces cannot have IP addresses on the same subnet. Administrative Access Enable the types of administrative access that you want to permit to this interface.
Setting name PING Description Enable to allow: • ICMP type 8 (ECHO_REQUEST) • UDP ports 33434 to 33534 for ping and traceroute to be received on this network interface. When it receives an ECHO_REQUEST (“ping”), FortiWeb will reply with ICMP type 0 (ECHO_REPLY or “pong”). Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_REQUEST) and traceroute-related UDP. It does not disable FortiWeb CLI commands such as execute ping or execute traceroute that send such traffic.
To configure a network interface’s IPv4 address via the CLI Enter the following commands:
config system interface
  edit <interface_name>
    set ip <ip_address> <netmask>
    set allowaccess {http https ping snmp ssh telnet}
  end
end
where: • <interface_name> is the name of a network interface • <ip_address> is the IP address assigned to the network interface • <netmask> is its netmask in dotted decimal format • {http https ping snmp ssh telnet} is a space-delimited list of zero or more administ
whether the device receiving a packet operates at Layer 2 or Layer 3 of the network, this tag may be added, removed, or rewritten before forwarding to other nodes on the network. For example, a Layer 2 switch or FortiWeb appliance operating in true transparent proxy mode would typically add or remove a tag when forwarding traffic among members of the VLAN, but would not route tagged traffic to a different VLAN ID.
Setting name Description VLAN ID Type the VLAN ID , such as 100, of packets that belong to this VLAN subinterface. • If one physical network port (that is, a VLAN trunk) will handle multiple VLANs, create multiple VLAN subinterfaces on that port, one for each VLAN ID that will be received. • If multiple different physical network ports will handle the same VLANs, on each of the ports, create VLAN subinterfaces that have the same VLAN IDs.
Link aggregation You can configure a network interface that is the bundle of several physical links via either the web UI or the CLI. Link aggregation is currently supported only when FortiWeb is deployed in reverse proxy mode. It cannot be applied to VLAN subinterfaces, nor to ports that are used for the HA heartbeat. It is not supported in FortiWeb-VM.
3. Click Create New. A dialog appears. 4. Configure these settings: Setting name Description Name Type the name (such as agg) of this logical interface that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 15 characters. Tip: The name cannot be changed once you save the entry. For a workaround, see “Renaming entries” on page 58. Type Select 802.3ad Aggregate.
To configure an IPv4 link aggregate via the CLI 1.
To configure a bridge via the web UI 1. If you have installed a physical FortiWeb appliance, plug in network cables to connect one of the physical ports in the bridge to your protected web servers, and the other port to the Internet or your internal network.
5. Configure these settings: Setting name Description Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 15 characters. The name cannot be changed once you save the entry. See “Renaming entries” on page 58. IP/Netmask To create a virtual network interface that can respond to ICMP ECHO_REQUEST (ping) requests, enter an IP address/subnet mask for the virtual network interface.
To configure an IPv4 bridge in the CLI 1. If you have installed a physical FortiWeb appliance, connect one of the physical ports in the bridge to your protected web servers, and the other port to the Internet or your internal network.
subset of IP addresses), redundant routers (e.g. redundant Internet/ISP links), or other special routing cases. However, often you will only need to configure one route: a default route. True transparent and transparent inspection operation modes require that you specify the gateway when configuring the operation mode. In that case, you have already configured a static route. You do not need to repeat this step.
3. Configure these settings: Setting name Description Destination IP/Mask Type the destination IP address and network mask of packets that will be subject to this static route, separated by a slash ( / ). The value 0.0.0.0/0.0.0.0 or ::/0 results in a default route, which matches the DST field in the IP header of all packets. Gateway Type the IP address of the next-hop router where the FortiWeb appliance will forward packets subject to this static route.
you have not yet configured a policy, and therefore, if in reverse proxy mode, cannot test connectivity through the FortiWeb.) By default, in reverse proxy mode, FortiWeb’s virtual servers will not forward non-HTTP/HTTPS traffic from virtual servers to your protected web servers. (Only traffic picked up and allowed by the HTTP reverse proxy will be forwarded.
To add a default route via the CLI 1. Enter the following commands:
config router static
  edit <route_index>
    set gateway <gateway_ipv4>
    set device <interface_name>
  end
end
where: • <route_index> is the index number of the route in the list of static routes • <gateway_ipv4> is the IP address of the gateway router • <interface_name> is the name of the network interface through which packets will egress, such as port1 The FortiWeb appliance should now be reachable from the networks matched by the route’s destination mask.
host (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to the FortiWeb. • If these tests fail, or if you do not want to enable PING, first examine the static route configuration on both the host and FortiWeb.
To configure DNS settings via the web UI 1. Go to System > Network > DNS. To change settings in this part of the web UI, your administrator's account access profile must have Write permission to items in the Network Configuration category. For details, see “Permissions” on page 47. 2. In Primary DNS Server, type the IP address of the primary DNS server. 3. In Secondary DNS Server, type the IP address of the secondary DNS server. 4.
To configure DNS settings via the CLI 1. Enter the following commands:
config system dns
  set primary <dns_ipv4>
  set secondary <dns_ipv4>
  set domain <local_domain>
end
where: • <dns_ipv4> is the IP address of a DNS server • <local_domain> is the name of the local domain to which the FortiWeb appliance belongs, if any The local domain name is optional. It will not appear in the Host: field of HTTP headers for connections to protected web servers.
See also • Configuring the network interfaces • Configuring a bridge (V-zone) • Adding a gateway
Connecting to FortiGuard services Most exploits and virus exposures occur within the first 2 months of a known vulnerability. Most botnets consist of thousands of zombie computers whose IP addresses are continuously changing. To keep your defenses effective against the evolving threat landscape, Fortinet recommends FortiGuard services. New vulnerabilities and botnets are discovered and new signatures are built by Fortinet researchers every day.
Figure 19:FortiGuard Information widget • Valid — At the last attempt, the FortiWeb appliance was able to successfully contact the FDN and validate its FortiGuard license. Continue with “Scheduling automatic signature updates” on page 141. • Expired — At the last attempt, the license was either expired or FortiWeb was unable to determine license status due to network connection errors with the FDN.
• On FortiWeb, use execute ping and execute traceroute to verify that connectivity from FortiWeb to the Internet and FortiGuard is possible. Check the configuration of any NAT or firewall devices that exist between the FortiWeb appliance and the FDN or FDS server override.
FortiWeb # exec traceroute update.fortiguard.net
traceroute to update.fortiguard.net (209.66.81.150), 32 hops max, 84 byte packets
1 192.0.2.2 0 ms 0 ms 0 ms
2 209.87.254.221 4 ms 2 ms 3 ms
3 209.87.239.
2. Go to System > Config > FortiGuard. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “Permissions” on page 47. 3. If you want your FortiWeb appliance to connect to a specific FDS other than the default for its time zone, enable Use override server address, and enter the IP address and port number of an FDS in the format <fds_ipv4>:<port>, such as 10.0.0.1:443.
4. Click Apply. 5. Click Update Now. The FortiWeb appliance tests the connection to the FDN and, if any, the server you specified to override the default FDN server. Time required varies by the speed of the FortiWeb appliance’s network connection, and by the number of timeouts that occur before the connection attempt is successful or the FortiWeb appliance determines that it cannot connect.
If your FortiWeb’s performance is more critical than the risk of these dormant viruses, you can choose to omit signatures for obsolete viruses by selecting the “Regular” database on System > Config > FortiGuard. Table 10: Selecting the virus database and buffer size on System > Config > FortiGuard Setting Name Description Regular Virus Database Select to use only the signatures of viruses and greyware that have been detected by FortiGuard’s networks to be recently spreading in the wild.
Accessing FortiGuard via a web proxy Using the CLI, you can configure the FortiWeb appliance to connect through an explicit (non-transparent) web proxy server to the FortiGuard Distribution Network (FDN) for signature updates. For example, you might enter the following commands:
config system autoupdate tunneling
  set status enable
  set address 192.168.1.10
  set port 8080
  set username FortiWeb
  set password myPassword1
end
For details, see the FortiWeb CLI Reference.
See also • Blocking known attacks & data leaks • Validating parameters (“input rules”) • Preventing tampering with hidden inputs • Limiting file uploads • Predefined data types • Predefined suspicious request URLs • Blacklisting source IPs with poor reputation • Blacklisting countries & regions • Updating data analytics definitions Scheduling automatic signature updates Your FortiWeb appliance uses signatures, IP lists, and data type definitions for many features, including to detect attacks such as: • cro
3. Enable Scheduled Update. 4. Select either: • Every — Select to request to update once every 1 to 23 hours, then select the number of hours between each update request. • Daily — Select to update once every day, then select the hour. The update attempt occurs at a randomly determined time within the selected hour. • Weekly — Select to request to update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.
5. Click Apply. The FortiWeb appliance next requests an update according to the schedule. Results appear in FortiWeb Security Service in the FortiGuard Information widget.
2. Go to System > Config > FortiGuard. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “Permissions” on page 47.
3. Click Update Now. The web UI displays a message similar to the following: Your update request has been sent. Your database will be updated in a few minutes. Please check your update page for the status of the update. 4. After a few minutes, click the FortiGuard submenu to refresh the page, or go to System > Status > Status and look at the FortiWeb Update Service row in the FortiGuard Information widget. If an update was available, the packages that were updated have new version numbers.
5. Click the Browse button (its name varies by browser) and select the signatures file, then click OK. Your browser uploads the file. Time required varies by the size of the file and the speed of your network connection. Once the attack signature update is complete, FortiWeb will immediately begin to use them. No reboot is required. See also • Restoring firmware (“clean install”)
Configuring basic policies As the last step in the setup sequence, you must configure at least one policy.
3. Create a new policy (Policy > Server Policy > Server Policy). • In Name, type a unique name for the policy. • In Virtual Server or Data Capture Port, select your virtual server. • In HTTP Service, select the predefined HTTP service. • In Physical Server, select your physical server. • In Physical Server Port, if your web server does not listen on the standard port 80, type its port number for incoming HTTP traffic. • From WAF Auto Learn Profile, select the predefined auto-learning profile.
3. Modify the server policy (Policy > Server Policy > Server Policy). • In HTTPS Service, select the predefined HTTPS service. • In Physical Server Port, if your web server does not listen on the standard port 443, type its port number for incoming HTTPS traffic. • In Certificate, select your web server’s certificate. Also select, if applicable, Certificate Verification and Certificate Intermediate Group. • Enable SSL Server. Traffic should now pass through the FortiWeb appliance to your server.
Auto-learning Protection settings can be configured manually or with assistance from auto-learning. Auto-learning can teach you a great deal about the threats your web assets face. It also helps you to understand your web applications’ structures, and how end-users use them. Most importantly, though, auto-learning can help you to quickly tailor FortiWeb’s configuration to suit your web applications.
For example, the page at: /app/main always has that same path. After a person logs in, the page’s URL doesn’t become: /app/marco/main or /app#deepa For another example, the URL does not dynamically reflect inventory, such as: /app/sprockets/widget1024894 Some web applications, however, embed parameters within the path structure of the URL, or use unusual or non-uniform parameter separator characters.
URL replacers match the URL as it appears in the HTTP header of the client’s request (using the regular expression in URL Path) and interpret it into this standard URL formulation: New URL?New Param=Param Change For example, if the URL is: /application/value and the URL replacer settings are:
Table 11:
Setting name   Value
Type           Custom-Defined
URL Path       (/application)/([^/]+)
New URL        $0
Param Change   $1
New Param      setting
$0 holds this part of the matched URL: /application and $1 holds this part of the
3. Configure these settings:

Setting name  Description
Name          Type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
Type          Select either:
              • Predefined — Use one of the predefined URL replacers which you select in Application Type.
              • Custom-Defined — Define your own URL replacer by configuring URL Path, New URL, Param Change, and New Param.
4.
5. If you selected Custom-Defined in Type, configure these settings:

Setting name  Description
URL Path      Type a regular expression, such as (^/[^/]+)/(.*), matching all and only the URLs to which the URL replacer should apply. The maximum length is 255 characters. The pattern does not require a backslash ( / ). However, it must at least match URLs that begin with a slash as they appear in the HTTP header, such as /index.html. Do not include the domain name, such as www.example.com.
Example: URL interpreter for a JSP application

The HTTP request URL from a client is:
/app/login.jsp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa
which uses semi-colons ( ; ) as parameter separators in the URL, a behavior typical of JSP applications. You would create a URL replacer to recognize the JSP application’s parameter separators: the semi-colons.
Table 13: Example: URL replacer for Microsoft Outlook Web App — User name structure #1
(figure: capture groups 0, 1 and 2 of the URL Path pattern)

Table 14: URL interpreter
  Setting name  Value
  Name          OWAusername1
  Type          Custom-Defined
  URL Path      (/exchange/)([^/]+)/(.*)
  New URL       $0$2
  Param Change  $1
  New Param     username1

Then the URLs would be recognized by auto-learning as if OWA used a more conventional parameter structure like this:
/exchange/index.html?username1=tom
/exchange/memo.EML?username1=jane
Table 15: Example: URL replacer for Microsoft Outlook Web App — Folder name structure #1
(figure: capture groups 0, 1 and 2 of the URL Path pattern)

Table 16:
  Sample URL    /exchange/archive-folders/2011

  URL interpreter
  Setting name  Value
  Name          OWAfoldername1
  Type          Custom-Defined
  URL Path      (/exchange/)([^/]+/)(.*)
  New URL       $0
  Param Change  $1$2
  New Param     folder1

  Results       /exchange/?folder1=archive-folders/2011
Table 17: Example: URL replacer for Microsoft Outlook Web App — User name structure #2
(figure: capture groups 0 and 1 of the URL Path pattern)

Table 18:
  Sample URL    /exchange/jane.doe

  URL interpreter
  Setting name  Value
  Name          OWAusername2
  Type          Custom-Defined
  URL Path      (/exchange/)([^/]+\.[^/]+)
  New URL       $0
  Param Change  $1
  New Param     username2

  Results       /exchange/?username2=jane.doe
Table 19: Example: URL replacer for Microsoft Outlook Web App — Folder name structure #2
(figure: capture groups 0, 1 and 2 of the URL Path pattern)

Table 20:
  Sample URL    /public/imap-share-folders/memos

  URL interpreter
  Setting name  Value
  Name          OWAfoldername2
  Type          Custom-Defined
  URL Path      (/public/)([^/]+/)(.
In this URL format, there are 3 parameter values (with or without their names) in the URL:
• param1
• param2
• param3
Because each interpreter can only extract a single parameter, you would create 3 URL interpreters, and group them into a set where they are used sequentially — a chain.
Table 21: Example: URL replacer 1 for slash-separated parameters

Table 22:
  Setting name  Value
  Name          slash-parameter3
  Type          Custom-Defined
  URL Path      /index/param1/(.*)/param2/(.*)/param3/(.*)/
  New URL       /index/param1/$0/param2/$1/
  Param Change  $2
  New Param     param3

Table 23: Example: URL replacer 2 for slash-separated parameters

Table 24:
  Setting name  Value
  Name          slash-parameter2
  Type          Custom-Defined
  URL Path      /index/param1/(.*)/param2/(.*)/
  New URL       /index/param1/$0/
  Param Change  $1
  New Param     param2

Table 25: Example: URL replacer 3 for slash-separated parameters

Table 26:
  Setting name  Value
  Name          slash-parameter1
  Type          Custom-Defined
  URL Path      /index/param1/(.*)/
  New URL       /index
  Param Change  $0
  New Param     param1

Until you add the URL interpreters to a group, FortiWeb doesn’t know the sequential order.
Table 27: Example: URL replacer group for slash-separated parameters — entry 1
  Setting name  Value
  Priority      0
  Type          URL REPLACER
  Plugin Name   slash-parameter3

Table 28: Example: URL replacer group for slash-separated parameters — entry 2
  Setting name  Value
  Priority      1
  Type          URL REPLACER
  Plugin Name   slash-parameter2

Table 29: Example: URL replacer group for slash-separated parameters — entry 3
  Setting name  Value
  Priority      2
  Type          URL REPLACER
  Plugin Name   slash-parameter1

Then the URL will be inter
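The following Python is an added example, not FortiWeb’s own code: it models how a Custom-Defined URL replacer turns a request path into the New URL?New Param=Param Change form (with FortiWeb’s $0 meaning the first capture group, unlike Python’s group(0)), and how a replacer group chains the three slash-separated-parameter interpreters above. It assumes that each entry in the group is applied to the path produced by the previous matching entry, which is what Tables 22 to 26 imply, and it rejects a template whose back reference points at a capture group the pattern does not have, the misconfiguration that shows up in reports as a URL fragment in the parameter Name column.

```python
"""Model of FortiWeb URL replacer (URL interpreter) evaluation.

Added example, not FortiWeb's code. Assumptions: URL Path is an unanchored
regular expression matched against the request path; $n in New URL and
Param Change refers to capture group n counted from 0; a replacer group is
applied as a chain, each entry seeing the path left by the previous match.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple

BACKREF = re.compile(r"\$(\d+)")


@dataclass(frozen=True)
class UrlReplacer:
    name: str
    url_path: str      # regular expression matched against the request path
    new_url: str       # template for the rewritten path, may use $0, $1, ...
    param_change: str  # template for the extracted parameter value
    new_param: str     # name given to the extracted parameter

    def __post_init__(self) -> None:
        # A back reference beyond the pattern's capture groups is the usual
        # reason the report's Name column shows a URL fragment or a value
        # instead of a parameter name, so reject it at configuration time.
        ngroups = re.compile(self.url_path).groups
        for template in (self.new_url, self.param_change):
            for ref in BACKREF.findall(template):
                if int(ref) >= ngroups:
                    raise ValueError(
                        f"{self.name}: ${ref} used but URL Path has only "
                        f"{ngroups} capture group(s)")


def expand(template: str, groups: Sequence[Optional[str]]) -> str:
    """Substitute $n with capture group n, counting from 0 as FortiWeb does."""
    return BACKREF.sub(lambda m: groups[int(m.group(1))] or "", template)


def apply_replacer(rep: UrlReplacer, path: str) -> Optional[Tuple[str, str]]:
    """Return (rewritten path, parameter value) on a match, else None."""
    m = re.search(rep.url_path, path)
    if m is None:
        return None
    groups = m.groups()
    return expand(rep.new_url, groups), expand(rep.param_change, groups)


def interpret(path: str, chain: Sequence[UrlReplacer]) -> Tuple[str, Dict[str, str]]:
    """Run a replacer group over a request path in priority order.

    Returns the final path and the parameters extracted along the way. If no
    entry matches, the path comes back unchanged with no parameters: the
    documented outcome, parameters in the URL are not interpreted.
    """
    params: Dict[str, str] = {}
    for rep in chain:
        result = apply_replacer(rep, path)
        if result is None:
            continue
        path, value = result
        params[rep.new_param] = value
    return path, params


def normalized_url(path: str, params: Dict[str, str]) -> str:
    """Render the conventional form New URL?name=value&... as a report would."""
    if not params:
        return path
    return path + "?" + "&".join(f"{k}={v}" for k, v in params.items())


# Table 14 from the guide: Outlook Web App user name embedded in the path.
OWA_USERNAME1 = UrlReplacer("OWAusername1", r"(/exchange/)([^/]+)/(.*)",
                            "$0$2", "$1", "username1")

# Tables 22, 24 and 26, listed in the priority order of Tables 27 to 29.
SLASH_CHAIN = (
    UrlReplacer("slash-parameter3",
                r"/index/param1/(.*)/param2/(.*)/param3/(.*)/",
                "/index/param1/$0/param2/$1/", "$2", "param3"),
    UrlReplacer("slash-parameter2", r"/index/param1/(.*)/param2/(.*)/",
                "/index/param1/$0/", "$1", "param2"),
    UrlReplacer("slash-parameter1", r"/index/param1/(.*)/",
                "/index", "$0", "param1"),
)

if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    print(normalized_url(*interpret("/exchange/tom/index.html", [OWA_USERNAME1])))
    print(normalized_url(*interpret("/index/param1/A/param2/B/param3/C/", SLASH_CHAIN)))
```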
Grouping URL interpreters In order to use URL interpreters with an auto-learning profile, you must group URL replacers into sets.
7. From Plugin Name, select an existing URL replacer from the drop-down list. Rule order affects URL replacer matching and behavior. FortiWeb appliances evaluate URLs for a matching URL replacer starting with the smallest ID number (greatest priority) rule in the list, and continue towards the largest number in the list. • If no rule matches, parameters in the URL will not be interpreted.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “Permissions” on page 47.

Setting name  Description
Pattern       The regular expression used to detect the presence of the data type. Parameter values must match the regular expression in order for an auto-learning profile to successfully detect the data type, or for an input rule to allow the input.
Setting name  Description
Name          Displays the name of the data type. Select the blue arrow beside a pattern to expand the entry and display the individual rules contained in the entry.
              • Address — Canadian postal codes and United States ZIP code and ZIP + 4 codes.
              • Canadian Postal Code — Canadian postal codes such as K2H 7B8.
              • Canadian Province Name and Abbrev.
Setting name  Description
              • Level 1 Password — A string of at least 6 characters, with one or more each of lower-case characters, upper-case characters, and digits, such as aBc123. Level 1 passwords are “weak” passwords, generally easier to crack than level 2 passwords.
              • Level 2 Password — A string of at least 8 characters, with one or more each of lower-case characters, upper-case characters, digits, and special characters, such as aBc123$%. Level 2 passwords are moderately strong.
Setting name  Description
              • Swedish Personal Number — Personal identification number (“personnummer”) for Sweden, such as 19811116-7845. Must be hyphenated. Does not match PINs for persons whose age is 100 or greater.
              • UAE Land Phone — Telephone number for the United Arab Emirates, such as 04 - 3452499 or 04 3452499. Does not match phone numbers beginning with 01 or 08.
              • UK Bank Sort Code — Bank sort codes for the United Kingdom, such as 09-01-29. Must be hyphenated.
For example, if you include the Email data type in the data type group, auto-learning profiles that use the data type group might discover that your web applications use a parameter named username whose value is an email address.
The predefined data type group, named predefine-data-type-group, cannot be edited or deleted.
To configure a predefined data type group
1. Go to Auto Learn > Predefined Pattern > Data Type Group.
Web applications’ administrative URLs often should not be accessible by clients on the Internet, and therefore any request for those URLs from source IP addresses on the Internet may represent an attempt to scout your web servers in advance of an attack. (Exceptions include hosting providers, whose clients may span the globe and often configure their own web applications.
Table 30: Auto Learn > Predefined Pattern > URL Pattern (image cropped)

Setting name  Description
Name          The name of the predefined suspicious URL pattern set. To display the patterns it contains, click the blue arrow next to the name.
Pattern       When you click a blue arrow to expand a suspicious URL pattern, this column displays the regular expression used to detect the presence of the suspicious URL in a client’s request.
2. Click Create New. A dialog appears.
3. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
4. In URL Expression, enter a regular expression that defines this suspicious URL, such as ^/my_admin_panel.jsp. To test the regular expression against sample text, click the >> (test) icon.
3. Click Create New. A dialog appears.
4. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
5. Click OK.
6. Click Create New to add an entry to the set. A dialog appears.
7. From Suspicious URL Name, select the name of a custom suspicious URL rule.
8. Click OK.
9. Repeat the previous steps for each custom suspicious URL rule you want added to the policy.
10.
3. Click Create New. Alternatively, to clone an existing pattern as the basis for a new group, mark the check box next to it, then click the Clone icon. A dialog appears.
4. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
5. In Server Type, enable one or more of the predefined, web server-specific suspicious URL sets that you want to detect. To view detailed descriptions of the types of patterns that each suspicious URL type will detect, see “Predefined suspicious request URLs” on page 172. If you know that your network does not rely on one or more of the listed web server types, disable scans for suspicious access to their administrative URLs in order to improve performance.
6.
1. Before creating an auto-learning profile, you must configure its components:
• a data type group (see “Grouping predefined data types” on page 170)
• suspicious request URLs (see “Grouping all suspicious request URLs” on page 175)
• if required, URL interpreters (see “Grouping URL interpreters” on page 165)
2. Go to Auto Learn > Auto Learn Profile > Auto Learn Profile.
Setting name                 Description
Server Protection Threshold  Enter a percentage of detected attacks, relative to total hits, that will be interpreted as a false positive for the entire web host. When you use auto-learning to generate a protection profile (see “Blocking known attacks & data leaks” on page 387), attack signatures meeting or exceeding this overall threshold will be disabled.
7. To ensure that the appliance can learn about HTTP/HTTPS requests’ usual page order and other session-related attacks and features, enable the Session Management option in the protection profile.
8. Continue with “Running auto-learning” on page 180.
4. Gauge progress by periodically reviewing the auto-learning report, which is kept up-to-date during auto-learning (see “Viewing auto-learning reports” on page 182 and “Generating a profile from auto-learning data” on page 196). If parameters are missing, auto-learning is not done.
Auto-learning considers URLs up to approximately 128 characters long (assuming single-byte character encoding, after FortiWeb has decoded any nested hexadecimal or other URL encoding — therefore, the limit is somewhat dynamic).
Viewing auto-learning reports Auto Learn > Auto Learn Report > Auto Learn Report displays the list of reports that the FortiWeb appliance has automatically generated from information gathered by auto-learning profiles.
Figure 21: Parts of auto-learning reports (display pane and navigation pane)

See also
• Removing old auto-learning data
• Using the report navigation pane
• Using the report display pane
• Configuring an auto-learning profile
• Generating a profile from auto-learning data

Using the report navigation pane

To view report data, click the expand icon ( + ) next to items in the navigation tree and click items to see applicable information. Different tree levels provide different report data.
If the tree contains many URLs that are actually forms of the same URL, or includes session IDs, such as:
/app/login.asp;jsessionid=xxx;p1=111;p2=123?p3=5555&p4=66aaaaa
the web application may use dynamic URLs or unusual parameter separators, and require a URL interpreter for auto-learning to function normally. For details, see “How to adapt auto-learning to dynamic URLs & unusual parameters” on page 151.
You can change the display and content of data using the context menu.
Figure 23: Filtering an auto-learning report

Depending on its level in the navigation tree, an item may be either a server policy observing multiple hosts, a single host, a common part of a path contained in multiple URLs, or a single requested file.
Using the report display pane Tabs, statistics and charts appear on the report display (right-hand) pane. Their appearance varies depending on which level you selected in the navigation tree. The report display pane contains several feature buttons above the report.
Table 32: Auto-learning report Overview tab

Setting name            Description
Edit Protected Servers  Click to open a dialog where you can select or deselect IP addresses and/or domain names that will be members of the protected hosts group for the generated profile. This button appears only when you select the policy in the navigation pane.
Setting name  Description
Hits Count    Click the link to go to the Visits tab. This row appears in the Item column of the Overview table.
Attack Count  Click the link to go to the Attacks tab. This row appears in the Item column of the Overview table.

Attacks tab

The Attacks tab provides statistics in both tabular and graphical format on HTTP sessions that contained one of the types of attacks that the web protection profile was configured to detect.
Figure 24: Auto-learning report Attacks tab

Depending on the level of the item selected in the navigation pane, the Action and Enable columns may appear. Using these settings, you can override FortiWeb’s statistically suggested attack protection settings. To display a pop-up list of an attack type’s protection profile settings estimated from current auto-learning data, click the Detail icon. The dialog that appears may vary by the attack type. You can use it to manually override the estimated settings.
2. If you selected Custom from Type, from each drop-down list in the Custom column, select one of these options:
• On — Manually override the suggestion. In step 3, select which attack prevention signatures to enable. (Non-selected signatures will be disabled.)
• Off — Manually override the suggestion, and disable all attack prevention signatures for this type. If the URL is not susceptible to a specific type of attack, select Off to improve performance.
6. From each drop-down list in the Action column, select one of the following options:
• Alert — Accept the request and generate an alert email and/or log message.
• Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that will be returned to the client with the HTTP status code. See “Uploading a custom error page” on page 467 or Error Message.
Table 33: Auto-learning report Visits tab (image truncated)
Setting name       Description
Edit Allow Method  Click this button to open a dialog where you can select which HTTP request methods to allow in the generated profile. Then in the Status drop-down list, select either:
                   • On — Manually override the suggestion, and enable the method.
                   • Off — Manually override the suggestion, and disable the method.
                   • Default — Do not override the suggestion.
Setting name  Description
              Click this button to open a dialog where you can select which pages will be included in a URL access rule whose Action is Alert & Deny (i.e. block the request and generate an alert email and/or attack log message). To include the URL, click and drag it from the column named Available on the right into the column on the left, named URL Access rules with action 'Alert & Deny'. (In the Least hit URL table and
The Name column contains the name of the parameter, exactly as it was observed in the parameter or (for parameters extracted by URL replacers) within the URL. If the Name column contains part of a URL or the parameter’s value instead of its name, verify the regular expression and back references used in your URL replacer.
See also
• Removing old auto-learning data
• Using the report navigation pane
• Configuring an auto-learning profile
• Generating a profile from auto-learning data

Generating a profile from auto-learning data

When viewing a report generated from auto-learning data, you can generate an inline protection profile or an offline protection profile suitable for the HTTP sessions observed.
Buttons and drop-down lists in the report display pane may vary. For most URLs, they enable you to adjust the profile that will be generated. Auto-learning suggests an appropriate configuration based upon the traffic that it observed. If auto-learning has not suggested appropriately, however, you can manually override each of auto-learning’s suggestions.
Configure these settings:

Setting name            Description
Overview tab
Edit Protected Servers  Click to open a pop-up dialog.
Setting name           Description
Edit Exception Method  Click to open a pop-up dialog. This appears only if you have selected a URL in the navigation pane.
Set                    Type the data type and maximum length of the parameter, and indicate whether or not the parameter is required input. These settings will appear in the generated parameter validation rule and input rules. For details, see “Validating parameters (“input rules”)” on page 421 and “Preventing zero-day attacks” on page 421.
If you do not configure any settings, by default, the FortiWeb appliance will generate a profile that allows the HTTP GET method and any other methods whose usage exceeded the threshold, and will add the remaining methods to an allowed method exception. It will also create start page rules and trusted IP rules for the most commonly requested URLs, and blacklist IP addresses that commonly requested suspicious URLs.
Removing old auto-learning data

There are many reasons why you may want to delete old auto-learning data.
• You want to free disk space and system resources.
• You installed different web applications on your web servers, and old auto-learning data, based upon the previous installations, no longer applies.
• You initiated auto-learning while its URL replacer was misconfigured, and old auto-learning data is malstructured, such as being split between many instances of a dynamic URL, or missing parameters.
Testing your installation

When the configuration is complete, test it by forming connections between legitimate clients and servers at various points within your network topology.
In offline protection mode and transparent inspection mode, if your web server applies SSL and you need to support Google Chrome browsers, you must disable Diffie-Hellman key exchanges on the web server. These sessions cannot be inspected.
protection and maintenance features you can use. For details, see the other chapters in this Administration Guide.

Reducing false positives

If the dashboard indicates that you are getting dozens or hundreds of nearly identical attacks, they may actually be legitimate requests that were mistakenly identified as attacks (i.e. false positives). Many of the signatures, rules, and policies that make up protection profiles are based, at least in part, on regular expressions.
Testing for vulnerabilities & exposure

Even if you are not a merchant, hospital, or other agency that is required by law to demonstrate compliance with basic security diligence to a regulatory body, you still may want to verify your security.
• Denial of service attacks can tarnish your reputation and jeopardize service income.
• Hacked servers can behave erratically, decreasing uptime.
• Malicious traffic can decrease performance.
Figure 30: Attack Event History section of the Policy Summary widget

• Examine the Attack Log widget on System > Status > Status. If the list includes many identical entries, it likely indicates false positives. If there are many entries of a different nature, it likely indicates real attacks. If there are no attack log entries but the Attack Event History shows attacks, it likely means you have not correctly configured logging. See “Configuring logging” on page 545.
Switching out of offline protection mode

Switch only if you chose offline protection mode for evaluation or transition purposes when you first set up your FortiWeb appliance, and now want to transition to a full deployment.
To switch the operation mode
1. Back up your configuration. See “Backups” on page 206.
Back up your system before changing the operation mode. Changing modes deletes policies not applicable to the new mode, static routes, and V-zone IP addresses.
Backups Once you have tested your basic installation and verified that it functions correctly, create a backup.
To back up the configuration via the web UI
This method does not include uploaded files such as:
• private keys
• certificates
• error pages
• vulnerability scan settings
If your configuration has these files, use either a full TFTP or FTP/SFTP backup instead. See “To back up the configuration via the web UI to an FTP/SFTP server” on page 208 or “To back up the configuration via the CLI to a TFTP server” on page 209.
1. Log in to the web UI as the admin administrator.
5. If you would like to password-encrypt the backup files using 128-bit AES before downloading them, enable Encryption and type a password in Password.
6. Click Backup. If your browser prompts you, navigate to the folder where you want to save the configuration file. Click Save.
Your browser downloads the configuration file. Time required varies by the size of the configuration and the specifications of the appliance’s hardware as well as the speed of your network connection, but could take several minutes.
Setting name        Description
FTP Authentication  Enable if the server requires that you provide a user name and password for authentication, rather than allowing anonymous connections.
FTP User            Type the user name that the FortiWeb appliance will use to authenticate with the server. The maximum length is 127 characters. This field appears only if you enable FTP Authentication.
FTP Password        Type the password corresponding to the user account on the server. The maximum length is 127 characters.
1. If necessary, start your TFTP server. (If you do not have one, you can temporarily install and run one such as tftpd (Windows, Mac OS X, or Linux) on your management computer.)
Because TFTP is not secure, and because it does not support authentication and could allow anyone to have read and write access, you should only run it on trusted administrator-only networks, never on computers directly connected to the Internet. If possible, turn tftpd off immediately when you are done.
2.
To upload a configuration via the web UI
1. Go to System > Maintenance > Backup & Restore.
To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Maintenance category. For details, see “Permissions” on page 47.
If you have made a configuration backup to an FTP server (see “To back up the configuration via the web UI to an FTP/SFTP server” on page 208), you cannot restore it here.
Administrators In its factory default configuration, FortiWeb has one administrator account named admin. This administrator has permissions that grant full access to FortiWeb’s features. To prevent accidental changes to the configuration, it’s best if only network administrators — and if possible, only a single person — use the admin account. You can use the admin administrator account to configure more accounts for other people. Accounts can be made with different scopes of access.
4. Configure these settings:

Setting name   Description
Administrator  Type the name of the administrator account, such as admin1 or admin@example.com, that can be referenced in other parts of the configuration. Do not use spaces or special characters except the ‘at’ symbol ( @ ). The maximum length is 35 characters.
               Note: This is the user name that the administrator must provide when logging in to the CLI or web UI.
Setting name  Description
Password      Type a password for the administrator account. This field is available only when Type is Local User.
              Tip: Set a strong password for every administrator account, and change the password regularly. Failure to maintain the password of every administrator account could compromise the security of your FortiWeb appliance. As such, it can constitute a violation of PCI DSS compliance and is against best practices.
Setting name     Description
Trusted Host #1  Type the source IP address(es) and netmask from which the administrator is allowed to log in to the FortiWeb appliance. If PING is enabled, this is also a source IP address to which FortiWeb will respond when it receives a ping or traceroute signal.
Trusted Host #2  Trusted areas can be single hosts, subnets, or a mixture. For more information, see “Trusted hosts” on page 51.
Trusted Host #3
Setting name    Description
Access Profile  Select an existing access profile that indicates the permissions for this administrator account. For more information on permissions, see “Permissions” on page 47.
                You can select prof_admin, a special access profile used by the admin administrator account. However, selecting this access profile will not confer all permissions of the admin administrator. For example, the new administrator would not be able to reset lost administrator passwords.
In larger companies where multiple administrators divide the share of work, access profiles often reflect the specific job that each administrator does (“role”), such as user account creation or log auditing. Access profiles can limit each administrator account to their assigned role. This is sometimes called role-based access control (RBAC). The prof_admin access profile, a special access profile assigned to the admin administrator account and required by it, does not appear in the list of access profiles.
4. Configure the permissions options. For each row associated with an area of the configuration, mark either the None, Read Only, or Read-Write radio buttons to grant that type of permission. For a list of features governed by each access control area, see “Permissions” on page 47.
Click the Read Only check box to select or deselect all read categories. Click the Read-Write check box to select or deselect all write categories.
3. Click Create New. A dialog appears.
4. In Name, type a name that can be referenced by other parts of the configuration, such as admin-remote-auth1. Do not use special characters. The maximum length is 35 characters.
5. Click OK.
The Create New button for this item, below its name, will no longer be greyed out, indicating that it has become available.
6. Click Create New. A dialog appears that enables you to add queries to the group.
7.
1. Log in as the admin administrator account. Alternatively, if you know the current password for the account whose password you want to change, you may log in with any administrator account whose access profile permits Read and Write access to items in the Admin Users category.
2. Go to System > Admin > Administrators.
3. Mark the check box in the row of the account whose password you want to change.
4. Click Change Password. A dialog appears.
5.
Users On FortiWeb, user accounts do not log in to the administrative web UI. Instead, they are used to add HTTP-based authentication and authorize each request from clients that are connecting through FortiWeb to your protected web servers. Best practices dictate that each person accessing your web sites should have his or her own account so that security audits can reliably associate a login event with a specific person. Accounts should be restricted to URLs for which they are authorized.
Figure 32: An HTTP authentication prompt in the Google Chrome browser

If the user supplies credentials, his or her web browser includes them in a second request for the same page. If the credentials are valid, the web server returns the requested URL; otherwise, it repeats its 401 Authorization Required response. This type of authorization is handled at the web server layer of the host’s software stack, independently of the static HTML, dynamic pages and runtime interpreters (PHP, ColdFusion, Python, etc.
Figure 33: An authentication form on the Fortinet Technical Support login web page

This method does not rely on the mechanism defined in the HTTP protocol. Instead, when the user submits the form, the web application uses form inputs to construct server-side sessions, client-side session cookies, or parameters in the URL such as JSPSESSIONID in order to create statefulness. This type of authorization occurs at the web application layer of the server’s software stack.
input rule. Depending on your operation mode (see “Supported features in each operation mode” on page 62), you might want to see:
• “Cookie Poisoning Detection” on page 473
• “Blocking known attacks & data leaks” on page 387
• “Validating parameters (“input rules”)” on page 421
• “Preventing tampering with hidden inputs” on page 430
• “Preventing brute force logins” on page 362
• “Specifying URLs allowed to initiate sessions” on page 415
If used within the content of HTTP, it is not as secure as HTTPS.
Offloading HTTP authentication & authorization If a web site does not support RFC 2617 HTTP authentication on its own, nor does it provide HTML form-based authentication, you can use a FortiWeb appliance to authenticate HTTP/HTTPS clients before they are permitted to access a web page. User authentication is not supported in all operation modes. See “Supported features in each operation mode” on page 62.
3. Configure authorization rules for each user group. See “Applying user groups to an authorization realm” on page 238.
4. Group authorization rules into an authorization policy. See “Grouping authorization rules” on page 240.
5. Select the authorization policy in an inline protection profile. See “Configuring a protection profile for inline topologies” on page 468.
6. Select the inline protection profile in a server policy. See “Configuring a server policy” on page 483.
4. If the client authenticates successfully, the FortiWeb appliance forwards the original request to the server. If the client does not authenticate successfully, the FortiWeb appliance repeats its HTTP 401 Authorization Required response to the client, asking again for valid credentials. 5. Once the client has authenticated with the FortiWeb appliance, if FortiWeb applies no other restrictions and the URL is found, it returns the web server’s reply to the client.
3. Configure these settings:

Setting name  Description
Name          Type a name that can be referenced in other parts of the configuration, such as Jane Doe. Do not use special characters. The maximum length is 35 characters.
              Note: This is not the user name that the person must provide when logging in to the CLI or web UI.
User Name     Type the user name that the client must provide when logging in, such as user1. The maximum length is 63 characters.
Password      Type a password for the user account.
web UI or CLI. For details, see “Grouping remote authentication queries for administrators” on page 218.
If you use an LDAP query for administrators, separate it from the queries for regular users. Do not combine administrator and user queries into a single entry. Failure to separate queries will allow end-users to have administrative access to the FortiWeb web UI and CLI.
4. Configure these settings:

Setting name  Description
Name          Type a unique name that can be referenced in other parts of the configuration. Do not use special characters. The maximum length is 35 characters.
              Note: This is the name of the query only, not the administrator or end-user’s account name/login. Administrator account names are defined in Administrator.
Server IP     Type the IP address of the LDAP server.
Server Port   Type the port number where the LDAP server listens.
Distinguished Name: Type the distinguished name (DN), such as ou=People,dc=example,dc=com or cn=users,dc=example,dc=com, that forms the full path in the directory to the user account objects.
Bind Type: Select one of the following LDAP query binding styles:
• Simple — Bind using the client-supplied password and a bind DN assembled from the Common Name Identifier, Distinguished Name, and the client-supplied user name.
Group Type: Indicate the schema of your LDAP directory, either:
• OpenLDAP — The directory uses a schema where each user object’s group membership is recorded in an attribute named gidNumber. This is usually an OpenLDAP directory, or another directory where the object class is inetOrgPerson or posixAccount.
• Windows-AD — The directory uses a schema where each user object’s group membership is recorded in an attribute named memberOf.
See also • Configuring RADIUS queries • Configuring NTLM queries Configuring RADIUS queries FortiWeb can use RADIUS queries to authenticate and authorize end-users’ HTTP requests (see “Offloading HTTP authentication & authorization” on page 225). FortiWeb can also use RADIUS queries to authenticate administrators’ access to the web UI or CLI (see “Grouping remote authentication queries for administrators” on page 218).
4. Configure these settings:
Name: Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. Note: This is the name of the query only, not the administrator or end-user’s account name/login. Administrator account names are defined in Administrator. End-user names are not defined in the configuration; credentials provided by the person during login will be used for the query.
Authentication Scheme: Select either:
• Default to authenticate with the default method. The default authentication scheme uses PAP, MS-CHAP-V2, and CHAP, in that order.
• MS-CHAP-V2, CHAP, MS-CHAP, or PAP, depending on what your RADIUS server requires.
NAS IP: Type the NAS IP address and Called Station ID (for more information about RADIUS Attribute 31, see RFC 2548 Microsoft Vendor-specific RADIUS Attributes).
To configure an NTLM query 1. Go to User > Remote Server > NTLM Server. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see “Permissions” on page 47. 2. Click Create New. A dialog appears. 3. In Name, type a unique name that can be referenced by other parts of the configuration. This is the name of the query only, not the end-user’s account name/login.
3. Click Create New. A dialog appears. 4. In Name, type a name that can be referenced by other parts of the configuration. Do not use special characters. The maximum length is 35 characters. 5. In Auth Type, select one of the authentication types: • Basic — Clear text. This is the original and most compatible authentication scheme for HTTP. However, it is also the least secure as it sends the user name and password unencrypted to the server.
See also • Configuring local end-user accounts • Configuring LDAP queries • Configuring RADIUS queries • Configuring NTLM queries • Offloading HTTP authentication & authorization Applying user groups to an authorization realm Authentication rules are used by the HTTP authentication policy to define sets of request URLs that will be authorized for each end-user group.
5. If you want to require that the Host: field of the HTTP request matches a protected host entry in order to match the HTTP authentication rule, do the following: • Enable Host Status. • From Host, select which protected host entry (either a web host name or IP address) the Host: field of the HTTP request must be. The list contains hosts configured in a protected servers group. For details, see “Defining your protected/allowed HTTP “Host:” header names” on page 249. 6. Click OK. 7. Click Create New.
User Realm: Type the realm, such as Restricted Area, to which the Auth Path belongs. The realm is often used by browsers:
• It may appear in the browser’s prompt for the user’s credentials. Especially if a user has multiple logins, and only one login is valid for that specific realm, displaying the realm helps to indicate which user name and password should be supplied.
To configure an authentication policy 1.
Cache: Enable if you want to cache authentication query results. Tip: This can improve performance, especially if the connection to the remote authentication server is slow or experiences latency.
Alert Type: Select whether to log authentication failures and/or successes:
• None — Do not generate an alert email and/or log message.
• Failed Only — Alert email and/or log messages are caused only by HTTP authentication failures.
11. To apply the authentication policy, select it in an inline protection profile that is included in a policy (see “Configuring a protection profile for inline topologies” on page 468). If you have enabled logging, you can also make reports such as “Top Failed Authentication Events By Day” and “Top Authentication Events By User” to identify hijacked accounts or slow brute force attacks. See “Reports” on page 586.
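To make the reporting step concrete, here is an added example (not FortiWeb's own code, and not its log format) that runs the two analyses mentioned above over a few constructed authentication events: a failed-authentication count per user, and a check for slow brute force guessing, where failures arrive at a low rate against one account and are then followed by a success. The key=value line layout, the field names, the thresholds and the sample lines are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication events in a hypothetical key=value layout.
# The real FortiWeb log format is not reproduced here.
SAMPLE_LOG = """\
2014-02-19 10:00:01 user=alice src=203.0.113.5 result=success
2014-02-19 10:00:04 user=bob src=198.51.100.7 result=failed
2014-02-19 10:05:10 user=bob src=198.51.100.7 result=failed
2014-02-19 10:11:30 user=bob src=198.51.100.7 result=failed
2014-02-19 10:17:02 user=bob src=198.51.100.7 result=failed
2014-02-19 10:30:00 user=carol src=203.0.113.9 result=success
2014-02-19 11:02:00 user=bob src=198.51.100.7 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "user": m.group("user"),
            "src": m.group("src"),
            "result": m.group("result"),
        })
    return events


def top_failed_by_user(events, n=5):
    """'Top Failed Authentication Events By User': (user, failure count) pairs."""
    counts = Counter(e["user"] for e in events if e["result"] == "failed")
    return counts.most_common(n)


def slow_brute_force_candidates(events, min_failures=3, window_minutes=60):
    """Flag (user, src) pairs with at least min_failures failures inside the window.
    Failures spread out slowly enough to stay under a per-minute lockout, followed
    by a success, are the pattern to review when hunting for hijacked accounts."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)
    flagged = []
    for (user, src), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failed"]
        if len(fails) < min_failures:
            continue
        span_minutes = (fails[-1]["ts"] - fails[0]["ts"]).total_seconds() / 60
        if span_minutes > window_minutes:
            continue
        success_after = any(
            e["result"] == "success" and e["ts"] > fails[-1]["ts"] for e in evs
        )
        flagged.append({
            "user": user,
            "src": src,
            "failures": len(fails),
            "span_minutes": round(span_minutes, 1),
            "success_after_failures": success_after,
        })
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(top_failed_by_user(evs))
    for hit in slow_brute_force_candidates(evs):
        print(hit)
```

On the sample data the per-user count puts bob first with four failures, and the slow-brute-force check flags the bob/198.51.100.7 pair, since its four failures fall within one hour and are followed by a success; a per-source variant of the same grouping catches guessing spread across many accounts from one address.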
to the same or other web applications in the same domain do not require the client to authenticate. For example, you may prefer SSO if you are using FortiWeb to replace your discontinued Microsoft Threat Management Gateway, using it as a portal for multiple applications such as SharePoint, Outlook Web Application, Lync, and/or IIS. Your users will only need to authenticate once while using any or all of those resources. To configure offloaded authentication with optional SSO 1.
3. Click Create New and configure the settings:
Published Site: Type a unique name that can be referenced in other parts of the configuration, such as sharepoint.example.com or Outlook. Do not use spaces or special characters. The maximum length is 35 characters.
Path: Type the URL of the request for the web application, such as /owa. It must begin with a forward slash ( / ).
Authentication Delegation: Select what FortiWeb should do after the client successfully authenticates with the authentication server, either:
• HTTP Basic — Use HTTP Authorization: headers with Base64 encoding to forward the client’s credentials to the web application. Typically you should select this option if the web application supports HTTP protocol-based authentication.
• No Delegation — Do not send the client’s credentials to the web application.
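As an added example (not FortiWeb's or Microsoft's code), the following Python sketches the HTTP Basic exchange described in the offloaded-authentication steps and in this delegation setting: the 401 challenge that carries the realm the browser shows in its prompt, decoding and verifying the client's Authorization header, and the two delegation choices, HTTP Basic (re-create the header for the web application) or No Delegation (strip it before forwarding). The user store, the realm text and the header dictionaries are constructed for the example; passwords are held in clear only to keep it short.

```python
import base64
import hmac

# Constructed local user store (hypothetical; not FortiWeb's user database).
# Plaintext passwords keep the example short; a real store holds salted hashes.
USERS = {"user1": "s3cret-pass"}


def challenge(realm):
    """HTTP 401 that asks the client for credentials; browsers show the realm in their prompt."""
    return {"status": 401, "headers": {"WWW-Authenticate": 'Basic realm="%s"' % realm}}


def parse_basic_authorization(header_value):
    """Return (user, password) from 'Basic <base64(user:password)>', or None if malformed."""
    if not header_value:
        return None
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def make_basic_authorization(user, password):
    """Build the header value; this is what HTTP Basic delegation forwards to the web application."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate(headers, realm):
    """Verify the credentials, or repeat the 401 challenge (step 4 of the exchange)."""
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds is None:
        return challenge(realm), None
    user, password = creds
    # compare_digest keeps the password comparison constant-time; it returns False
    # for unequal lengths without raising
    expected = USERS.get(user, "")
    ok = user in USERS and hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))
    if not ok:
        return challenge(realm), None
    return {"status": 200, "user": user}, creds


def handle(headers, delegation="HTTP Basic", realm="Restricted Area"):
    """Authenticate, then build the headers that would be forwarded to the web application."""
    result, creds = authenticate(headers, realm)
    if result["status"] != 200:
        return result
    forwarded = dict(headers)
    if delegation == "HTTP Basic":
        forwarded["Authorization"] = make_basic_authorization(*creds)
    else:  # No Delegation: the credentials never reach the web application
        forwarded.pop("Authorization", None)
    return {"status": 200, "user": result["user"], "forwarded_headers": forwarded}
```

Because Basic only Base64-encodes the credentials, both the client-facing and the delegated hop carry them in a reversible form, which is why the guide pairs this scheme with HTTPS on the client side and why No Delegation is the safer choice when the web application does not need the password itself.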
11. Select the site publishing policy in an inline web protection profile (see “Configuring a protection profile for inline topologies” on page 468). The profile must be used in the policy applying your domain’s virtual servers. 12. To verify the configuration, log in to one of the web applications, then log in to another web application in the same domain that should be part of the SSO domain. See also • Offloading HTTP authentication & authorization Example: Enforcing complex passwords Example Co.
Defining your web servers & load balancers To apply policies correctly and log accurately, it is important that FortiWeb is aware of certain other points on your network. In order to scan traffic for your web servers, first FortiWeb must know which IP addresses and HTTP Host: names to protect. If there are proxies and load balancers in the network stream between your client and your FortiWeb, you will also want to define them.
Defining your protected/allowed HTTP “Host:” header names A protected host group (also called “allowed hosts” or “protected hosts”, depending on how the host name is used in each context) defines one or more IP addresses or fully qualified domain names (FQDNs). Each entry in the group defines a virtual or real web host, according to the Host: field in the HTTP header of requests.
The virtual hosts would be added to the list of FortiWeb’s protected hosts, while the network adapters’ IP addresses would be added to the list of physical servers. To configure a protected host group 1. Go to Server Objects > Protected Servers > Protected Servers. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “Permissions” on page 47. 2. Click Create New.
7. In Host, enter the IP address or FQDN of a real or virtual host, according to the Host: field in HTTP requests. If clients connect to your web servers through the IP address of a virtual server on the FortiWeb appliance, this should be the IP address of that virtual server or any domain name to which it resolves, not the IP address of the protected web server. For example, if a virtual server 10.0.2.1/24 forwards traffic to the physical server 192.0.2.1, for protected hosts, you would enter: • 10.0.2.
settings. Alternatively, you can use domain names to define the protected web servers. For details, see “Defining your web server by its DNS domain name” on page 253. A physical server is usually not the same as a protected hosts group. See “Protected web servers vs. protected/allowed host names” on page 248. To configure a physical server 1. Go to Server Objects > Server > Physical Server.
Defining your web server by its DNS domain name “Domain servers” use DNS A record domain names to define a web server, while “physical servers” use IP addresses.
4. In Domain, type the domain name of the domain server, such as example.com. If a policy has any domain servers whose DNS names resolve to IPv6 addresses, it will not apply features that do not yet support IPv6, even if they are selected. 5. Click OK. 6. To use the domain server, either select it within a server policy, or group it into a server farm that is selected in a server policy. For details, see “Configuring a server policy” on page 483 or “Grouping your web servers into server farms” on page 256.
2. Go to Server Objects > Server Health Check > Server Health Check. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see “Permissions” on page 47. The Details column displays the URL used in the GET request if the server health check Type is HTTP/HTTPS. 3. Click Create New. A dialog appears. 4.
URL Path: Type the URL, such as /index.html, that will be used in the HTTP/HTTPS GET request to verify the responsiveness of the server. If the web server successfully returns this URL, and its content matches your expression in Matched Content, it is considered to be responsive. This option appears only if Protocol Type is HTTP/HTTPS. The maximum length is 127 characters.
Timeout: Type the maximum number of seconds that can pass after the server health check.
receives the connection depends on your configuration of load-balancing algorithm, weight, server health checking, or HTTP header-based content routing. To prevent traffic from being forwarded to unavailable web servers, the availability of physical and domain servers in a server farm can be verified using a server health check.
Type: Select the method of distribution that the FortiWeb appliance will use when forwarding connections to the web servers in this server farm.
• Server Balance — Uses a load-balancing algorithm when distributing TCP connections amongst the web servers in a server farm. If a web server is unresponsive to the server health check, the FortiWeb appliance forwards subsequent connections to another web server in the server farm.
7. Configure these settings:
ID: Type the index number of the web server entry within the server farm, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number. The first web server will receive connections if you have configured HTTP content routing and the other server is unavailable. For round robin-style load-balancing, the index number indicates the order in which connections will be distributed.
SSL: Enable if:
• connections to the server use SSL, and
• the FortiWeb appliance is operating in a mode other than reverse proxy
Also configure Certificate File. Unlike HTTPS Service in policies, when you enable this option, the FortiWeb appliance will not apply SSL. Instead, it will use the certificate to decrypt and scan connections before passing the encrypted traffic through to the web servers or clients (SSL inspection). See “Offloading vs. inspection” on page 277. SSL 3.
Certificate Verification: Select the name of a certificate verifier, if any, to use when an HTTP client presents their personal certificate. (If you do not select one, the client is not required to present a personal certificate. See also “How to apply PKI client authentication (personal certificates)” on page 293.) Personal certificates, sometimes also called user certificates, establish the identity of the person connecting to the web site.
Weight: If the server farm will be used with the weighted round-robin load-balancing algorithm in the policy, type the numerical weight of the web server to be used when proportionately distributing TCP connections. Web servers with a greater weight will receive a greater proportion of connections.
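The health check and weighted round-robin settings above, as an added example that is not FortiWeb's implementation: each back-end's answer to the health-check GET is a constructed stand-in (status, body, elapsed seconds) so that the example runs offline, and the distribution function uses the smooth weighted round-robin algorithm, which is an assumption, since the guide does not state which weighted algorithm FortiWeb uses. Server addresses and weights are constructed.

```python
import re

# Constructed health-check settings, mirroring the fields described above.
HEALTH_CHECK = {"url_path": "/index.html", "matched_content": r"Welcome", "timeout": 3.0}

# Constructed stand-ins for the back-end servers' answers to the GET:
# (HTTP status, body, seconds taken). No real connection is made.
FAKE_RESPONSES = {
    "192.0.2.10": (200, "<html>Welcome</html>", 0.2),
    "192.0.2.11": (200, "<html>Maintenance page</html>", 0.1),  # content mismatch
    "192.0.2.12": (200, "<html>Welcome</html>", 5.0),            # slower than Timeout
    "192.0.2.13": (503, "", 0.1),                                # error status
    "192.0.2.14": (200, "<html>Welcome back</html>", 0.3),
}

# Constructed server farm: entries and their Weight values.
SERVERS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]
WEIGHTS = {"192.0.2.10": 3, "192.0.2.11": 1, "192.0.2.12": 1, "192.0.2.13": 1, "192.0.2.14": 1}


def fake_get(server, path):
    """Stand-in for an HTTP/HTTPS GET of `path` on `server`."""
    return FAKE_RESPONSES[server]


def is_responsive(server, check=HEALTH_CHECK, get=fake_get):
    """A server passes only if it answers within Timeout, returns the URL successfully
    and the body matches the Matched Content expression."""
    status, body, seconds = get(server, check["url_path"])
    if seconds > check["timeout"] or status != 200:
        return False
    return re.search(check["matched_content"], body) is not None


def weighted_round_robin(servers, weights, healthy, n):
    """Smooth weighted round-robin (assumed algorithm): every pick adds each live
    server's weight to its counter, takes the highest counter, then subtracts the
    total weight from it. Unresponsive servers are skipped, so their share of
    connections moves to the servers that passed the health check."""
    live = [s for s in servers if healthy.get(s)]
    if not live:
        raise RuntimeError("no responsive web server in the server farm")
    total = sum(weights[s] for s in live)
    current = {s: 0 for s in live}
    order = []
    for _ in range(n):
        for s in live:
            current[s] += weights[s]
        best = max(live, key=lambda s: current[s])  # first of equals wins, like the ID order
        current[best] -= total
        order.append(best)
    return order


def farm_state(servers=SERVERS, weights=WEIGHTS, n=8):
    """Run the health check over the farm, then show where the next n connections go."""
    healthy = {s: is_responsive(s) for s in servers}
    return healthy, weighted_round_robin(servers, weights, healthy, n)


if __name__ == "__main__":
    state, order = farm_state()
    print(state)
    print(order)
```

With the constructed responses only two servers pass the check, so the eight connections split 6:2 between them according to their 3:1 weights, and the three failing servers (wrong content, too slow, error status) receive nothing until a later check passes.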
HTTP header-based routes (called “HTTP content routing policies” in the web UI) each define a set of requests that will be routed to a specific back-end web server in your server farm, based upon the URL and/or Host: field in the HTTP header. Configure one HTTP content routing policy per web server. If you have configured request rewriting, configure HTTP content-based routing using the original request URL and/or Host: name, as it appears before FortiWeb has rewritten it.
Type: Indicate whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
URL Pattern: Depending on your selection in the Type field, enter either:
• the literal URL, such as /index.php, that the HTTP request must contain in order to match the rule. The URL must begin with a forward slash ( / ).
• a regular expression, such as ^/*.
Example: Routing according to URL/path Your FortiWeb appliance might have one virtual server (the front end) protecting three physical web servers (the back end). From the perspective of clients connecting to the front end, there is one domain name: www.example.com. At this host name, there are three top-level URLs: • /games — Game application • /school — School application • /work — Work application In a client’s web browser, therefore, they might go to the location: http://www.example.
alias. When configuring FortiWeb, each web server was defined using its DNS alias, rather than its IP address: • www1.example.com — Hosts www.example.com, plus all other host names’ content, in case the other web servers fail or have scheduled down time • www2.example.com — Hosts www.example.de • www3.example.com — Hosts www.example.cn & www.example.co.
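An added example (not FortiWeb code) that evaluates content routing policies of both types, first match wins, for the two scenarios above: the /games, /school and /work paths on www.example.com, and the per-host routing to www1, www2 and www3.example.com with www1 as the default. The three path-based back-end names, the regular expression for /work and the rule order are constructed; the host names come from the examples in the text.

```python
import re

# Constructed HTTP content routing policies, one per back-end web server, evaluated
# first-match in order. The games/school/work back-end names are placeholders; the
# www1/www2/www3.example.com aliases come from the second example in the text.
ROUTES = [
    {"host": "www.example.com", "type": "Simple String", "url_pattern": "/games", "server": "games-server"},
    {"host": "www.example.com", "type": "Simple String", "url_pattern": "/school", "server": "school-server"},
    {"host": "www.example.com", "type": "Regular Expression", "url_pattern": r"^/work(/|$)", "server": "work-server"},
    {"host": "www.example.de", "type": None, "url_pattern": None, "server": "www2.example.com"},
    {"host": "www.example.cn", "type": None, "url_pattern": None, "server": "www3.example.com"},
]
DEFAULT_SERVER = "www1.example.com"  # hosts everything else, and stands in when the others fail


def split_target(target):
    """'/games/lobby?x=1' -> ('/games/lobby', 'x=1'): the rules look at the path, not the query."""
    path, _, query = target.partition("?")
    return path, query


def matches(rule, host, path):
    """Host must equal the rule's host (if set); the URL pattern is then tested by its Type."""
    if rule["host"] and rule["host"].lower() != host.lower():
        return False
    pattern = rule["url_pattern"]
    if pattern is None:
        return True
    if rule["type"] == "Simple String":
        return pattern in path          # literal URL that the request must contain
    return re.search(pattern, path) is not None


def route(host, target, rules=ROUTES, default=DEFAULT_SERVER):
    """Pick the back-end for a request. Pass the *original* Host: and URL, as they
    look before any rewriting rule has changed them."""
    path, _ = split_target(target)
    host = host.split(":")[0]           # drop any :port in the Host: field
    for rule in rules:
        if matches(rule, host, path):
            return rule["server"]
    return default


if __name__ == "__main__":
    for h, t in [("www.example.com", "/games/lobby?level=2"), ("www.example.de", "/"), ("www.example.com", "/about")]:
        print(h, t, "->", route(h, t))
```

Note the difference between the two Type values: a Simple String such as /games matches anywhere in the path, whereas the anchored expression ^/work(/|$) sends /work and /work/... to the work server but leaves /workshop to the default; when a literal prefix is what you mean, an anchored regular expression is the less surprising choice.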
attack logs and reports to show the IP of the actual attacker, rather than misleadingly blaming the load balancer. • The web server needs the client’s source IP address for purposes such as analytics, but FortiWeb is operating in reverse proxy mode, which applies NAT, and therefore all requests appear to come from FortiWeb’s IP address.
2. Configure these settings:
Name: Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. Note: The name cannot be changed after this part of the configuration is saved. To rename a part of the configuration, clone it, select it in all parts of the configuration that reference the old name, then delete the item with the old name.
3. Click OK. 4. To apply the X-header rule, select it when configuring an inline protection profile (see “Configuring a protection profile for inline topologies” on page 468). Indicating to back-end web servers that the client’s request was HTTPS Usually if your FortiWeb is receiving HTTPS requests from clients, and it is operating in reverse proxy mode, SSL/TLS is being offloaded.
FortiWeb will also use the original source IP as the basis for blocking when using some features that operate on the source IP:
• DoS prevention
• brute force login prevention
• period block
As with addresses at the IP layer, attackers can spoof and alter addresses in the HTTP layer. Do not assume that they are 100% accurate, unless there are anti-spoofing measures in place such as defining trusted providers of X-headers.
2. Configure these settings:
Use X-Header to Identify Original Client’s IP: If FortiWeb is deployed behind a device that applies NAT, enable this option to derive the original client’s source IP address from an HTTP X-header, instead of the SRC field in the IP layer. Then type the key such as X-Forwarded-For or X-Real-IP, without the colon ( : ), of the X-header that contains the original source IP address of the client.
4. Click Create New. A sub-dialog appears. 5. In IP, type the IP address of the external proxy or load balancer according to packets’ SRC field in the IP layer when received by FortiWeb. To apply anti-spoofing measures and improve security, FortiWeb will trust the contents of the HTTP header that you specified in Use X-Header to Identify Original Client’s IP only if the packet arrived from one of the IP addresses you specify here. Other packets’ X-headers will be regarded as potentially spoofed. 6.
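An added example, not FortiWeb's own logic, of the anti-spoofing rule in this procedure: the X-header is consulted only when the packet's IP-layer source is one of the trusted proxies or load balancers, and otherwise the IP-layer source is used. Because X-Forwarded-For can carry a comma-separated chain, the example reads it from the right and stops at the first address that is not a trusted proxy, so anything a client prepended itself is ignored. The addresses, networks and header values are constructed.

```python
import ipaddress


def _header(headers, name):
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def original_client_ip(packet_src, headers, header_name="X-Forwarded-For", trusted_proxies=()):
    """Return (client_ip, from_header).

    The X-header is honoured only if the packet's IP-layer source belongs to one of
    trusted_proxies; otherwise the header is treated as potentially spoofed and the
    IP-layer source is used. For a comma-separated chain the value is read from the
    right: trusted hops are skipped and the first address that is not a trusted proxy
    is taken as the client."""
    src = ipaddress.ip_address(packet_src)
    nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def trusted(ip):
        return any(ip in n for n in nets)

    if not trusted(src):
        return str(src), False            # not from a known proxy: ignore the header
    raw = _header(headers, header_name)
    if not raw:
        return str(src), False            # trusted proxy, but it sent no header
    for item in reversed([x.strip() for x in raw.split(",")]):
        try:
            ip = ipaddress.ip_address(item)
        except ValueError:
            return str(src), False        # malformed header: fall back rather than trust it
        if not trusted(ip):
            return str(ip), True
    return str(src), False                # every listed hop was one of our own proxies


if __name__ == "__main__":
    trusted = ["192.0.2.0/24"]
    print(original_client_ip("192.0.2.5", {"X-Forwarded-For": "10.9.9.9, 198.51.100.23"}, trusted_proxies=trusted))
    print(original_client_ip("203.0.113.77", {"X-Forwarded-For": "10.9.9.9"}, trusted_proxies=trusted))
```

The second value in the tuple tells a log consumer whether the address came from the header or from the IP layer, which is worth recording: a block on a header-derived address is only as good as the proxy that inserted it.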
When the FortiWeb appliance receives traffic destined for a virtual server, it can then forward the traffic to a web server or a server farm.
5. In Interface, select the network interface or bridge to which the virtual server is bound, and where traffic destined for the virtual server will arrive. To configure an interface or bridge, see “Network interface or bridge?” on page 111. 6. Click OK. 7. To define the listening port of the virtual server, create a custom service (see “Defining your network services” on page 274). 8.
5. Click OK. 6. To use the custom service definition to define the listening port of a virtual server on the FortiWeb, select it as the HTTP Service or HTTPS Service when configuring a policy (see “Configuring a server policy” on page 483). See also • Predefined services • Configuring a server policy Predefined services Server Objects > Service > Predefined displays the list of predefined services.
Disabled virtual servers can be selected in a server policy, but will result in a policy that is unable to forward traffic until the virtual server is enabled. You can select disabled physical and domain servers for a server farm, but they will not be used when forwarding traffic. By default, physical and domain servers are enabled and the FortiWeb appliance can forward traffic to them.
Secure connections (SSL/TLS) When a FortiWeb appliance initiates or receives an SSL or TLS connection, it will use certificates. Certificates can be used in HTTPS connections for: • encryption • decryption and inspection • authentication of clients • authentication of servers FortiWeb may require you to provide certificates and CRLs even if your web sites’ clients do not use HTTPS to connect to the web sites.
When SSL offloading, the web server does not use its own server certificate. Instead, FortiWeb acts like an SSL proxy for the web server, possessing the web server’s certificate and using it to: • authenticate itself to clients • decrypt requests • encrypt responses whenever a client requests an HTTPS connection to that web server. As a side effect of being an SSL terminator, the FortiWeb is in possession of both the HTTP request and reply in their decrypted state.
Supported cipher suites & protocol versions How secure is an HTTPS connection? This depends partly on physical considerations such as restricting access to private keys and decrypted traffic (see “Offloading vs. inspection” on page 277). Another part is the encryption. A secure connection’s protocol version and cipher suite, including encryption bit strength and encryption algorithms, is negotiated between the client and the SSL/TLS terminator during the handshake.
Generally speaking, for security reasons, TLS 1.1, AES-256 or ECC, and SHA-1 are preferable, although you may not be able to use them for client compatibility reasons. Avoid using:
• SSL 2.0
• TLS 1.0
• Older hash algorithms, such as MD5. (On modern computers, these can be cracked quickly.)
• Ciphers with known vulnerabilities, such as some implementations of RC4, AES and DES (e.g. To protect clients with incorrect CBC implementations for AES and DES, configure Prioritize RC4 Cipher Suite.
To upload a CA’s certificate 1. Obtain a copy of your CA’s certificate file. If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or other folder. If you are using your own private CA, download a copy from your CA’s server. For example, on Windows Server 2003, you would go to: https://<CA server IP>/certsrv/ where <CA server IP> is the IP address of your CA server. Log in as Administrator.
4. To select a certificate, either: • Enable SCEP and in the field to the right of it, type the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediary network devices to obtain certificates.) To specify a specific CA, type an identifier in the field below the URL. • Enable Local PC and browse to find a certificate file. 5. Click OK. 6.
6. Click Create New. A dialog appears. 7. In ID, enter the index number of the host entry within the group, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number. 8. In CA, select the name of a certificate authority’s certificate that you previously uploaded and want to add to the group. 9. Click OK. 10. Repeat the previous steps for each CA that you want to add to the group. 11.
Table 34: System > Certificates > Local
Generate: Click to generate a certificate signing request. For details, see “Generating a certificate signing request” on page 285.
Import: Click to upload a certificate. For details, see “Uploading a server certificate” on page 289.
View Certificate Detail: Click to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
Although they do not present a certificate during SSL/TLS inspection, FortiWeb still requires server certificates in order to decrypt and scan HTTPS connections travelling through it (SSL inspection) if operating in any mode except reverse proxy. Otherwise, FortiWeb will not be able to scan the traffic, and will not be able to protect that web server.
3. Configure the certificate signing request:
Certification Name: Enter a unique name for the certificate request, such as www.example.com. This can be the name of your web site.
Key Type: Displays the type of algorithm used to generate the key. This option cannot be changed, but appears in order to indicate that only RSA is currently supported.
Key Size: Select a secure key size of 512 Bit, 1024 Bit, 1536 Bit or 2048 Bit.
Subject Information: Includes information that the certificate is required to contain in order to uniquely identify the FortiWeb appliance. This area varies depending on the ID Type selection.
ID Type: Select the type of identifier to use in the certificate to identify the FortiWeb appliance:
• Host IP — Select if the FortiWeb appliance has a static IP address and enter the public IP address of the FortiWeb appliance in the IP field.
E-mail: Type the email address of the owner of the FortiWeb appliance, such as admin@example.com. This option appears only if ID Type is E-Mail.
Optional Information: Includes information that you may include in the certificate, but which is not required.
Organization unit: Type the name of your organizational unit (OU), such as the name of your department. This is optional. To enter more than one OU name, click the + icon, and enter each OU separately in each field.
Uploading a server certificate You can import (upload) either: • Base64-encoded • PKCS #12 RSA-encrypted X.509 server certificates and private keys to the FortiWeb appliance. DSA-encrypted certificates are not supported if the FortiWeb appliance is operating in a mode other than reverse proxy. See “Supported features in each operation mode” on page 62.
To upload a certificate The total file size of all certificates, private keys, and any other uploaded files may not exceed 12 MB. 1. Go to System > Certificates > Local. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see “Permissions” on page 47. 2. Click Import. A dialog appears. 3.
5. To use a certificate, you must select it in a policy or server farm (see “Configuring a server policy” on page 483 or “Grouping your web servers into server farms” on page 256).
3. Do one of the following to locate a certificate: • Select SCEP and enter the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediate network devices to obtain certificates.) To specify a specific certificate authority, enter an identifier in the field below the URL. • Select Local PC, then browse to locate a certificate file. 4. Click OK. 5. Go to System > Certificates > Intermediate CA Group.
See also • Supplementing a server certificate with its signing chain • How operation mode affects server policy behavior How to apply PKI client authentication (personal certificates) If your clients will connect to your web sites using HTTPS, you can configure FortiWeb to require clients to present a personal certificate during the handshake in order to confirm their identities. This is sometimes called public key infrastructure (PKI) authentication (RFC 5280).
Figure 39: Bilateral authentication
PKI authentication relies on these factors to strongly confirm identity: • Sole private key possession — As with all X.509 certificates, a client’s identity can only be irrefutably confirmed if no one else except that person has that certificate’s private key. The private key is a randomized string of text that has a hard-to-guess relationship with its corresponding public key.
• Asymmetric encryption — Public key encryption is a type of asymmetric encryption: it is based upon two keys that are different — but exactly paired — mathematical complements. Only the private key can decrypt data that was encrypted by its public key. The inverse is also true: only the public key can decrypt data that was encrypted by its private key. This is true, for example, in the RSA cryptographic algorithm.
Figure 40: RSA algorithm
SSL 3.0 or TLS 1.0 is required.
generated from it is also guaranteed to come only from that client. The client will sign a certificate with its matching public key. Because certificate authorities (CA) sign applicants’ certificates, third parties who have that CA’s certificate can also confirm that that CA certified the applicant’s identity, and the certificate was not forged. • Chain of trust — What if a device does not know the CA that signed the connecting party’s certificate? Since there are many CAs, this is a common scenario.
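To make the key-pairing argument above concrete, here is an added textbook RSA example (not FortiWeb's or any library's implementation; no padding, tiny primes, for illustration only): a key pair derived from two primes, encryption with the public exponent that only the private exponent undoes, and a signature over a message digest that anyone holding the public key can verify but only the private key holder can produce, which is what a CA's signature on a certificate relies on. The primes and messages are constructed; the 61/53 pair is the common worked example for RSA.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Textbook RSA key generation from two primes: n is public, d is the secret exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse: e*d = 1 (mod phi); needs Python 3.8+
    return (n, e), (n, d)          # (public key, private key)


def encrypt(public, m):
    """Only the matching private key can recover m from the result."""
    n, e = public
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def _digest_mod_n(message, n):
    """Reduce a SHA-256 digest into the RSA modulus (a real scheme pads instead)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message):
    """Only the private key holder can produce this value for the message."""
    n, d = private
    return pow(_digest_mod_n(message, n), d, n)


def verify(public, message, signature):
    """Anyone with the public key can check the signature; a different message or a
    different key pair fails the check."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)
    c = encrypt(pub, 65)
    print(pub, priv, c, decrypt(priv, c))
    s = sign(priv, b"hello")
    print(s, verify(pub, b"hello", s), verify(pub, b"hellp", s))
```

Sole private key possession is exactly the property the CA depends on: in the example, a signature produced with a second key pair does not verify under the first public key, just as a personal certificate signed by an unknown CA does not chain to the trusted one.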
Example: Generating & downloading a personal certificate from Microsoft Windows 2003 Server If you are running Microsoft Certificate Services on Microsoft Windows 2003 Server, you can use your server as a CA, to generate and sign personal certificates on behalf of your clients. As part of signing the certificate, the CA will send the finished personal certificate to your web browser.
5. Click the advanced certificate request link. The Advanced Certificate Request page appears. 6. Click the Create and submit a request to this CA link. The Certificate Request Template appears. 7. In the Certificate Template drop-down list, select the Client Authentication template (or a template that you have created for the purpose using Microsoft Management Console (MMC)). Fortinet 298 FortiWeb 5.
8. In the Name field, type the name of the end-user on whose behalf the client certificate request is being made. This will be the Subject: field in the certificate. Other fields are optional. 9. Click Submit. The certificate signing request (CSR) is submitted to the CA. 10. If a message appears, warning you that the web site is requesting a new certificate on your behalf, click Yes to proceed. Once the CA server generates the requested certificate, the Certificate Issued window appears. 11.
2. Go to Tools [gear icon] > Internet options. The Internet Options dialog window appears. 3. Click the Content tab.
4. Click the Certificates button. The Certificates dialog window appears. By default, the Personal tab is front most. 5. Click to select a personal certificate in the list. 6. Click Export. The Certificate Export Wizard dialog appears.
7. Click Next. The Export Private Key step appears. 8. Select Yes, export the private key. The end-user will require his or her private key in order to authenticate. Without that token (or if many people possess that token), identity cannot be confirmed. Transmit and store any private key backups securely, just as you would for passwords.
9. Click Next. The Export File Format step appears. 10. Select Personal Information Exchange - PKCS #12 (.PFX) as the file format. 11. If you need to absolutely guarantee identity (i.e. not even you, the administrator, will have the end-user’s private key installed — only the end-user will), mark the check box named Delete the private key if the export is successful. For improved performance, do not include all CA certificates from the personal certificate’s certification path (i.e.
12. Click Next. The Password step appears. 13. Enter and confirm the spelling of the password that will be used to password-protect and encrypt the exported certificate and its private key.
14. Click Next. The File to Export step appears. 15. In File name, enter a unique file name for the certificate, then click Browse to specify the location where you want to save the exported certificate and private key. Use a consistent naming convention. This will minimize the likelihood that you confuse one person’s private key with another’s, deliver it to the wrong person, and therefore need to revoke the corresponding certificate and generate a new one. 16.
Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server If you generated and signed your end-users’ personal certificates using Microsoft Certificate Services on Microsoft Windows 2003 or 2008 Server, you must download the CA’s certificate and provide it to the FortiWeb appliance so that it will be able to verify the CA signature on each personal certificate. To download a CA certificate from Microsoft Windows 2003 Server 1. On your management computer, start your web browser. 2.
7. If your browser prompts you, select a location to save the CA’s certificate file. Example: Importing the personal certificate & private key to a client’s trust store on Microsoft Windows 7 If you need to import one or two certificates to a person’s computer on his or her behalf, you can manually import the .pfx file.
2. Go to Tools [gear icon] > Internet options. The Internet Options dialog window appears. 3. Click the Content tab.
4. Click the Certificates button. The Windows Certificates store dialog window appears. By default, the Personal tab is front most. 5. Click Import. The Certificate Import Wizard appears.
6. Click Next. The File to Import step appears. 7. If you double-clicked the certificate and private key file to start the wizard, the file is already specified in File name. Otherwise, click Browse. Go to the location where you downloaded the personal certificate. From Files of type, select Personal Information Exchange (*.pfx, *.p12), All Files (*.*), or whatever file format was used to export the certificate. Finally, select the certificate file, and click Open.
8. Click Next. The Password step appears. 9. In Password, type the password that was used to secure the private key. (If the certificate was made on your behalf by an administrator, this is the password that the administrator used when exporting your .pfx file. He or she must provide this password to you.)
10. Click Next. The Certificate Store step appears. 11. Select either: • Automatically select the certificate store based on the type of certificate — Your personal certificate will automatically be placed in the default personal certificate store, as long as it was created correctly. • Place all certificates in the following store — Click the Browse button to manually indicate your personal certificate store. 12. Click Next. 13. Click Finish. If the import is successful, a notification appears. 14. Click OK.
15. Click the Advanced tab. 16. In the Settings area, scroll down to the Security settings. 17. Enable Check for server certificate revocation. 18. Click OK to save your settings and close the Internet Options dialog window. 19. Close Internet Explorer. The Check for server certificate revocation option will not take effect until you restart the browser. To import a client certificate into Google Chrome on Microsoft Windows 7 1. Start Google Chrome. 2.
3. At the bottom of the page, click Show advanced settings to reveal additional settings, including, towards the bottom of the page, HTTPS/SSL. 4. In the HTTPS/SSL area, enable Check for certificate revocation. 5. Click the Manage certificates button. The Windows Certificates store dialog window appears. (In Mac OS X, this is the Keychain Access application instead.) By default, the Personal tab is front most. Continue with step 5 in “To import a client certificate into Microsoft Windows 7” on page 307.
Figure 41: Importing a personal certificate in Google Chrome — [Wrench icon] > Options > Under the Hood, click Manage Certificates, then click Import
Uploading the CA’s certificate to FortiWeb’s trusted CA store In order for FortiWeb to be able to verify the CA’s signature on clients’ personal certificates when they connect, the CA’s certificate must exist in FortiWeb’s trusted CA certificate store.
Configuring FortiWeb to validate client certificates To be valid, a client certificate must: • not be expired or not yet valid • not be revoked by either certificate revocation list (CRL) or, if enabled, online certificate status protocol (OCSP) • be signed by a certificate authority (CA) whose certificate you have imported into the FortiWeb appliance (see “Uploading trusted CAs’ certificates” on page 280); • contain a CA field whose value matches a CA’s certificate • contain an Issuer field whose value mat
Setting name Description OCSP Select the name of an existing online certificate status protocol (OCSP) certificate, if any, that you want to use to verify the revocation status of client certificates. See “Revoking certificates by OCSP query” on page 319. CRL Select the name of an existing certificate revocation list, if any, to use to verify the revocation status of client certificates. See “Revoking certificates” on page 318. 5. Click OK. 6.
When a PKI authentication attempt fails, if you have enabled logging, attack log messages will be recorded. Messages vary by the cause of the error.
3. Do one of the following to locate a CRL file: • Select HTTP, then enter the URL of an HTTP site providing a CRL service. • Select SCEP, then enter the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediate network devices to obtain certificates.) • Select Local PC, then browse to locate a certificate file. 4. Click OK.
See also • How to offload or inspect HTTPS • Revoking certificates How to export/back up certificates & private keys Because your X.509 certificates are vital for FortiWeb to protect HTTPS transactions, when preparing a full FortiWeb backup, make sure that your certificates are included. Should FortiWeb experience hardware failure, this will minimize time required for you to reconfigure a replacement appliance.
Access control You can control clients’ access to your web applications and limit the rate of requests. There are multiple ways to do this, depending on whether your goal is to act based upon the URL, the client’s source IP, or something more complex.
3. Configure these settings: Setting name Description Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. Host Status Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the URL access rule. Also configure Host.
Setting name Description Severity When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule: • Low • Medium • High The default value is High. Trigger Action Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See “Configuring triggers” on page 557. 4.
Domain Type the fully qualified domain name (FQDN) that a client source IP must reverse resolve to in order to match. This option appears only if Source Address Type is Domain. URL Type Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression). URL Pattern Depending on your selection in URL Type, enter either: • the literal URL, such as /admin.php. The URL must begin with a slash ( / ).
3. Click Create New. A dialog appears. 4. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. 5. Click OK. 6. Click Create New to add an entry to the set. A dialog appears. 7. In Priority, enter the priority for this rule in relation to other defined rules.
Advanced access control rules provide a degree of flexibility for these types of complex conditions. You can combine any or all of these criteria: • source IP • rate limit • HTTP header • URL In the rule, add all criteria that you require allowed traffic to match. X-header-derived client source IPs (see “Defining your proxies, clients, & X-headers” on page 266) do not support this feature in this release.
3. Configure these settings: Setting name Description Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. Action Select which action the FortiWeb appliance will take when it detects a violation of the rule: • Alert — Accept the request and generate an alert email and/or log message. • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message.
Setting name Description Block Period Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 (1 hour). The default value is 60. See also “Monitoring currently blocked IPs” on page 606.
your exact value or matches your regular expression (depending on whether you have selected Simple String or Regular Expression). Value matching is case sensitive. To prevent accidental matches, specify as much of the header’s value as possible. Do not use an ambiguous substring. For example, entering the value 192.168.1.1 would also match the IPs 192.168.10-19 and 192.168.100-199. This result is probably unintended. The better solution would be to configure either: • a regular expression such as ^192.168.
you can configure FortiWeb to use the FortiGuard IP Reputation. IP reputation leverages many techniques for accurate, early, and frequently updated identification of compromised and malicious clients so you can block attackers before they target your servers.
2. Go to IP Reputation > IP Reputation > Policy. 3. In the Status column, enable categories of disreputable clients that you want to block and/or log. APTs often mask their source IP using anonymizing proxies. While casual attackers will move on to easier potential targets if their initial attempts fail, APTs are motivated to persist until they achieve a successful breach. Early warning can be critical.
In such cases, when requests appear to originate from other parts of the world, it may not be worth the security risk to accept them. • DDoS botnets and mercenary hackers might be the predominant traffic source. • Anonymizing VPN services or Tor may have been used to mask the true source IP of an attacker that is actually within your own country.
4. Click Create New. A dialog appears. 5. Configure these settings: Setting name Description Name Type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. Severity When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field.
8. From the Country list on the left, select one or more geographical regions that you want to block, then click the right arrow to move them to the Selected Country list on the right. In addition to countries, the Country list also includes distinct territories within a country, such as Puerto Rico and United States Minor Outlying Islands, and regions that are not associated with any country, such as Antarctica. 9. Click OK. The web UI returns to the initial dialog.
Blacklisting & whitelisting clients individually by source IP You can define which source IP addresses are trusted clients, undetermined, or distrusted. • Trusted IPs — Almost always allowed to access your protected web servers. Trusted IPs are exempt from many (but not all) of the restrictions that would otherwise be applied by a server policy. For a list of skipped scans, see “Sequence of scans” on page 23.
2. Go to Web Protection > Access > IP List. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions” on page 47. 3. Click Create New. A dialog appears. 4. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. 5. Click OK. 6.
Setting name Description Severity When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when a blacklisted IP address attempts to connect to your web servers: • Low • Medium • High Trigger Action Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a blacklisted IP address’s attempt to connect to your web servers.
Rate limiting In addition to controlling which URLs a client can access, you can control how often. This can be especially important for preventing scouting and brute force password attacks. If a client is not really interested in actually receiving a response and/or attempting to authenticate or connect, but is simply attempting to consume resources in order to deprive legitimate clients, consider more than simple HTTP-layer rate limiting. See also “DoS prevention” on page 338.
See also • Limiting the total HTTP request rate from an IP • Limiting TCP connections per IP address by session cookie • Preventing an HTTP request flood • Preventing automated requests • Configuring browser enforcement exceptions Limiting the total HTTP request rate from an IP You can limit the number of HTTP requests per second, per source IP address. This feature is similar to DoS Protection > Application > HTTP Flood Prevention.
4. Configure these settings:
Setting name Description Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. HTTP Request Limit/sec (Standalone IP) Type a rate limit for the maximum number of HTTP requests per second from each source IP address that is a single HTTP client.
Setting name Description Real Browser Enforcement If you want to return JavaScript to the client to test whether it is a web browser or an automated tool when it exceeds the rate limit, enable this option. If the client fails the test, or if it does not return results before the Validation Timeout, FortiWeb will apply the Action. If the client appears to be a web browser, FortiWeb will allow the client to exceed the rate limit. See also “Bot analysis” on page 605.
Setting name Description Action Select which action the FortiWeb appliance will take when it detects a violation of the rule: • Alert — Accept the request and generate an alert email and/or log message. • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that will be returned to the client with the HTTP status code. See “Uploading a custom error page” on page 467 or Error Message.
Setting name Description Severity When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule: • Low • Medium • High The default value is High. Trigger Action Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See “Configuring triggers” on page 557. 5.
To configure a TCP connection limit per session 1. Go to DoS Protection > Application > Malicious IPs. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions” on page 47. 2. Click Create New. A dialog appears. 3. Configure these settings: Setting name Description Name Type a unique name that can be referenced in other parts of the configuration.
Setting name Description Action Select which action the FortiWeb appliance will take when it detects a violation of the rule: • Alert — Accept the request and generate an alert email and/or log message. • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that will be returned to the client with the HTTP status code. See “Uploading a custom error page” on page 467 or Error Message.
Setting name Description Severity When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule: • Low • Medium • High The default value is High. Trigger Action Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See “Configuring triggers” on page 557. 4.
If the rate exceeds the limit, the FortiWeb appliance executes the Action. This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines. To configure HTTP flood prevention 1. Go to DoS Protection > Application > HTTP Flood Prevention. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions” on page 47. 2.
Setting name Description Real Browser Enforcement If you want to return JavaScript to the client to test whether it is a web browser or an automated tool when it exceeds the rate limit, enable this option. If the client fails the test, or if it does not return results before the Validation Timeout, FortiWeb will apply the Action. If the client appears to be a web browser, FortiWeb will allow the client to exceed the rate limit. See also “Bot analysis” on page 605.
Setting name Description Action Select which action the FortiWeb appliance will take when it detects a violation of the rule: • Alert — Accept the request and generate an alert email and/or log message. • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that will be returned to the client with the HTTP status code. See “Uploading a custom error page” on page 467 or Error Message.
Setting name Description Severity When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule: • Low • Medium • High The default value is High. Trigger Action Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See “Configuring triggers” on page 557. 4.
perhaps zero or one request each, until the server is exhausted and has no memory left to track the TCP states of new connections with legitimate clients. This feature is similar to DoS Protection > Application > Malicious IPs. However, this feature counts TCP connections per IP, while Malicious IPs counts TCP connections per session cookie. It is also similar to DoS Protection > Network > Syn Cookie.
Setting name Description Action Select which action the FortiWeb appliance will take when it detects a violation of the rule: • Alert — Accept the request and generate an alert email and/or log message. • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that will be returned to the client with the HTTP status code. See “Uploading a custom error page” on page 467 or Error Message.
5. Group the rule in a DoS protection policy (see “Grouping DoS protection rules” on page 355) that is used by a protection profile. Attack log messages contain DoS Attack: TCP Flood Prevention Violation when this feature detects a TCP connection flood. See also “Log rate limits” on page 544. Example: TCP flood prevention Assume you set 10 as the limit. A client opens 15 TCP connections. Each connection has a different source port.
To configure TCP SYN flood protection 1. Go to DoS Protection > Network > Syn Cookie. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions” on page 47. 2. Enable Syn Cookie. 3. In Half Open Threshold, enter the maximum number of TCP SYN packets, including retransmission, that may be sent per second to a destination address.
2. Go to DoS Protection > DoS Protection Policy > DoS Protection Policy. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see “Permissions” on page 47. 3. Click Create New. A dialog appears. 4. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. 5.
See also • Sequence of scans • Bot analysis Preventing automated requests Because malicious clients frequently alter their User-Agent: field in the HTTP header to mimic harmless clients such as browsers, it is not a reliable method of excluding automated tools. You can intelligently limit the rate of HTTP requests per TCP connection per session, based upon whether or not the client passes a test that indicates it is a web browser.
4. Configure these settings: Setting name Description Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. HTTP Request Limit/sec Type the maximum rate of requests per second allowed from a single HTTP client to the same URL on a protected web site. For best results, this should be at least as many requests as required to normally load the URL.
Setting name Description Action Select which action the FortiWeb appliance will take when it detects a violation of the rule: • Alert — Accept the request and generate an alert email and/or log message. • Alert & Deny — Block the request (or reset the connection) and generate an alert email and/or log message. You can customize the web page that will be returned to the client with the HTTP status code. See “Uploading a custom error page” on page 467 or Error Message.
Setting name Description Severity When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule: • Low • Medium • High The default value is High. Trigger Action Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See “Configuring triggers” on page 557. 5.
If any client sends a request for the same URL on your web site 3 times within the same second, upon the next request, FortiWeb will return a web page with the JavaScript browser validator. The validator will respond to FortiWeb with the test result. Clients that fail to demonstrate that they are a web browser will have their requests dropped for the next 2.78 hours (i.e. 10,000 seconds), and the attack will be logged with a High severity level.
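The following is an added example, not part of this guide and not FortiWeb’s own code. It models the per-URL request rate limit with Real Browser Enforcement and a block period, using the values from the example above (limit of 3 requests per second, block period of 10,000 seconds, High severity). The browser test is represented by an injected callback, and the clock is injectable so the block period can be checked without waiting; class and method names are assumptions chosen for the example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Tuple


class RequestLimiter:
    """Per-source-IP, per-URL request rate limit with a period block.

    limit_per_sec: requests per second to the same URL before the rule is violated.
    block_period:  seconds for which a violating client's later requests are dropped.
    browser_check: models Real Browser Enforcement; True means the client passed the
                   JavaScript test, False/None means it failed or timed out. None for
                   the callback itself means enforcement is disabled (Action applies at once).
    clock:         time source, injectable for testing (assumed design choice).
    """

    def __init__(self, limit_per_sec: int, block_period: int,
                 browser_check: Optional[Callable[[str], Optional[bool]]] = None,
                 clock: Callable[[], float] = time.time) -> None:
        self.limit = limit_per_sec
        self.block_period = block_period
        self.browser_check = browser_check
        self.clock = clock
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}
        self.attack_log: List[dict] = []   # what the attack log would record

    def check(self, client_ip: str, url: str) -> str:
        """Decide one request: returns 'allow' or 'deny'."""
        now = self.clock()
        if self._blocked_until.get(client_ip, 0.0) > now:
            return "deny"                          # still inside the block period
        window = self._hits[(client_ip, url)]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()                       # keep only the last second
        if len(window) <= self.limit:
            return "allow"
        # Rate exceeded: a client that proves it is a browser may exceed the limit.
        if self.browser_check is not None and self.browser_check(client_ip) is True:
            return "allow"
        # Otherwise apply the Action: block the source IP for the block period and log it.
        self._blocked_until[client_ip] = now + self.block_period
        self.attack_log.append({"ip": client_ip, "url": url, "severity": "High",
                                "message": "request rate limit exceeded", "time": now})
        return "deny"


if __name__ == "__main__":
    # Constructed demo with the guide's values: 3 requests/sec, 10,000 s block.
    limiter = RequestLimiter(3, 10000, browser_check=lambda ip: False)
    for i in range(4):
        print(i + 1, limiter.check("198.51.100.7", "/login"))   # allow x3, then deny
```

Requests are counted per (source IP, URL) pair, so three hits on one URL do not penalize a request for a different URL from the same client; the block, once triggered, applies to the whole source IP.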
6. Configure these settings: Setting name Description Host Select which protected hosts entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the exception. This option is available only if Host Status is enabled. Host Status Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to match the exception. Also configure Host. Request URL Type the literal URL, such as /causes-false-positives.
penalizes the source IP address by blocking additional requests for the time period that you indicate in the profile. This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines. To configure brute force login attack prevention 1. Before you configure a brute force login attack profile, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected hosts group.
4. Configure these settings: Setting name Description Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. Severity When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field.
7. Configure these settings: Setting name Description Host Status Enable to require that the Host: field of the HTTP request match a protected hosts entry in order to be included in the brute force login attack profile’s rate calculations. Also configure Host. Host Select which protected hosts entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the brute force login attack profile. This option is available only if Host Status is enabled.
Setting name Description Standalone IP Access Limit Type the rate threshold for source IP addresses that are single clients. Request rates exceeding the threshold will cause the FortiWeb appliance to block additional requests for the length of the time in the Block Period field. To disable the rate limit, type 0. Share IP Access Limit Type the rate threshold for source IP addresses that are shared by multiple clients behind a network address translation (NAT) device such as a firewall or router.
Rewriting & redirecting Rewriting or redirecting HTTP requests and responses is popular, and can be done for many reasons. Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying technology or web site structures to HTTP clients. For example, when visiting a blog web page, its URL might be: http://www.example.
To configure a rewriting/redirection rule 1. Go to Application Delivery > URL Rewriting Policy > URL Rewriting Rule. 2. Click Create New. A dialog appears. Its appearance varies by your settings in Action Type, and Request Action or Response Action. 3. In Name, type a name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters. 4.
5. If you selected Request Action in Action Type, in the Request Action drop-down list, select one of the following: • Rewrite HTTP Header — Rewrites part(s) of the header in the HTTP request before passing it to the web server. Setting name Description Host Enable then type either a host name, such as store.example.com, or IP address if you want to replace the value of the Host: field in the header of HTTP requests. Requests will be redirected to this web host.
Setting name Description Referer Enable then type a URI, such as http://www.example.com/index, if you want to rewrite the Referer: field in the HTTP header. This option is available only if Request Action is Rewrite HTTP Header. Using Physical Server Enable to insert the variable FORTIWEB_PSERVER in Referer. At the time of each specific HTTP request, FortiWeb will replace this variable with the IP address of the physical server to which it is forwarding the request.
8. Configure these settings: Setting name Description Object Select which part of the HTTP request will be tested for a match: • HTTP Host — The Host: field in the HTTP header. This option does not appear if Response Action in step 6 was Rewrite HTTP Body. • HTTP Request URL — The URL in the HTTP header. The URL can be up to 1,024 characters long, unless superseded by HTTP constraints such as Header Line Length. This option does not appear if Response Action in step 6 was Rewrite HTTP Body.
Setting name Description For example, for the URL rewriting rule to match all URLs that begin with /wordpress, you could enter ^/wordpress, then, in Meet this condition if, select Object matches the regular expression. The pattern is not required to begin with a slash ( / ). When you have finished typing the regular expression, click the >> (test) icon.
9. If you selected HTTP Referer from Object, also configure the following: Setting name Description If no Referer field in HTTP header Select either: • Do not meet this condition • Meet this condition Requests can lack a Referer: field for several reasons, such as if the user manually types the URL, and the request does not result from a hyperlink from another web site, or if the URL resulted from an HTTPS connection. (See the RFC 2616 section on the Referer: field.
and redirects them to the equivalent URL on its secure sites: https://www.example.com/login https://www.example.co.jp/ This rewriting rule has 3 parts: • Regular expression that matches HTTP requests with any host name — (.*) This regular expression should not match HTTPS requests, since it would decrease performance to redirect requests that are already in HTTPS. • Regular expression that matches requests with any URL in the HTTP header — ^/(.
This could be configured via either the CLI or web UI.
CLI commands to implement this are:
config waf url-rewrite url-rewrite-rule
  edit "http_to_https"
    set action redirect
    set location "https://$0/$1"
    set host-status disable
    set host-use-pserver disable
    set referer-status disable
    set referer-use-pserver disable
    set url-status disable
    config match-condition
      edit 1
        set reg-exp "(.*)"
        set protocol-filter enable
      next
      edit 2
        set object http-url
        set reg-exp "^/(.
When the external DNS name www.example.com appears in the client’s request’s HTTP Host: header, it should be rewritten to www-internal.example.com. In the server’s response traffic, when the internal DNS name www-internal.example.com appears in the Location: header, or in hyperlinks in the document body, it must be rewritten.
To do this, it creates a set of 3 rewriting rules, one for each of the parts that FortiWeb must rewrite.
[Figure: example request annotated with capture group 0 and capture group 1]
Table 35: Example request host name rewrite
Object: HTTP Host
Regular Expression in URL match condition: www.example.com
Host: www-internal.example.com

Table 36: Example response location rewrite
Object: HTTP Location
Regular Expression in URL match condition: (.*)www-internal.example.com(.*)
Location: $0www.example.com$1

Table 37: Example response hyperlink rewrite
Object: HTTP Body
Regular Expression in URL match condition: www-internal.example.com
Replacement: www.example.
See also • Grouping rewriting & redirection rules • Example: Rewriting URLs using regular expressions • Example: Rewriting URLs using variables • Rewriting & redirecting • Regular expression syntax • What are back-references? • Cookbook regular expressions Example: Sanitizing poisoned HTML Example.com is a cloud hosting service provider that has just bought several FortiWebs. Thousands of customers rely on it to maintain database-backed web servers.
Since attackers often try new attack forms to evade filters, the regular expression uses a few techniques for flexible matching: • case insensitivity — (?i) • alternative quotation marks — ["'`?“”„?‚’‘'?‹›«»] • word breaks of zero or more white spaces — (\s)* • word breaks using forward slashes instead of white space — [\s\/]* • zero or more new line breaks within the tag — (\n|.)*
Table 38: Example HTML body rewrite using regular expressions
Object: HTTP Body
Regular Expression in URL match condition: (?i)<(\s)*iframe[\s\/]*src=(\s)*["'`?“”„?‚ ’‘'?‹›«»]javascript:(\n|.)*
Replacement:
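The following is an added example, not part of this guide and not FortiWeb’s own code. It models in Python how the rewriting rules from the HTTP-to-HTTPS redirect example (host regular expression (.*), URL regular expression ^/(.*), location https://$0/$1), the Location: header rewrite of Table 36, and the poisoned-HTML body rewrite of Table 38 evaluate their match conditions and expand back-references. As in FortiWeb, back-references start at $0 for the first capture group and continue numbering across a rule’s match conditions. Two points are assumptions of the model rather than documented behaviour: a header rewrite replaces the whole header value with the expanded template, and a body rewrite replaces each matched fragment in place. The iframe pattern is narrower than the one in Table 38 (it stops at the tag’s closing > instead of using (\n|.)*) and its empty replacement is assumed, since the page does not show the original replacement.

```python
import re
from typing import Dict, List, Optional

# $N back-reference, numbered from 0 as in FortiWeb's location/replacement fields.
_BACKREF = re.compile(r"\$(\d+)")


def expand(template: str, groups: List[str]) -> str:
    """Substitute $N in template with the N-th captured group (counting from $0)."""
    def pick(m: "re.Match[str]") -> str:
        n = int(m.group(1))
        return groups[n] if n < len(groups) else ""
    return _BACKREF.sub(pick, template)


class Condition:
    """One match condition: a regular expression tested against one object."""
    def __init__(self, obj: str, regexp: str, http_only: bool = False) -> None:
        self.obj = obj                    # "host", "url", "location" or "body"
        self.regexp = re.compile(regexp)
        self.http_only = http_only        # like protocol-filter: match plain HTTP only


class Rule:
    """A rewriting/redirection rule; every condition must match (logical AND)."""
    def __init__(self, action: str, target: str, template: str,
                 conditions: List[Condition]) -> None:
        self.action = action              # "redirect" or "rewrite"
        self.target = target              # object the rewrite writes to
        self.template = template          # replacement, or redirect location
        self.conditions = conditions

    def apply(self, msg: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Return the rewritten message (or a redirect), or None if the rule does not match."""
        groups: List[str] = []
        for cond in self.conditions:
            if cond.http_only and msg.get("scheme") != "http":
                return None
            m = cond.regexp.search(msg.get(cond.obj, ""))
            if m is None:
                return None
            groups.extend(g or "" for g in m.groups())   # numbering continues across conditions
        if self.action == "redirect":
            return {"status": "302", "location": expand(self.template, groups)}
        out = dict(msg)
        if self.target == "body":
            # Assumed: each match in the body is replaced in place, with back-references
            # taken from that match; the last condition is the body condition.
            body_re = self.conditions[-1].regexp
            out["body"] = body_re.sub(
                lambda m: expand(self.template, [g or "" for g in m.groups()]),
                msg.get("body", ""))
        else:
            # Assumed: the whole header value becomes the expanded template.
            out[self.target] = expand(self.template, groups)
        return out


# Rule 1 (page example): redirect plain-HTTP requests to the same host and path over HTTPS.
http_to_https = Rule("redirect", "location", "https://$0/$1", [
    Condition("host", r"(.*)", http_only=True),
    Condition("url", r"^/(.*)"),
])

# Rule 2 (Table 36): rewrite the internal host name inside a response Location: header.
# Dots are escaped here; Table 36 writes them unescaped.
location_rewrite = Rule("rewrite", "location", "$0www.example.com$1", [
    Condition("location", r"(.*)www-internal\.example\.com(.*)"),
])

# Rule 3 (after Table 38): strip <iframe src="javascript:..."> tags from the body.
IFRAME_JS = (r"(?i)<\s*iframe[\s/]*src\s*=\s*"
             r"[\"'`\u201c\u201d\u2018\u2019]javascript:[^>]*>")
sanitize_iframe = Rule("rewrite", "body", "", [Condition("body", IFRAME_JS)])

if __name__ == "__main__":
    print(http_to_https.apply({"scheme": "http", "host": "www.example.com", "url": "/login"}))
    print(location_rewrite.apply({"location": "https://www-internal.example.com/app/"}))
    print(sanitize_iframe.apply({"body": '<p>x</p><IFRAME src="javascript:alert(1)"></iframe>'}))
```

The `http_only` flag on the host condition plays the role of protocol-filter in the CLI listing above: without it the rule would also match requests that already arrive over HTTPS and redirect them needlessly.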