Uploaded by amir ma

FortiWeb Study Guide-Online

advertisement
DO NOT REPRINT
© FORTINET
 Error! No text of specified style in document.
FortiWeb 5.6.0
Study Guide
for FortiWeb 5.6.0
DO NOT REPRINT
© FORTINET
FortiWeb Study Guide
for FortiWeb 5.6.0
Last Updated: 28 June 2017
We would like to acknowledge the following major contributors: Martijn Duijm, Idan Soen, Rafael
Lehmani, Shiqiang Xu
No part of this publication may be reproduced in any form or by any means or used to
make any derivative such as translation, transformation, or adaptation without
permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976.
Copyright © 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare®, and
FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet
names herein may also be registered and/or common law trademarks of Fortinet. All other product or
company names may be trademarks of their respective owners. Performance and other metrics
contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may
affect performance results. Nothing herein represents any binding commitment by Fortinet, and
Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a
binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly
warrants that the identified product will perform according to certain expressly-identified performance
metrics and, in such event, only the specific performance metrics expressly identified in such binding
written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to
performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full
any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet
reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and
the most current version of the publication shall be applicable.
DO NOT REPRINT
© FORTINET
Table of Contents
1 Introduction .........................................................................................................................4
2 Basic Setup .........................................................................................................................42
3 Integrating External SIEM ...................................................................................................101
4 Integrating Front-End SNAT and Load Balancing ..............................................................156
5 Denial of Service (DoS) and Defacement ...........................................................................184
6 Signatures, Sanitization, and Auto-Learning ......................................................................220
7 SSL / TLS ............................................................................................................................281
8 Authentication and Access Control .....................................................................................329
9 PCI DSS 3.0 Compliance....................................................................................................368
10 Caching and Compression.................................................................................................422
11 HTTP Routing, Rewriting, and Redirects ..........................................................................443
12 Troubleshooting ................................................................................................................473
DO NOT REPRINT
© FORTINET
 Introduction
In this lesson, you will learn the basics of FortiWeb. This includes how FortiWeb fits into your existing network
architecture.
While products such as FortiGate protect your client systems from threats, FortiWeb is specifically designed
to protect your Web Servers from threats
FortiWeb Study Guide
4
DO NOT REPRINT
© FORTINET
 Introduction
In this lesson, we will explore the following topics:
• FortiWeb Overview
• Attack types and Deployment options
• Management Interfaces
• Support Resources
• Let’s begin by looking at the key features.
FortiWeb Study Guide
5
DO NOT REPRINT
© FORTINET
 Introduction
After completing this section, you should be able to:
• Define a Web Application Firewall (WAF)
• Learn the value of FortiWeb
• Describe the FortiWeb product family
• By understanding FortiWeb’s function, you will be better able to apply the FortiWeb in your network in
order to protect your critical Web Server resources.
FortiWeb Study Guide
6
DO NOT REPRINT
© FORTINET
 Introduction
What is a web application firewall (WAF)? Why would you need a WAF? Don’t FortiGate and FortiClient scan
HTTP?
It’s true. Both FortiGate and FortiClient do scan HTTP, but who and what do they scan for? FortiGate’s HTTP
proxy and FortiClient are focused on protecting clients, not servers. For example, FortiGuard Web filtering
URL ratings block requests based on the category of the server’s web pages, and antivirus protection
prevents clients from accidentally downloading spyware and worms. Neither feature protects servers from
threats such as malicious scripts or ransomware.
Protecting servers requires a different approach than protecting clients because servers are subject to
different types of attacks. Protecting web servers that handle popular web sites, and enterprise web
applications like IBM Lotus Notes or Microsoft SharePoint, also requires high performance. Also, unlike web
browsers, there is a database behind most modern web servers which also requires protection.
FortiWeb Study Guide
7
DO NOT REPRINT
© FORTINET
 Introduction
Databases are jackpots for black hat hackers. Once your database has been compromised – stolen or
injected with code – it can be used for extortion, political manipulation, industrial espionage, seeding clients as
zombies for DDoS attacks on other servers, sending spam, fraudulent purchases, storing criminal files, and
more! The variations of threats seem endless.
So, if you need high-grade security for your web server, you also need it for the real target: the database
behind your server. Consider adding a FortiDB. FortiWeb can only scan web traffic. So, like FortiDB, FortiWeb
should be placed behind a firewall, such as FortiGate.
FortiWeb Study Guide
8
DO NOT REPRINT
© FORTINET
 Introduction
A layered security approach provides a better defense and better speed.
Security doesn’t need to be your bottleneck. With your FortiGate in front, you have the option of distributing
some scans – such as SSL offloading and lower-layer inspection – to whichever device has less system load.
Distributing scans optimizes performance. Just like FortiGate, FortiWeb has ASIC chips that can accelerate
encryption and decryption.
FortiWeb Study Guide
9
DO NOT REPRINT
© FORTINET
 Introduction
The FortiWeb product family comprises multiple models, designed to suit specific needs. The FortiWeb
models range from those suited to SMB applications all the way up to models suited to an enterprise data
center. The FortiWeb product family includes both dedicated hardware and VM appliances.
FortiWeb Study Guide
10
DO NOT REPRINT
© FORTINET
 Introduction
Great! You now understand FortiWeb’s key features.
Now, let’s explore Web Server attack types and ways in which we can deploy FortiWeb to protect against
these threats.
FortiWeb Study Guide
11
DO NOT REPRINT
© FORTINET
 Introduction
After completing this section, you should be able to:
• Understand when and where to add FortiWeb to your defense portfolio
• Choose the right operation mode
FortiWeb Study Guide
12
DO NOT REPRINT
© FORTINET
 Introduction
FortiWeb can be deployed in a one-arm topology, but is more commonly positioned inline, to intercept all
incoming clients’ connections and redistribute them to your servers. FortiWeb has TCP- and HTTP-specific
firewalling capabilities. Because FortiWeb is not designed to provide security to non-HTTP applications, it
should be deployed behind a firewall, such as FortiGate, that focuses on security for other protocols that may
be forwarded to your back-end servers, such as FTP and SSH. Once you have deployed the FortiWeb device,
you can configure it from a web browser and terminal on your management computer, using its web UI and
CLI.
FortiWeb Study Guide
13
DO NOT REPRINT
© FORTINET
 Introduction
The order in which FortiWeb appliances apply protection rules and perform protection profile scans varies
according to whether or not you have applied a web protection profile.
FortiWeb Study Guide
14
DO NOT REPRINT
© FORTINET
 Introduction
FortiWeb solutions vary by the type of attack that they are meant to combat. A few of the FortiWeb solution
and attack combinations are summarized in this slide. Many of the FortiWeb solutions combat the OWASP
top 10 attacks.
You may remember seeing frequent Adobe Flash updates made to combat security issues. Less well
publicized was Google’s temporary switch to using RC4 for its HTTPS services. This switch was made to
protect its servers from the BEAST attack in 2011. Since then, RC4 vulnerabilities have also been discovered.
CRIME attacks and BREACH attacks are based on related principles, and the same researchers that
published BEAST also published the compression-based Lucky 13 attack, so it’s important to remember that
simply using HTTPS is not guaranteed to be secure.
FortiWeb Study Guide
15
DO NOT REPRINT
© FORTINET
 Introduction
In the previous slide, we discussed how cookies can be used to store attacks that are initiated by a different
client. Once a cookie is on the client, even if it is originally harmless, a malicious client can tamper with it
easily. Many tools are readily available to perform this type of attack – there are even browser plugins, as we
show in our labs. The next time you send a request to the server, these poisoned cookies become a
dangerous input for an HTTP parser to accept. Cookie poisoning detection is the FortiWeb feature that is used
to combat this type of attack.
FortiWeb Study Guide
16
DO NOT REPRINT
© FORTINET
 Introduction
Credit card theft is a major security issue. It doesn’t always originate with an attack. Poorly coded web
applications may return credit card data as hidden inputs, not realizing that anyone can view the HTML source
code of a web page – or alter it. FortiWeb can protect you from accidental disclosure. We’ll cover compliance
issues in a separate lesson.
FortiWeb Study Guide
17
DO NOT REPRINT
© FORTINET
 Introduction
Uploading an executable isn’t even necessary for some attacks. If your web server doesn’t reject input that
contains commands to access the file system, its system software can be abused. This can be especially bad
if your web server is running as root or Administrator. Imagine an unknown person with superuser access to
your passwd or route –p add commands.
FortiWeb Study Guide
18
DO NOT REPRINT
© FORTINET
 Introduction
Heartbleed was an SSL/TLS attack that was responsible for a Canadian Revenue Agency web site shutdown,
tax deadline extensions, and a full network security audit for Social Insurance Number compromises in April
2014. FortiWeb SSL offloading is not vulnerable to this type of attack and, therefore, could have prevented it.
FortiWeb Study Guide
19
DO NOT REPRINT
© FORTINET
 Introduction
Some of the default installations of IIS and Apache are notorious for publishing their installation version
information in the default 404 pages and HTTP headers, making it easy for attackers to find unpatched
servers. FortiWeb can erase these server information disclosures quickly, giving your system administrators
time to correct these misconfigurations.
FortiWeb Study Guide
20
DO NOT REPRINT
© FORTINET
 Introduction
The attack types that we discussed in the previous slides were only some of the most common types of
attacks; there are many more that we did not cover. Attacks can use many strategies in HTTP, and attacks
won’t always show in normal web server logs. How can you tell when you’re being attacked? How can you
block an attack?
FortiWeb Study Guide
21
DO NOT REPRINT
© FORTINET
 Introduction
How does FortiWeb stop some of the common attack types that you have learned about in this lesson?
In most deployments, you want to guarantee that zero bytes of an attack can reach your web servers. This is
especially important in the case of denial of service (DoS) attacks, because DoS attacks can start at the IP
layer, before a TCP connection is even fully formed.
To have access to the most features, including non-security features such as redirects and rewrites, configure
FortiWeb to operate in reverse proxy mode. If you can’t modify your IP address scheme, true transparent
proxy operating mode is a good option. When FortiWeb is used in an inline topology, and is operating in either
of these modes, it always blocks or sanitizes HTTP requests and can, therefore, block an attack before it
reaches your web servers.
FortiWeb Study Guide
22
DO NOT REPRINT
© FORTINET
 Introduction
Let’s look at how attacks are blocked when FortiWeb is operating in reverse proxy mode. Since FortiWeb is
acting as a proxy for your servers, it is a termination point at the IP layer. It never forwards the traffic to your
protected servers if it detects an attack, so the back-end connection is never formed. Depending on the OSI
layer of the client’s attack, FortiWeb replies with either a TCP reset or an HTTP error code, whichever is
appropriate.
FortiWeb Study Guide
23
DO NOT REPRINT
© FORTINET
 Introduction
If high performance and zero latency is more critical than absolute security, when streaming media, for
example, you can choose a different operating mode, such as offline mode, or transparent inspection mode.
FortiWeb Study Guide
24
DO NOT REPRINT
© FORTINET
 Introduction
Let’s look at how FortiWeb interrupts attacks in offline mode. In offline mode, FortiWeb is located on an arm,
where it’s linked to a switch’s mirror port. So, FortiGate forwards a copy of the traffic to both the web servers
and FortiWeb. FortiWeb races to scan for attacks before the transmission and server-side processing is
complete. If FortiWeb detects an attack, it sends a TCP reset signal – the only thing it can do in this mode – to
try to force the server to discard the incomplete connection data.
When FortiWeb is operating in transparent inspection mode, it interrupts attacks in a similar manner. In
transparent inspection mode, FortiWeb is placed between servers and the client, instead of on an arm.
However, FortiWeb must still must race against the clock when it scans for attacks. It’s crucial that you
understand this: if the TCP reset packet loses the race, your incident response team must be ready
immediately. Just because FortiWeb attempts to interrupt an attack, that does not mean that it will always
succeed. You should keep tripwires and other forensic tools ready.
In contrast, when FortiWeb is operating in reverse proxy mode, blocking is reliable.
FortiWeb Study Guide
25
DO NOT REPRINT
© FORTINET
 Introduction
The blocking method and attack protection used varies by operation mode, but so does traffic forwarding and
SSL offloading or inspection. This table provides a summary, but if you need a specific feature, check the
documentation to make sure that the required feature is supported.
FortiWeb Study Guide
26
DO NOT REPRINT
© FORTINET
 Introduction
Because blocking is not guaranteed to succeed in offline mode, this mode is best used during the evaluation
and planning phase, early in implementation.
Reverse proxy is the most popular operating mode. It can rewrite URLs, offload TLS, load balance, and apply
NAT.
For very large MSSP, true transparent mode has a significant advantage. You can drop it in without changing
any schemes of limited IPv4 space – in transparent mode, you don’t need to give IP addresses to the network
interfaces on FortiWeb.
FortiWeb Study Guide
27
DO NOT REPRINT
© FORTINET
 Introduction
HTTP 1.1 is stateless; that is, it has no inherent support for persistent sessions. However, many web
applications add sessions to become stateful.
Why? What is a session? What is statefulness? What effect to statefulness and sessions have on web
security?
Sessions occur when a set of correlated requests for individual web pages or data (hits) form the impression
of an overall client visit for a particular time span. Some memory of these requests is retained between visits.
Sessions typically consist of a session ID and data indicating current state. Classic examples of a session
include logins, shopping carts, and lists of previously viewed items.
When sessions are not protected to prevent misuse, software can be used in unexpected ways by attackers.
However, sessions alone are not enough to ensure that a client’s requested operations make sense. The
client’s next page request in the session could break the web application’s logic, unless requests are
restricted to valid ones.
If valid state transitions are not enforced, and session IDs and cookies aren’t guarded from fraud (including
sidejacking attacks made famous by Firesheep) or cookie poisoning, web applications become vulnerable to
state transition-based attacks — attacks where pages are requested out of the expected order, by a different
client, or inputs used for the next page are not as expected.
FortiWeb Study Guide
28
DO NOT REPRINT
© FORTINET
 Introduction
Many variations of HTTP attacks exist, but these are the principles behind most of them:
• Order of page requests in a web app’s session must make sense, if a page has prerequisites – but HTTP
has no built-in session logic
• Protocol (and application) design must degrade gracefully and successfully contain themselves within finite
resources
Don’t assume that increasing your web server’s maximum number of allowed simultaneous connections, or
enabling threading, will solve the problem. Slowloris attacks, for example, actually have more severe effects
on servers where threading is enabled, because they must then also attempt to limit the number of threads.
Similarly, if your database server doesn’t allow enough connections, increasing them on your web server will
only change the type of error message.
FortiWeb Study Guide
29
DO NOT REPRINT
© FORTINET
 Introduction
FortiWeb can add its own sessions to enforce the logic of your web applications. This hardens the security of
your web applications, even without applying patches. For example, to reinforce authentication logic, you
might want to require that a client’s first HTTP request always be a login page. All other web pages should be
inaccessible until a client has authenticated, because out-of-order requests could be an attempt to bypass the
web application’s authentication mechanism.
How does FortiWeb know if a request is the client’s first HTTP request? If FortiWeb treats each request
independently, without knowledge of any previous requests, it is not be able to remember the authentication
request, and, therefore, cannot enforce page order. To fill this need for context, enable Session Management
on FortiWeb. When enabled Session Management is enabled, the following occurs:
•
•
•
At the first HTTP/ HTTPS request from a client, FortiWeb embeds a cookie in the response’s Set-Cookie
field in the HTTP header named cookiesession1. (FortiWeb does not use source IP addresses and
timestamps alone for sessions. NAT can cloak multiple clients; clocks can be altered.).
Later requests from the same client must include the embedded cookie in the Cookie field to be seen as
part of the same session. Once a request’s session is identified by the session ID in the cookie, FortiWeb
can perform any configured tracking or enforcement actions based on the requests remembered for that
session ID. Violating traffic may be dropped or blocked, depending on your configuration.
After some time, if the FortiWeb has not received any more requests, the session will time out. The next
request from that client, even if it contains the former session cookie, will restart the process at step 1.
FortiWeb Study Guide
30
DO NOT REPRINT
© FORTINET
 Introduction
Great! You now understand the threat landscape and how to best deploy FortiWeb to protect your Web
Servers.
Now, let’s take a look at the management interfaces FortiWeb has available to us.
FortiWeb Study Guide
31
DO NOT REPRINT
© FORTINET
 Introduction
In this section, you will:
• Describe the various management access methods
FortiWeb Study Guide
32
DO NOT REPRINT
© FORTINET
 Introduction
If you’re familiar with how to access FortiGate, you’ll also be familiar with how to access FortiWeb.
First, you’ll need to use either a console connection or a peer network connection to configure FortiWeb with
an IP address and gateway. After that, you’ll be able to attach it to your network, and access the GUI and CLI
through the network. The operation mode can be set using either the dashboard or the CLI.
Tip: If you’ll be using one of the transparent modes, don’t configure FortiWeb network settings right away.
Changing the operation mode from reverse proxy mode to a transparent mode, or the opposite, resets
FortiWeb’s network settings, and only port1 can be the management port. What does this mean? If you’re
connected through the network, you might lose GUI or CLI connectivity. So, during setup for transparent
mode, don’t place FortiWeb in your network immediately. Use a local console or peer network connection to
the GUI or CLI after you’ve switched the operation mode.
FortiWeb Study Guide
33
DO NOT REPRINT
© FORTINET
 Introduction
FortiWeb Manager centralizes the configuration of FortiWeb appliances. Its web UI replaces the local
interfaces on FortiWeb appliances in your network, allowing you to create, deploy, and update configurations
remotely. Instead of creating a local configuration on a remote FortiWeb, FortiWeb manager allows you to
create a configuration that you can install on one or more FortiWebs. To make changes to a configuration, edit
the FortiWeb Manager package (or create a new one), and deploy the updated package to the remote
appliance. The configuration you install using FortiWeb Manager replaces any default or existing configuration
on the remote appliance. However, you can revert to the previous configuration using the installation logs.
In FortiWeb Manager, FortiWeb configuration is organized in two parts:
•
•
Provisioning templates – System objects including DNS, SNMP, and security settings. In most cases,
you set these settings during an initial deployment, and do not update them often.
Policy packages – Contain one or more policies you create using configuration objects such as virtual
servers, server pools, and web protection policies. You create these configuration objects separately, and
add them to the policies found in package,s as needed.
To update configurations you installed using policy packages, edit the configuration objects and policies as
needed, and then install the updated package.
FortiWeb Study Guide
34
DO NOT REPRINT
© FORTINET
 Introduction
You perform tasks that configure remote FortiWeb devices using the following two tabs: Device Manager and
Policy & Objects.
The Device Manager tab allows you to perform the following provisioning tasks:
• Create a list of FortiWeb appliances available for configuration. To help you organize your devices,
you can add a device to a group when you add it.
• Change an individual configuration setting on an appliance
• Create and assign reusable system templates that contain values for the settings that are most
commonly used when you provision an appliance, including DNS, SNMP, and security settings
• Upload firmware and data analytics definitions files and use the uploaded files to upgrade the
FortiWeb appliances in a group
The Policy & Objects tab allows you to perform the following policy creation and installation tasks:
• Create configuration objects such as virtual servers, server pools, and web protection profiles
• Create or update policy packages. You create the package policies using the pre-built configuration
objects
• Install the policy packages on one or more FortiWeb appliances
The FortiWeb Manager web UI also has a System Settings tab that allows you to monitor FortiWeb Manager
and to perform tasks, such as user management and high availability configuration.
FortiWeb Study Guide
35
DO NOT REPRINT
© FORTINET
 Introduction
Fantastic! You now know the various Management Interface options available for managing your FortiWeb
devices.
Now let’s take a look at the available support resources.
FortiWeb Study Guide
36
DO NOT REPRINT
© FORTINET
 Introduction
In this section you will learn how to:
• Find and Use Support Resources
FortiWeb Study Guide
37
DO NOT REPRINT
© FORTINET
 Introduction
When you log in, many options appear. FortiWeb is full-featured and continues to evolve to meet the
challenges presented by the HTTP threat landscape. This slide shows the main source of information that can
help you with your implementation.
FortiWeb Study Guide
38
DO NOT REPRINT
© FORTINET
 Introduction
Like in other Fortinet products, clicking the help button in FortiWeb will jump to the right page in the
documentation. It gives how-to examples, feature overviews, and detailed references of specific options.
FortiWeb Study Guide
39
DO NOT REPRINT
© FORTINET
 Introduction
Congratulations! You have now completed this lesson.
FortiWeb Study Guide
40
DO NOT REPRINT
© FORTINET
 Introduction
Now that we have completed this lesson, you should be able to:
• Define what a Web Application Firewall is
• Describe the value of FortiWeb
• Describe the FortiWeb product family
• Understand when and where you can add FortiWeb to your defense portfolio
• Choose the right FortiWeb operation mode
• Understand the various management access methods
• Find and use support resources
FortiWeb Study Guide
41
DO NOT REPRINT
© FORTINET
 Basic Setup
In this lesson, you’ll learn how to physically deploy your FortiWeb and complete basic settings so that you
can begin to integrate it into your network.
FortiWeb Study Guide
42
DO NOT REPRINT
© FORTINET
 Basic Setup
In this lesson, we will explore the following topics:
• Topology
• Nesting of Configuration Components
• Initial Configuration
• Routing FTP/SSH to the Back-End
• Proxy Pickup and Connection Termination
• Load Balancing and Pass Through
• Virtual Hosts
By the end of this lesson you will be able to perform a basic deployment of FortiWeb in a variety of network
topologies.
FortiWeb Study Guide
43
DO NOT REPRINT
© FORTINET
 Basic Setup
First, we’ll take a look at physical and logical topology. In this section we will:
• Define and discuss possible topologies and implementation scenarios
FortiWeb Study Guide
44
DO NOT REPRINT
© FORTINET
 Basic Setup
If you’re using FortiWeb VM in a cloud, much of the physical topology may either be hidden from you, or out of
your control. Instead, your main concern is the virtualized hardware. In the cloud, there is an important
difference between a logical topology and a typical hardware model deployment: your FortiWeb’s interface to
the Internet may be DHCP, not a static IP.
FortiWeb Study Guide
45
DO NOT REPRINT
© FORTINET
 Basic Setup
Regardless of whether you deploy real or virtual hardware, you need to know if source NAT (SNAT) is being
used. If you have a FortiGate, operating in transparent mode, and placed in front of your network, you can
skip this.
But if you are using NAT/route mode, or a load balancer such as FortiADC or Citrix NetScaler, you should
check its configuration. By default, FortiWeb blocks many attacks based upon a client’s source IP address.
So, if FortiGate hides the real source address from FortiWeb, FortiWeb may not behave as you intend.
Here, an upstream load balancer is applying source NAT, but FortiWeb hasn’t been configured to handle this.
As a result of the misconfiguration, whenever an attack occurs, FortiWeb blocks sessions from the FortiADC,
breaking all connectivity.
FortiWeb Study Guide
46
DO NOT REPRINT
© FORTINET
 Basic Setup
There are two solutions you can use if you have upstream source NAT. The following is one solution:
Configure the upstream NAT device to put the original client’s IP address in an HTTP header such as XForwarded-For. The name format can vary – some CDNs, like Akamai use X-True-IP or X-Real-IP. If you’re
not sure what name format to use, run a packet capture or use browser developer tools to observe the HTTP
transactions.
Configure FortiWeb to find the IP in the HTTP header, not the IP header.
This solution works in many cases, including when FortiGate is used. But, not all NAT devices support the use
of this solution. Also, FortiWeb 5.3.4 ignores private IP addresses in X-headers, so this solution won’t work if
you’re an enterprise with users on your private network. What other solutions can you use?
FortiWeb Study Guide
47
DO NOT REPRINT
© FORTINET
 Basic Setup
The easier of the two solutions is to place FortiWeb in front of the load balancer. Some other positive side
effects of this topology are that the load balancer only receives legitimate traffic, so it’s protected, and the load
balancer resources are used efficiently.
Remember, though, that load balancers sometimes use the source IP address for session persistence or
client-based load balancing. If this is the case, configure FortiWeb to transmit the original client’s IP address in
X-Forwarded-For in the HTTP header, and configure your load balancer to use that address instead of the
source address in the IP header.
FortiWeb Study Guide
48
DO NOT REPRINT
© FORTINET
 Basic Setup
This diagram shows a network topology that you might see in an enterprise-sized business. It’s slightly
simplified, but probably it would involve an authentication server, full mesh topology, a management LAN on
FortiWeb’s port1, and, possibly, HA for redundancy. Because the FortiGate in this topology is operating in
NAT/route mode, and applying source NAT, the administrator has enabled load balancing and configured two
virtual servers. The FortiGate applies X-headers: one for road warriors connecting from the Internet, and
another for employees on the headquarters office LAN.
Can you find the misconfiguration?
That’s right: it’s the FortiGate virtual server for the office LAN. Since the FortiGate would be using private
network IP addresses, many LANs could have clients using those same private IP addresses; that is, the
addresses are not globally unique. So, a FortiWeb running 5.3.4 wouldn’t use the X-header for those private
IP addresses.
FortiWeb Study Guide
49
DO NOT REPRINT
© FORTINET
 Basic Setup
Great! Now you have an understanding of the various network topologies possible with FortiWeb.
In the next section we will discuss the nesting of configuration components, which is the logic of configuring a
FortiWeb
FortiWeb Study Guide
50
DO NOT REPRINT
© FORTINET
 Basic Setup
Once you’ve decided on a physical and logical topology, you’ll log in and begin to configure FortiWeb. Where
should you start? Understanding which configuration objects are used by other configuration object will help
you determine where to start. After this lesson you will:
• Understand configuration objects and basic configuration logic
FortiWeb Study Guide
51
DO NOT REPRINT
© FORTINET
 Basic Setup
You’ll usually start by configuring a leaf node object –use a fine-grained setting, not the server policy. Server
policies group objects together and apply settings to matching traffic. But, to use server policies, you must
configure the objects first.
In reverse proxy mode, start by configuring fine-grained objects, such as:
• A virtual server
• A certificate for HTTPS
• Persistence settings that will be used by the server pool
• Custom signatures
• TCP flood rate limits
• Authentication rules
• Rewrite rules
• Input rules
Then, select these objects in DoS policies, server pools, and other intermediate objects, before binding them
all together in a server policy.
FortiWeb Study Guide
52
DO NOT REPRINT
© FORTINET
 Basic Setup
In transparent inspection mode or true transparent proxy mode, most is similar. The most significant exception
is the virtual server. Virtual servers don’t exist in these operation modes, because they don’t forward traffic at
the IP layer. Instead, virtual servers use an OSI Layer 2 bridge, together with the IP-layer port number. This is
called a V-zone.
Also, due to differences in how the two modes work, some features that are supported in reverse proxy mode
aren’t supported in transparent mode. For example, when operating in transparent mode, FortiWeb forwards
traffic while inspection is being completed. Therefore, it can’t rewrite URLs in packets that have already
egressed; it can only interrupt connections once it detects that an attack is in progress.
FortiWeb Study Guide
53
DO NOT REPRINT
© FORTINET
 Basic Setup
In offline protection mode, most features are not supported. You would use offline protection mode primarily in
the preparation phase, with auto-learning to discover applicable signatures and input constraints. When
operating in offline protection mode, FortiWeb doesn’t pick up traffic on the proxy or bridge – it accepts all
traffic on a data capture port, one of the network interfaces, and listens for attacks.
FortiWeb Study Guide
54
DO NOT REPRINT
© FORTINET
 Basic Setup
Good Job! You should now have an understanding of the logic behind the FortiWeb configuration process.
Next, we will look at creating an Initial configuration
FortiWeb Study Guide
55
DO NOT REPRINT
© FORTINET
 Basic Setup
Now that learned the basics about how objects link together, you can start to configure FortiWeb. In this
section you will learn to:
• Describe and perform initial configuration tasks and procedures
• Configure Administrative Groups, profiles and accounts
• Configure Operating mode
• Configure Network Interfaces and Routing
• Describe and Configure High Availability
• Discuss FortiGuard Services
FortiWeb Study Guide
56
DO NOT REPRINT
© FORTINET
 Basic Setup
This slide shows simple setup steps. In reverse proxy, once you have completed these steps, traffic will flow
through FortiWeb, you will be ready to begin applying security.
FortiWeb Study Guide
57
DO NOT REPRINT
© FORTINET
 Basic Setup
If administrators or users are centrally authenticated through an active directory or a RADIUS server, you
must define the queries first. If administrators or users are connecting through LDAPs or STARTTLs, make
sure to upload your LDAP server’s CA certificate to the list of trusted CAs; otherwise, FortiWeb won’t be able
to authenticate the server connection and queries will fail!
FortiWeb Study Guide
58
DO NOT REPRINT
© FORTINET
 Basic Setup
Group queries so that you can use them when creating new accounts.
FortiWeb Study Guide
59
DO NOT REPRINT
© FORTINET
 Basic Setup
Define administrators’ scopes and permissions. This best practice, combined with access profiles and ADOMs
to define separate roles and scopes; strong passwords; and defining your trusted management hosts, helps to
keep your FortiWeb secure.
Administrator accounts are not all the same, even if you have assigned the same access profile permissions.
What’s the difference? The admin account is similar to root. Only admin can reset forgotten passwords, for
example. If you forget the password to the admin account, you’ll have to use the recovery procedure with the
maintainer account, which is only available if you have local console access – and even that can be disabled.
FortiWeb Study Guide
60
DO NOT REPRINT
© FORTINET
 Basic Setup
Don’t allow multiple users to log in as admin. Make sure that administrator accounts are separate. Also,
specify the access profile and, if applicable, the query to your authentication server.
For security reasons, your routers shouldn’t allow login attempts from the Internet to FortiWeb. Scripts from
attackers are constantly scanning IPs on the Internet for open ports, especially for brute forcing. So, it’s a
good idea to provide insurance, in case your router is misconfigured. To do this, define all allowed IPv4
management IPs for every administrator account. FortiWeb’s GUI and CLI will only respond to trusted IPs. If
only one host or subnet is allowed, just paste it into all three fields.
If you leave any IPv4 Trusted Host field set to 0.0.0.0/0.0.0.0, FortiWeb will allow login attempts from any
address – useful for anyone that wants to brute force your network security!
IPv6 is different. FortiWeb will only respond if you define a trusted host or subnet, so you can leave them
empty.
FortiWeb Study Guide
61
DO NOT REPRINT
© FORTINET
 Basic Setup
When should you prohibit simultaneous administrator logins?
FortiWeb doesn’t lock the configuration when you view an object’s settings. So, if multiple administrators edit
that same object, the changes made last would overwrite any configuration changes made before. If you don’t
want to use access profiles to prevent this, you can configure FortiWeb to allow only one administrative
session at a time. Alternatively, you can enable ADOMs so that each administrator’s policies and other
settings can’t be seen or affected by others. You’ll learn more about ADOMs when we cover external logging.
FortiWeb Study Guide
62
DO NOT REPRINT
© FORTINET
 Basic Setup
Be sure to set your time zone. To ensure that time setting remains accurate, allow your FortiWeb to connect
to an NTP server so that it can keep its clock in sync.
FortiWeb Study Guide
63
DO NOT REPRINT
© FORTINET
 Basic Setup
Reverse proxy operating mode, the most popular mode, is the default. If you are going to use an operating
mode other than the default – such as starting in offline mode for auto-learning – you would switch from the
default mode at this point.
FortiWeb Study Guide
64
DO NOT REPRINT
© FORTINET
 Basic Setup
If you switch to transparent mode, FortiWeb’s network settings are reset. So it’s best to make this switch from
the CLI or before you configure your network settings and HA.
FortiWeb Study Guide
65
DO NOT REPRINT
© FORTINET
 Basic Setup
If you switch to transparent mode through the CLI, don’t forget to set the gateway IP. FortiWeb will keep the
port1 management IP, but,since the routes are lost, you must specify the gateway when you switch operating
modes.
FortiWeb Study Guide
66
DO NOT REPRINT
© FORTINET
 Basic Setup
If are going to use FortiWeb HA, you would configure it at this point. To configure HA, you must have two
identical FortiWeb models with the same firmware. Only active-passive HA is supported; active-active is
usually implemented externally, using a FortiADC load balancer, for example.
Since the standby FortiWeb has no management IP, you need to configure any device-specific settings first,
before you enable HA. This includes configuring the host name and HA priority. Then, you enable HA. That
way, as you continue to configure settings, the standby FortiWeb will automatically sync with the active
FortiWeb. If you need to copy the configuration to multiple FortiWebs, but don’t want failover, use
configuration synchronization instead of HA.
FortiWeb Study Guide
67
DO NOT REPRINT
© FORTINET
 Basic Setup
HA on FortiWeb behaves similarly to how it does on other Fortinet devices. If the heartbeat fails or a
monitored port does not respond, then the standby FortiWeb uses ARP to advertise to the network that the
FortiWeb virtual MAC and, by extension, its IP addresses can now be reached through the standby’s links.
This causes switches to start forwarding frames through the standby’s connected ports, as if the failed
FortiWeb had been unplugged and moved to different ports on the switch. The failover is almost
instantaneous.
FortiWeb Study Guide
68
DO NOT REPRINT
© FORTINET
 Basic Setup
This slide covers a few VM-specific tips to consider if you’re using FortiWeb VM. The most important thing to
consider is that the HA heartbeat and failover ARP are latency-sensitive. So, if your FortiWeb VMs share
hardware with other guest OSs, make sure that FortiWeb VM has priority.
FortiWeb Study Guide
69
DO NOT REPRINT
© FORTINET
 Basic Setup
Link two ports that HA will use to communicate – directly, if possible – then configure HA before configuring
the network interfaces. The network settings will sync, as well as other, subsequent settings. FortiGuard
antivirus packages now sync between the peers, so you no longer have initial risk after the failover period.
Some data, such as logs and reports stored on the local hard drive, don’t sync. See the documentation for
details.
FortiWeb Study Guide
70
DO NOT REPRINT
© FORTINET
 Basic Setup
If you don’t have two FortiWebs for HA, and you’re using transparent mode, you can still prevent hardware
failure from interrupting traffic. To do this, connect through port pairs and configure fail-open to bypass. Note
that your web sites will be totally unprotected until you replace the failed FortiWeb!
FortiWeb Study Guide
71
DO NOT REPRINT
© FORTINET
 Basic Setup
Fail-open is available only FortiWeb models that have a specific type of ASIC chip between each port pair.
When you set fail-open options, FortiWeb programs the chip to behave as either a bypass or circuit interrupt,
when FortiWeb loses power or reboots.
•
•
PowerOff-Bypass — Behave as a wire when the FortiWeb appliance is powered off. This allows
connections to pass directly from one port to the other, bypassing all policy scans and modifications.
PowerOff-Cutoff — Interrupt connectivity when the FortiWeb appliance is powered off. The bypass is
disabled. This is the default setting.
Alternatively, you can use FortiBridge.
FortiWeb Study Guide
72
DO NOT REPRINT
© FORTINET
 Basic Setup
The next step is to configure network interfaces, and set which administrative protocols are enabled on
interface. If you’re deploying in a cloud, such as Amazon Web Services, use DHCP instead of the usual: a
static IP address.
FortiWeb Study Guide
73
DO NOT REPRINT
© FORTINET
 Basic Setup
You should specify at least one route to the default gateway. This route is where FortiWeb sends traffic if an
IP isn’t directly connected. Usually, this is the upstream FortiGate or (if FortiGate is in transparent mode) the
Internet router. If you have a large internal network, and your protected web servers are not on the same
subnet, you must add a route for those destinations as well.
FortiWeb Study Guide
74
DO NOT REPRINT
© FORTINET
 Basic Setup
If your network interfaces use DHCP, especially if you have dual gateways, then static routes are not enough.
You may need to route traffic based upon the ingress port, the source, or both. To do this, you can now
configure policy-based routes.
FortiWeb Study Guide
75
DO NOT REPRINT
© FORTINET
 Basic Setup
Once FortiWeb connects to the Internet, if it has a FortiGuard subscription package, it downloads updates.
For FortiWeb, FortiGuard provides several updatable components – many more than just antivirus or intrusion
signatures. FortiGuard security also provides updates on known web app administrative URLs, information
leakage patterns, data types for input enforcement, IPs of current known attackers, and more.
FortiWeb Study Guide
76
DO NOT REPRINT
© FORTINET
 Basic Setup
The best practice is to enable FortiWeb to periodically check for FortiGuard update packages and
automatically install them. The antivirus databases are very similar to FortiGate and FortiMail, except that
there is no extreme database.
Notice the antivirus buffer size. This is one of FortiWeb’s many buffers. Is it big enough for most uploads? Is it
small enough that antivirus scans won’t use too much RAM? By default, FortiWeb passes uploads that are too
large to fit in the buffer. Virus uploads are usually small, so this is not a significant risk. But, if security is more
important than performance or accepting all uploads, then you should configure an HTTP constraint. This will
block POST requests where the body – that is, the uploaded file – is too large to fit the buffer. This is part of
security hardening.
FortiWeb Study Guide
77
DO NOT REPRINT
© FORTINET
 Basic Setup
Excellent! You now know how to perform an Initial configuration of a FortiWeb.
In the next section we will look at how FortiWeb can address FTP and SSH.
FortiWeb Study Guide
78
DO NOT REPRINT
© FORTINET
 Basic Setup
Next, you’ll establish connectivity through FortiWeb. As mentioned previously, FortiWeb only scans HTTP.
However, FortiWeb can act as a router or bridge for other protocols. When functioning as a router, FortiWeb
forwards packets that are destined for your web servers’ IPs. If you do use FortiWeb as a router, use caution.
An upstream firewall such as FortiGate should scan FTP or SSH connections to your web servers.
In this section we will learn how to:
• Route FTP and other non-HTTP protocols through FortiWeb
FortiWeb Study Guide
79
DO NOT REPRINT
© FORTINET
 Basic Setup
This slide shows the basics of how FTP (by default, on port 21) arrives at a virtual IP (VIP) on FortiGate.
Fortigate applies NAT then routes packets to FortiWeb. However, because it’s not HTTP, there is no proxy
pickup. Instead, FortiWeb simply routes the packet to its destination IP address. Unlike HTTP, with FTP or
SSH, the destination address must be the back-end servers – not FortiWeb’s virtual server.
FortiWeb Study Guide
80
DO NOT REPRINT
© FORTINET
 Basic Setup
If you’re using transparent mode, no configuration is required. FortiWeb will allow other protocols to pass
through. However, if you’re using FortiWeb in reverse proxy mode, then you must enable IP-based forwarding
(routing) if you want it to transmit FTP or SSH. It’s very common for web servers to have secondary services
such as FTP or SSH. This allows web developers to update their applications and upload new files. Keep in
mind, however, that as a WAF, FortiWeb specializes in HTTP. FortiGate has session helpers for SIP with the
voice portion of Lync, for example, but FortiWeb doesn’t, so this may not work for all protocols. In that case,
you may need to adjust your topology so that FortiWeb is not a router hop for those protocols.
FortiWeb Study Guide
81
DO NOT REPRINT
© FORTINET
 Basic Setup
Good job! You now know how to allow FortiWeb to deal with FTP and SSH
Next, let’s look at FortiWeb in conjunction with Proxies.
FortiWeb Study Guide
82
DO NOT REPRINT
© FORTINET
 Basic Setup
We’ve just shown that FortiWeb only proxies HTTP. It doesn’t pick up other protocols, and in reverse proxy
mode, which forwards as a Layer 3 router, it will only forward non-HTTP packets if you enable IP-based
forwarding.
What is required for HTTP traffic flow? In this section we will:
• Describe and Discuss forwarding HTTP through FortiWeb
FortiWeb Study Guide
83
DO NOT REPRINT
© FORTINET
 Basic Setup
In transparent mode, FortiWeb forwards as a Layer 2 device. So, by default, web traffic passes through. If
want web traffic to be inspected, you must define where FortiWeb should pick up traffic: which bridge and
TCP port number. This is a key difference from operating in reverse proxy mode.
In reverse proxy mode, FortiWeb forwards as a Layer 3 device. So, by default, traffic that is not destined for a
management IP or virtual server IP is dropped – effectively, it is blocked. Web traffic won’t flow until you
define a virtual server IP and listening port number, as well as the destination servers – a NATted IP or
destination in the back-end IP session. Non-web traffic isn’t picked up by a virtual server, nor is it destined for
FortiWeb itself, so traffic won’t flow unless IP-based forwarding (that is, routing) is enabled.
FortiWeb Study Guide
84
DO NOT REPRINT
© FORTINET
 Basic Setup
This table shows some basics of how traffic flow, proxy pickup, blocking styles, and SSL termination all vary
by operating mode.
FortiWeb Study Guide
85
DO NOT REPRINT
© FORTINET
 Basic Setup
To define transparent proxy or virtual server pickup, usually you can use the predefined port numbers – port
80 for HTTP and port 443 for HTTPS. But, if your web servers allow API connections or requests to staging
web sites, for example, you may need to define web services on other port numbers, such as port 8080.
FortiWeb Study Guide
86
DO NOT REPRINT
© FORTINET
 Basic Setup
Great! You now know how FortiWeb can be configured to deal with Proxies.
Now let’s take a look at dealing with Load Balancers in the network.
FortiWeb Study Guide
87
DO NOT REPRINT
© FORTINET
 Basic Setup
After FortiWeb has picked up traffic, how do you define where it should send the traffic? In this section we will:
• Describe and Discuss Server Polls
• Describe and Discuss Load Balancing
• Describe and Discuss Session Persistence
FortiWeb Study Guide
88
DO NOT REPRINT
© FORTINET
 Basic Setup
You define your destination back-end web servers by specifying their IP addresses in server pools.
Depending on FortiWeb’s operation mode, it will either:
• Forward the frames, if it’s operating as a Layer 2, transparent device, or
• Rewrite the destination IP and distribute it according to your load balancing algorithm, if it’s operating in
reverse proxy mode
How do you define if subsequent requests are sent to the same server? How do you define how the load of
the first request in an IP or HTTP session should be distributed? Can you avoid servers that are down for
maintenance?
You must define some objects first.
FortiWeb Study Guide
89
DO NOT REPRINT
© FORTINET
 Basic Setup
Load balancing on FortiWeb is similar to load balancing on FortiGate, but with the addition of web-specific
methods. This is useful since HTTP has its own sessions at that layer, and because sometimes different web
servers are dedicated to hosting specific web apps.
You can specify that the load is distributed by HTTP session cookie instead of TCP/IP connection.
You can also choose, instead of balancing load, to use FortiWeb as a Layer 7 switch. This sends requests to
specific servers based on the hostname, or URL, or both. For example, FortiWeb can send Microsoft
SharePoint requests to a different server than Outlook Web App requests.
FortiWeb Study Guide
90
DO NOT REPRINT
© FORTINET
 Basic Setup
After you make the initial load balancing decision, by default, each subsequent request could be sent to a
different web server, according to the algorithm. If you don’t want this to happen – for example, if your users
log in and only that server can associate the next request with that login – then you must configure session
persistence.
FortiWeb Study Guide
91
DO NOT REPRINT
© FORTINET
 Basic Setup
You can define session persistence in several ways, using either the IP or HTTP layer. This is similar to
FortiGate. If you want to use a session cookie-based method, the most efficient way is to use one of your
app’s own session cookies. If you session doesn’t have a cookie, FortiWeb can inject its own load balancing
session cookie, and use it to track the sessions.
FortiWeb Study Guide
92
DO NOT REPRINT
© FORTINET
 Basic Setup
If you aren’t sure whether your app has its own session cookies, it’s easy to find out. Look in your browser’s
cache, or download one of the many add-ons supported in Google Chrome or Mozilla Firefox.
In this example, you can configure FortiWeb to use the value in the cookie PHPSESSID to uniquely identify
sessions, and always route them to the same server.
FortiWeb Study Guide
93
DO NOT REPRINT
© FORTINET
 Basic Setup
Excellent! You now know how to implement FortiWeb in the network when Load Balancers are in use.
In the final section we will look at Virtual Hosts.
FortiWeb Study Guide
94
DO NOT REPRINT
© FORTINET
 Basic Setup
You can also restrict proxy pickup by the domain name in the Host header in the HTTP layer.
Some web servers have web sites for several domains. In Apache, for example, you might configure a few
virtual hosts for low-volume web sites on the same hardware, and the same IP address, if you are a hosting
provider. For a larger-scale solution, you can use host name definitions on FortiWeb to route HTTP traffic.
Like other objects, configure host names before you configure the server policy.
In this section you will:
• Describe and Discuss Protected Hostnames
• Configure Server Policies
FortiWeb Study Guide
95
DO NOT REPRINT
© FORTINET
 Basic Setup
Protected host names can be domain names, but they can also be IP addresses. You should add all host
names that clients use, or that DNS could resolve to.
Protected host names can be used in the server policy to filter which traffic matches. They can also be used to
restrict matching in component objects such as URL rewrites, and for HTTP content routing.
FortiWeb Study Guide
96
DO NOT REPRINT
© FORTINET
 Basic Setup
Here’s an example of how you can use a protected host names definition to deny all requests that are not for
either www.example.co.uk or 10.0.1.253”
When applied in a server policy, a reverse proxy FortiWeb would, for example, block a request to
http://example.co.uk since it is not an exact match. If you want to accept that variant and forward it to your
web servers, then you would add that host name to the list and set its Action setting to Accept. The request
could still be blocked by a later scan – antivirus, for example – but it would not be due to its host name.
FortiWeb Study Guide
97
DO NOT REPRINT
© FORTINET
 Basic Setup
When all objects are ready, create a server policy. In that policy, select your objects.
You must select a protection profile in order to save the policy. If you’re using reverse proxy mode, initially, to
test traffic flow, you can select Alert Only profile or enable Monitor Mode. This will match traffic, and log any
attacks that the protection profile detects, but it will not block anything yet.
Then, after you’ve tested connectivity, you can clone and modify the protection profile to begin blocking
attacks. Be sure to disable Monitor Mode when you’re ready to begin blocking.
If you’re using transparent mode, remember that just because traffic is allowed does not mean it was picked
up by the proxy. Transparent mode allows non-matching traffic by default. To be sure that traffic was matched
by a policy, enable and check your traffic logs.
FortiWeb Study Guide
98
DO NOT REPRINT
© FORTINET
 Basic Setup
Congratulations! You have successfully completed this lesson.
FortiWeb Study Guide
99
DO NOT REPRINT
© FORTINET
 Basic Setup
In this lesson, we covered how to integrate FortiWeb in networks where an upstream device applies source
NAT. On FortiGate, this can be done with a virtual server, which is a special type of virtual IP. We also talked
about how FortiGate can use a virtual IP to forward FTP, RDP, or SSH to FortiWeb, and FortiWeb can route it
to the web servers. Last, we showed how to configure FortiWeb for basic traffic flow and load balancing.
Specifically, we discussed:
•
•
•
•
Physical cabling
Source NAT effects
Configuring FortiGate to forward traffic
Initial Setup, including:
• Administrator accounts
• Operation mode
• Network settings and time
• HA
• Bypass and fail-open
• Virtual server, services, v-zones
• Load distribution and session persistence using Client IP or session cookie
• Routing non-HTTP protocols
• Protected hostnames
FortiWeb Study Guide
100
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
In this lesson, you’ll learn about special deployment considerations, such as the following:
• When you should log to an external server or device
• How to support multi-tenant deployments
FortiWeb Study Guide
101
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
In this lesson we will explore the following topics:
• Administrative Domains
• Integrating external logging and reporting
• Setup on FortiAnalyzer
• Setup on FortiWeb
• Testing log connectivity
• Centralized alerts
• Custom reports
FortiWeb Study Guide
102
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
In this section we will:
• Describe and Discuss Administrative Domains
• Compare and Contrast ADOMs and VDOMs
FortiWeb Study Guide
103
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
First, let’s talk about administrative domains (ADOMs). ADOMs can be useful to divide up workloads among
administrators. Everything from certificates to policies can be separated by ADOMs; therefore, they can be
used for multi-tenant deployments. However, ADOMs do not have virtualized networking, and so although
they may look and act mostly like FortiGate VDOMs, they are not true virtual domains.
ADOMs on FortiWeb subdivide the configuration. You can allocate separate access by web applications,
customers, or other logical divisions.
When you’re logging to an external device, such as a FortiAnalyzer, ADOMs can subdivide access to logs and
filter the data used in reports. If you enable ADOMs on FortiWeb, be sure to enable the Advanced ADOM
mode on FortiAnalyzer too, so that your FortiWeb ADOMs appear in the FortiAnalyzer device list.
FortiWeb Study Guide
104
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Enabling ADOMs is simple. You can do it from the dashboard in the System Information widget.
FortiWeb Study Guide
105
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
When you enable ADOMs, some settings apply to the entire FortiWeb – regardless of ADOM – such as the
admin account and firmware updates. But, most settings are specific to each ADOM, so you must create at
least one ADOM that will contain policies, certificates, and so on.
FortiWeb Study Guide
106
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
In most cases, you’ll start by creating one administrator account for each ADOM. The administrator will be
chiefly responsible for that ADOM, including that ADOM’s configuration backups. In larger organizations, you
may need to make more ADOM administrators. Multiple administrators can be assigned to each ADOM. You
can subdivide their permissions using access profiles in order to follow best practices for the segregation of
duties. You can’t, assign an administrator to more than one ADOM.
FortiWeb Study Guide
107
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
If you want to grant access to all ADOMs and global settings, select prof_admin as the access profile when
configuring the administrator account. Like the account named admin, an account that is assigned the
prof_admin profile will be able to configure all ADOMs and global settings.
Best practice dictates that you should avoid unnecessary security holes, so, if possible, try not to assign
prof_admin access. Instead, restrict each the access of administrator to their relevant domain. That way, they
can’t accidentally or maliciously impact other ADOMs, and any damage they cause or mistakes they make will
be limited in scope.
FortiWeb Study Guide
108
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Excellent! You now know the understand the purpose and characteristics of Administrative Domains.
In the next section we will discuss integrating external logging and reporting.
FortiWeb Study Guide
109
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
If you enable ADOMs, the way that you query logs in order to build custom reports on FortiAnalyzer or other
SIEMs changes. Let’s take a look.
In this section we will:
• Describe and Discuss the benefits of and reasons for external logging
FortiWeb Study Guide
110
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Logging externally is a FortiWeb best practice. Why? FortiWeb can store logs locally on its hard disk, or in
RAM, but logging externally the following benefits:
• Flexibility for reporting
• Better performance
• Better scalability
• Visibility for multi-device attack correlation
FortiWeb Study Guide
111
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Great! You now know why we would want to integrate external logging and reporting.
In the next section we will look at configuring the FortiAnalyzer as an external SIEM.
FortiWeb Study Guide
112
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Now you will learn how to configure logging and custom reports with FortiAnalyzer; however, you could apply
many of the concepts you will learn in this lesson to any third-party event logging and reporting system.
FortiWeb Study Guide
113
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
These are the basic steps to you need to perform to configure both devices to interoperate.
•
•
•
•
•
On FortiAnalyzer, enable administrative domains. To support FortiWeb ADOMs, also enable the
Advanced ADOM option.
Create a new ADOM specifically for FortiWeb 5.2 or later devices. This will initialize a new database
according to the schema that is required to store FortiWeb logs, which are different than FortiGate logs.
FortiWeb logs, for example, can include HTTP session IDs.
Add FortiWeb to FortiAnalyzer’s device list so that it is allowed to store logs, and has an assigned disk
quota.
Optionally, configure centralized alert email and custom report queries.
On FortiWeb, enter your FortiAnalyzer’s device IP, add it to a notification settings object, and configure
which events and severities should be sent to FortiAnalyzer.
FortiWeb Study Guide
114
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Let’s see the setup in action. This slide shows how to enable ADOMs on FortiAnalyzer.
FortiWeb Study Guide
115
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Next, you create a new ADOM. On FortiAnalyzer, ADOMs do more than just separate administrators for each
user’s data. Choosing an ADOM also specifies the schema of a new database, and indicates which schema
its tables will use. Log schemas vary by Fortinet device.
FortiWeb Study Guide
116
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Next, you add your FortiWeb IP, Serial Number, Device Name, and Device Model to the new database. The
device list control occurs by serial number and IP.
FortiWeb Study Guide
117
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Log schemas also vary by device version. Just like its other features, FortiWeb logs have evolved over time,
so older firmware doesn’t produce the same logs. This determines whether incoming log fields each have a
column in the tables. Logs must fit the tables correctly in order for reports to function. For example, if you
choose the wrong schema, or indicate the wrong firmware version, and there is no column to store HTTP
session IDs and attack subtypes, FortiAnalyzer will not be able to store that part of FortiWeb traffic and attack
logs. Report datasets that require it will fail. I the example shown in this slide, you need to select the schema
for FortiWeb 5.6 log formats.
FortiWeb Study Guide
118
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
When you register FortiWeb, FortiAnalyzer does not use the admin account credentials, and it does not create
an OFTP registration connection back to FortiWeb. FortiGate does, but most other Fortinet devices don’t. This
simplifies connectivity – your firewall policies only need to allow one-way UDP syslog traffic from FortiWeb to
FortiAnalyzer.
If your FortiAnalyzer is located on a remote network, remember to make an IPsec VPN tunnel from the frontend FortiGate to the remote network’s FortiGate. Syslog is a clear-text protocol, and FortiWeb logs contain
sensitive network security information.
FortiWeb Study Guide
119
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Now FortiAnalyzer should initialize the database for this specific FortiWeb, preparing it to store log data.
When done, a success message should appear. Click Finish.
FortiWeb Study Guide
120
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
As a quick review, here’s what matters when configuring FortiWeb and FortiAnalyzer to work together.
•
•
•
•
The FortiAnalyzer firmware must be compatible with FortiWeb. An old FortiAnalyzer won’t support the logs
of new FortiWeb firmware if the log format has changed.
Remember to enable ADOMs, and create one specifically for FortiWeb.
Add FortiWeb to the allowed device list.
Test connectivity. If there are firewalls in between, policies must allow UDP syslog traffic from FortiWeb to
FortiAnalyzer.
FortiWeb Study Guide
121
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Good Job! In this section you performed a basic configuration of FortiAnalyzer to work with ForitWeb.
Next we will look at configuring the FortiWeb itself
FortiWeb Study Guide
122
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Next, you will learn how to configure logging – especially remote logging – on FortiWeb.
FortiWeb Study Guide
123
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
First, define the IP address of a FortiAnalyzer. This is where FortiWeb will send logs, if you’ve selected that
destination, and they match the type, severity, and other criteria.
FortiWeb Study Guide
124
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Next, select your FortiAnalyzer definition in a trigger policy. If you also want to receive an alert email for
severe logs, such as hardware failure or DDoS attack, you can define multiple notification settings. Select
your FortiAnalyzer in each one, then also define an email server and select it in the trigger policy that you use
with severe events. Alternatively, you could configure your alert email in a central location, on FortiAnalyzer.
FortiWeb Study Guide
125
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Now enable event and traffic log output to your FortiAnalyzer. Specify what severity of logs should be sent.
Remember: logging information-level events and greater can significantly increase bandwidth usage,
decrease performance, and require much more disk space on your FortiAnalyzer. After configuring, verify that
your FortiAnalyzer model is powerful enough to handle the log volume without dropping logs. Syslog is a UDP
connectionless protocol that is lightweight but does not verify successful message transmission and storage.
Also verify that you’ve allocated enough disk space.
For example, if you need to store three months worth of logs, see how much disk space is consumed after a
normal week, then multiply it to 12 weeks. For a robust solution, also simulate logging volumes that could
happen if your network is under attack. This is when your logs are most crucial.
FortiWeb Study Guide
126
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Choose which log types to record: attack logs, event logs, and, possibly, traffic logs. Remember that packet
payloads can only be stored on FortiWeb’s local hard disk. Like traffic logs, they can be disk intensive. If
possible, it’s best to enable that option only during troubleshooting.
FortiWeb Study Guide
127
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
For event logs that record critical system resource usage, you have even more granular control. You can
specify which levels will trigger a log message, and indicate a more specific trigger policy.
FortiWeb Study Guide
128
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
For the attack log, configuration is even more flexible. For each specific rule or attack signature, indicate
whether to log violations, and which notification servers (if any) to use. This is where you should select the
trigger policy that uses your FortiAnalyzer object.
FortiWeb Study Guide
129
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Excellent! You have now configured logging on FortiWeb.
In the next section we will confirm the connectivity between FortiWeb and FortiAnalyzer.
FortiWeb Study Guide
130
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Now you're ready to test logging.
FortiWeb Study Guide
131
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
This slide lists the easiest ways to test connectivity for each log type that FortiWeb can generate.
Ideally, you want to load test logging to make sure that the network is not dropping logs at crucial times such
as during traffic spikes or distributed denial of service attacks. If this is the case, analyze the available
bandwidth, but also the processing capacity of your FortiAnalyzer, FortiWeb, and all routers and switches
between. For even stronger robustness in DDoS attacks, you can also insert a FortiDDoS in front of your
FortiWeb. Its specialized hardware is built to handle massive numbers of transactions, and analyze traffic
anomalies with speed.
FortiWeb Study Guide
132
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
When you log in to FortiAnalyzer again, you should notice a green icon in the Logs column when viewing the
device list. The green icon indicates that FortiAnalyzer recently received a log message from FortiWeb, so
connectivity was successful.
FortiWeb Study Guide
133
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
If you configured event handling, you can use it to view logs. But, you can also use the Log View menu. To
drill down and view the details of a log, double-click the row that log is in.
FortiWeb Study Guide
134
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Great! We have now confirmed that FortiWeb is sending log data to the FortiAnalyzer.
In the next section we will look at using that data to generate centralized alerts
FortiWeb Study Guide
135
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
If you have many network devices, it’s often more convenient to configure alerts from one central location,
rather than on each device individually. You can do this on FortiAnalyzer.
In this section you will learn to configure centralized alerts.
FortiWeb Study Guide
136
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
FortiAnalyzer offers more granular ways than FortiWeb to define what will trigger an alert email.
FortiWeb Study Guide
137
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
To configure event handlers, go to the Event Management tab and select your FortiWeb ADOM. Just like log
storage, event options vary by the log schema.
FortiWeb Study Guide
138
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
You don’t have to receive one email for every incident. In continuous scripted attacks, or DDOS attacks, this
could result in a deluge of email. To avoid that, specify the alert interval.
FortiWeb Study Guide
139
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Unlike on FortiWeb, selecting the event’s Severity on FortiAnalyzer does not filter the logs. On FortiAnalyzer,
use the Generic Text Filter field to specify a SQL filter.
FortiWeb Study Guide
140
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Indicating how severe the messages are on FortiAnalyzer simply allows you to color-code their entries in the
Event Management tab.
FortiWeb Study Guide
141
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
If you double-click an alert event, you can view the log message’s fields, such as which host and URL was
attacked.
FortiWeb Study Guide
142
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
If you simply want to view all chronological logs of the attack or event log type, instead of filtering them and
using them to generate alert email, go to the “LogView” tool instead.
FortiWeb Study Guide
143
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Good job! You now know how to have FortiAnalyzer generate centralized alerts for your FortiWeb
In the final section we will learn to generate customized reports.
FortiWeb Study Guide
144
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Once FortiAnalyzer is receiving and storing your FortiWeb logs, you can start to generate reports. Custom
reports are a challenge for many FortiAnalyzer beginners, and FortiWeb’s queries are different from
FortiGate’s. In this lesson, you’ll learn the basics of how to make a report specifically for FortiWeb, and how to
customize the SQL query to show precisely what you want.
FortiWeb Study Guide
145
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
We’ve already explained a little of how FortiWeb sends log messages, and how FortiAnalyzer stores log
messages in its database: it splits each log message, and stores each log field in a corresponding table
column.
After storing logs, you’ll eventually want to search them, or make a report.
To do this, you run SQL queries using FortiAnalyzer. These queries select specific columns – mostly these
match the name of log fields, but not always – and sometimes recasts them as a different datatype, if
required. Each query returns a dataset: the logs matching the query criteria, in the format and order specified.
In the case of a search, FortiAnalyzer shows the dataset in the GUI. But for reports, it compiles and sorts
data, cross-references it if applicable, and then renders graphs and tables in a document.
FortiWeb Study Guide
146
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Now, let’s look at an example of how to configure a custom report on FortiAnalyzer. We’ll begin by creating a
new report, or cloning one of the defaults.
FortiWeb Study Guide
147
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
In the Configuration tab for the report, you can filter by time period, FortiWeb serial number, and FortiWeb
ADOM. These correspond to the timestamp, device ID, and ADOM fields in logs sent by FortiWeb.
If you’ve just begun to send logs to FortiAnalyzer, you may need to restrict the report’s time period to Today
since there haven’t been seven days’ worth of logs yet.
FortiWeb Study Guide
148
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
On the report’s Settings tab, you can filter by all of the other log fields. Since we specified the FortiWeb 5.6 log
schema when we created the device list entry, the filter list includes many FortiWeb-specific log fields, such
as the HTTP status code that the web server replied with, or the URL that was requested.
To filter correctly, the value must match the entire string in that log field exactly. If you’re not sure what the
value would be, search for a sample log, and then copy and paste its value.
Here, we’ve included only log messages for server replies that were not 200 – that is, we’re including only
error messages in the report.
FortiWeb Study Guide
149
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Once you’ve defined the dataset, you need to define how the report will display it. You can do that on the
Layout tab.
FortiWeb Study Guide
150
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
If you click the options for a chart that you’re including in the report, you can specify:
• Which dataset should be used to make the chart
• Which row or column should be bound to each X-axis or Y-axis
You can even add additional dataset filters. Report contents can be filtered at multiple levels, so if you don’t
see what you expect, check all filters.
If you’ve made a custom dataset – that is, a custom report query – this is where you select it. Custom queries
should be tested after each FortiAnalyzer or FortiWeb upgrade. Due to their individual nature, upgrade scripts
cannot be guaranteed to upgrade the custom queries correctly. To customize a dataset, you can start by
cloning and modifying its SQL query. Be sure to test the query so that reports will contain the data that you
expect, and omit data that should not be included. To write a completely new dataset, it’s helpful to download
the FortiAnalyzer database schema. If you don’t know SQL, many references are available. For example,
depending on the device and version, you may need to query for destination IP addresses by the column
name dstip instead of its log field name, dst. You may also need to cast it as an IP address type, instead of a
simple string. Schema and SQL references will help you to do both.
FortiWeb Study Guide
151
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Finally, run the report. You can either do this manually, by clicking the Run Report Now button, or scheduling
when FortiAnalyzer will automatically compile the dataset and generate the report.
FortiWeb Study Guide
152
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
When the report is complete, whether it was triggered manually or automatically (that is, by schedule), it
appears here.
If you chose email as an output, it should also arrive at your inbox. If it doesn’t, first make sure that your spam
filters haven’t caught it – adding FortiAnalyzer’s sender email address to your address book often helps. If
that’s not the problem, verify that your firewall isn’t blocking SMTP from FortiAnalyzer, and verify that your
FortiAnalyzer’s settings for authentication and encryption match those of your email server. Attachment size is
rarely an issue, but could be something to check too. Email servers can reject send attempts for many
reasons.
FortiWeb Study Guide
153
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
Congratulations! You have successfully complete this lesson.
FortiWeb Study Guide
154
DO NOT REPRINT
© FORTINET
 Integrating External SIEM
In this lesson, you learned:
•
•
•
•
•
ADOMs – Segregation of Duties or Customers
Why External Logging?
Configuring FortiAnalyzer to receive logs from FortiWeb
• Database schema specific to logs for FortiWeb
Configuring FortiWeb to send logs to FortiAnalyzer
Configuring event handlers & reports on FortiAnalyzer
• Custom SQL queries
FortiWeb Study Guide
155
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
In this lesson, we’ll talk about special deployment considerations:
• Where should you put FortiWeb between your firewall and your servers?
• Should you use built-in load balancing, or an external load balancer?
FortiWeb Study Guide
156
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
In this lesson we will discuss:
• External load balancers
• Setup on FortiWeb
• Setup on the front-end FortiGate
• Setup on FortiADC
FortiWeb Study Guide
157
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
FortiWeb has a built-in load balancer. Why and when should you use an external load balancer? There are
two primary reasons:
• Complexity – If you require very complex HTTP content routing rules, it might be worth a specialized
application delivery controller (ADC).
• Protocol support – FortiWeb specializes in HTTP. It can’t load balance other protocols. So for example,
FortiWeb can’t load balance SIP for Microsoft Lync.
If FortiGate is in NAT mode, you can set up a virtual server – a special type of VIP – to forward HTTP traffic to
FortiWeb. This can apply source NAT (SNAT) and load balancing. SNAT has unwanted side-effects with
FortiWeb, since by default, most of its features block based upon the IP layer’s source address. So you must
configure both FortiGate and FortiWeb correctly to avoid this. Notice that this is specific to NAT. If your frontend FortiGate routes but doesn’t apply NAT, or if it’s in transparent mode, then this doesn’t apply.
If you have FortiADC in front of FortiWeb, the same factor applies. It can be deployed either in front, or, more
commonly, behind FortiWeb. We’ll show those 2 different deployments in a minute.
FortiWeb Study Guide
158
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Before, or after? Location matters. If you have a transparent external load balancer that is positioned in front
of FortiWeb, you probably won’t need to do any specialized configuration. But if that load balancer applies
source NAT, you must configure both the load balancer and FortiWeb to read and apply an HTTP-layer Xheader (usually X-Real-IP: or X-Forwarded-For:) so that FortiWeb blocks clients based upon the request’s
original source IP, not the current source IP (which is the load balancer).
FortiWeb X-headers now support IPv6, so this no longer a factor in where you can deploy FortiWeb.
If your load balancer is positioned behind FortiWeb, the configuration of X-headers is simpler, but still
important. If the configuration is not correct, your load balancer could send all sessions to one server
because, at the IP layer, it looks like your load balancer has only one client: your reverse proxy FortiWeb. So,
source IP-based session persistence to the same back-end server won’t distribute load correctly. The load
balancer should forward based upon an HTTP-layer session cookie, or by deriving the original client’s IP from
the X-header.
FortiWeb Study Guide
159
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Great! You now know the reasons for using an external load balancer and how they impact FortiWeb
deployment.
In the next section we will look at how to configure the FortiWeb to work with a load balancer.
FortiWeb Study Guide
160
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
In this section you will:
• Configure FortiWeb to function behind an SNAT device
FortiWeb Study Guide
161
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Once you have configured your upstream or downstream NAT device to read or send X-headers, configure
your FortiWeb to use them. The red outlines on the slide highlight the settings that you need to configure, if
your load balancer is positioned upstream. If it’s positioned downstream, the settings you configure are
different. Enable Add X-Forwarded-For: or Add X-Real-IP: instead. Since HTTP headers aren’t
authenticated and are easy to spoof, be sure to define which IP addresses – for example, your upstream
FortiGate – are the trusted providers of this header.
FortiWeb Study Guide
162
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Once you’ve configured how FortiWeb will use the XFF header, to apply it, select it in a protection profile that
is used by a server policy.
FortiWeb Study Guide
163
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
If the client is on the Internet and has a public IP address, the attack logs show the original client’s IP, not your
FortiGate. This helps when you need to determine the IP address of a repeat attacker so that you can blacklist
their source IP.
In FortiWeb 5.3.4, if the client is on your private network and has an RFC 1918 address, many clients on other
private networks could have the same IP address. So the X-header will be ignored. In that case, the IP-layer
source address will still be in the attack log.
FortiWeb Study Guide
164
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Since the IP layer’s source address hasn’t really been changed, and because the traffic log is often used to
troubleshoot IP-layer connectivity, this log still shows your front-end load balancer’s IP.
FortiWeb Study Guide
165
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Good job! You now know how to configure FortiWeb to operate behind a load balancer.
In the next section we will look at the configuration needs of the FortiGate within this scenario for the
FortiGate to serve as the SNAT device.
FortiWeb Study Guide
166
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
In this section you will learn how to:
• Configure FortiGate as a SNAT device
FortiWeb Study Guide
167
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
You configured FortiWeb to block the original client’s IP, not FortiGate’s interface IP. To use FortiGate’s
interface IP, you must configure FortiGate’s HTTP proxy to add an X-Forwarded-For: header with the original
client’s IP; not remove or ignore the header. This is also a good time to configure the policies that FortiWeb
needs for both inbound and outbound traffic.
FortiWeb Study Guide
168
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Where should you start?
IP addresses are referenced by each policy on FortiGate. So define those first. Add all potential source and
destination addresses:
• FortiAnalyzer as a destination will allow FortiWeb to log to it
• FortiGate’s virtual server as a destination will accept HTTP, apply NAT, and possibly add an X-ForwardedFor: header. If your FortiGate is in transparent mode, the destination for HTTP traffic could be your
FortiWeb. If both devices are in transparent mode, then the destination IP could be your load balancer or
back-end web servers.
• If you need to forward other protocols, such as RDP or SSH to your web servers, a FortiGate VIP may also
be an IP packet’s destination address
• FortiWeb itself can be a source of traffic outbound to the Internet for FortiGuard updates, DNS, email,
SNMP, or syslog.
Note that FortiWeb’s virtual server replies, but never initiates an IP session – just like the back-end web
servers. So it’s only used in policy destinations, not sources.
FortiWeb Study Guide
169
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
By default, load balancing, including virtual servers, are hidden in FortiGate’s GUI. To show them, turn on that
feature.
FortiWeb Study Guide
170
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
When FortiGate is running in NAT mode, it usually applies destination NAT. At the IP layer, this changes the
packet’s destination address to FortiWeb’s real, private network address. If FortiGate applies source NAT too,
then it also rewrites packets’ source address. It might be to a pool, or to the egress interface’s physical IP. If it
does that, then from FortiWeb’s perspective, FortiGate is the client, not the browser. What’s the result? When
FortiWeb detects an attack, depending on the scan, it could block your FortiGate!
So, if your FortiGate applies source NAT, you’ll usually want to make sure that it also passes the packet’s
original SRC IP to FortiWeb. Otherwise, the following will happen:
• Many FortiWeb features such as IP reputation, which uses public IPs, won’t work
• You will need to configure IP pools for the virtual server on FortiGate to prevent IP session or TCP
connection reuse (also called multiplexing) for unrelated HTTP requests. Otherwise, when the web app is
attacked, innocent requests in the same IP session or TCP connection may be dropped or reset. If you
block with period blocks, the effect is multiplied, and could effectively cause your web app to be down. So
configure and test this carefully!
FortiWeb Study Guide
171
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Normally, FortiGate is used for SSL inspection. It decrypts a copy of a packet in order to scan it, but doesn’t
actually terminate the SSL session. Instead, it passes along the encrypted packet, if it doesn’t violate the
security policies. However, when using load balancing, FortiGate can terminate the SSL session, and pass
clear text HTTP to FortiWeb. This is called SSL offloading.
Should you use FortiWeb or FortiGate for SSL offloading? It depends on which device has less system load
and processing power. You could do it on either, or – if compliance requires the data to remain encrypted in
transit all the way to the web server – you aren’t required to do SSL offloading at all.
If both FortiWeb and FortiGate will inspect secure traffic to the servers, upload the server’s private key and
certificate to both devices.
FortiWeb Study Guide
172
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
After configuring the virtual server on FortiGate, configure the mapping for FortiGate’s load balancer: the
packets’ next destination IP, called the real server.
For a reverse proxy FortiWeb, instead of a back-end web server, the real server is the IP address of a virtual
server on FortiWeb. For transparent modes or offline mode, the real server is the IP address of a back-end
load balancer or actual web server.
FortiWeb Study Guide
173
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
If you’re doing SSL inspection – but not SSL offloading –FortiWeb’s virtual server should be listening for
HTTPS on port 443, not clear text HTTP on port 80.
FortiWeb Study Guide
174
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
If clients will use other protocols to access the web servers, remember to make VIPs to forward that traffic too.
FortiWeb Study Guide
175
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Depending on your topology, you may be able to forward other protocols such as SFTP directly to back-end
servers. This avoids complications for protocols that need session helpers, and also improves round-trip time,
since FortiWeb isn’t a routing hop for non-HTTP protocols.
FortiWeb Study Guide
176
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Finally, assemble the firewall addresses in the policy. Select HTTP or HTTPS as the service, and the DMZ
port and FortiGate’s virtual server as the destination.
If you enable source NAT, use the egress interface’s IP as the back-end IP session’s source IP, not a
dynamic pool. This will ensure that FortiGate uses the IP address expected by the FortiWeb’s X-header rule’s
list of trusted IPs. For non-HTTP protocols, also make policies for the VIPs of those services.
FortiWeb Study Guide
177
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Don’t forget outgoing policies so that FortiWeb can connect to the Internet, and to remote logging or
authentication servers.
FortiWeb Study Guide
178
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Excellent! You have now configured your front-end FortiGate.
In the next session we will look at configuring a FortiADC load balancer for this scenario.
FortiWeb Study Guide
179
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Load balancers are usually located on the back end, but if you’re using one to provide external active-active
HA among multiple FortiWeb devices, you could have one on the front end. Let’s compare that with FortiGate.
FortiWeb Study Guide
180
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Here’s a load balancing profile that you might see on FortiADC VM or D series models. This is where you
configure the X-header for HTTP or HTTPS connections, if your FortiADC is in situated front of your FortiWeb.
As a device that specializes in application-layer routing, you can see that FortiADC provides many more
features than FortiGate’s load balancer, in addition to dedicated system resources for high performance.
FortiWeb Study Guide
181
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
Congratulations! You have successfully completed this lesson.
FortiWeb Study Guide
182
DO NOT REPRINT
© FORTINET
 Integrating Front-End SNAT and Load Balancers
In this lesson, you learned about why you might add an external load balancer. When it’s in front of FortiWeb,
and if it’s applying source NAT, we also showed how to configure it to transmit the original client’s IP to
FortiWeb. We showed how FortiGate can use that HTTP header to block attacks correctly, instead of blocking
all sessions from the FortiGate, and how the source address in attack logs change when X-Forwarded-For:
headers are used.
Conversely, we also showed how FortiWeb can transmit that IP to a back-end load balancer or web site.
Content management systems with anti-spam plugins, for example, log the client’s IP address, so sometimes
even web servers need to know the browser’s IP.
FortiWeb Study Guide
183
DO NOT REPRINT
© FORTINET
 DoS and Defacement
In this lesson, we’ll talk about why and how to mitigate denial of service (DoS) attempts, and how to prevent
(and rapidly, automatically reverse) vandalism.
FortiWeb Study Guide
184
DO NOT REPRINT
© FORTINET
 DoS and Defacement
In this lesson we will explore the following topics:
• Threat Overview
• Network or Transport layer analysis
• Application layer analysis
• Blended analysis – L3/L4 + L7
• Breaches
FortiWeb Study Guide
185
DO NOT REPRINT
© FORTINET
 DoS and Defacement
DoS attacks have made news headlines for years, but many network engineers see them as a nuisance, not a
real threat.
This is a mistake.
The high cost is clear in studies by Amazon, Google, and the University of Waterloo
(https://cs.uwaterloo.ca/~bernard/edgecloud). Any latency greater than about 80ms is noticeable by users.
According to Greg Linden, Amazon found every 100ms of latency cost them 1% in sales. According to VP
Marissa Mayer, Google found an extra .5 seconds in search page generation time dropped traffic by 20%.
Meanwhile, Goldman Sachs is making record profits off a 500 millisecond trading advantage. A broker could
lose $4 million in revenues per millisecond if their electronic trading platform is 5 milliseconds behind the
competition. When a DoS attack occurs, latency or unresponsiveness increases until the service is totally
unusable. Some denial of service attacks, such as the one that Sony faced in 2011, last for weeks and are
coupled with breaches and data theft. That estimated cost was $250 million. And it doesn’t count identity theft
or credit card fraud.
Sony’s DDoS itself was massive, but it was ultimately a diversion tactic – it distracted from worse
compromises. Worse, by 2014, Sony hadn’t learned.
FortiWeb Study Guide
186
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Clearly DoS attacks are not harmless, or cheap. Everyone from businesses to governments are targets.
How can you stop them?
DoS is a broad category of attacks. Protocols from NTP monlist, to HTTP, and SSL have been used. It’s any
attack that makes a service unresponsive without a rootkit or other breach. Once a server’s bandwidth, CPU,
memory, or service-specific sockets or memory buffers are consumed, then it can’t respond to legitimate
users. To stop a DoS attack, you must prevent those resources from being consumed. Since this lesson is
about FortiWeb, we’ll talk about how to mitigate DoS attacks on the main protocols that affect the web: IP,
DNS, TCP, HTTP, and SSL or TLS.
FortiWeb Study Guide
187
DO NOT REPRINT
© FORTINET
 DoS and Defacement
FortiWeb is not designed to defend DNS servers. But it is critical that you don’t forget DNS when hardening
your defenses.
Without DNS, the Web doesn’t work.
Consider the case of Lenovo. After Lenovo’s Superfish vulnerability was disclosed, the hacker group Lizard
Squad used a DNS hijack to redirect lenovo.com to their own web server. The files on Lenovo’s web servers
weren’t actually modified at all. Only the DNS servers were compromised.
There are secure, load-tested DNS solutions. Since web apps are often hosted in redundant data centers
though – some in San Francisco, others in New York, Sao Paulo, Shanghai, Oslo, Frankfurt, or Dubai – it’s
also worth it to consider a DNS solution such as FortiDirector. It can send clients to the closest data center
that is still available.
That way, if an individual data center is under a 300 Gbps attack, for example, legitimate clients could still use
other sites that aren’t affected. In a severe DDoS, the latency caused by a server being in another country still
might be better than a server under heavy attack.
FortiWeb Study Guide
188
DO NOT REPRINT
© FORTINET
 DoS and Defacement
To fight DoS attacks, first you need to know if it is really a DoS attack, or just a traffic spike. What’s your
network’s normal behavior – including during periods such as holiday shopping seasons? Do you normally
have traffic from Brazil or Antarctica?
Some types of DoS attempts are easy to determine with certainty. TCP SYN flood and TCP floods per a
single HTTP session cookie are almost never caused by normal clients.
But in other cases, a traffic anomaly is relative to your normal traffic patterns. How many images, scripts, and
videos are loaded per web page? How many people usually visit your site on Sunday, compared to Monday?
If you know your normal ranges, it is easier to recognize a traffic spike, and to avoid misconfiguring your DoS
sensors on FortiWeb.
FortiWeb Study Guide
189
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Good! You now have a better understanding of the various threats.
In the next section we will look at mitigating threats at the Network and Transport layers.
FortiWeb Study Guide
190
DO NOT REPRINT
© FORTINET
 DoS and Defacement
For DoS attacks that use web stack protocols, FortiWeb has multiple solutions. Each mitigates attacks that
function at different layers, in different ways.
Let’s take a look.
FortiWeb Study Guide
191
DO NOT REPRINT
© FORTINET
 DoS and Defacement
At the IP network layer, FortiWeb can protect you in multiple ways.
When you apply a Period Block action to a signature, that client’s source IP is ignored until the penalty times
out. But that’s not the only way that FortiWeb uses the client’s source IP.
One of the best methods of protection is FortiGuard IP reputation. It requires no maintenance. It’s efficient – it
blocks quickly, at a low layer, before FortiWeb has wasted CPU time on more intensive HTTP scans.
FortiWeb Study Guide
192
DO NOT REPRINT
© FORTINET
 DoS and Defacement
An IP can have a bad reputation for different reasons. Which ones matter?
Zombie PCs can send both attacks and innocent traffic – sometimes, the person is using their computer
without knowing that they are infected. Other types of attacks indicate source IP addresses that always should
be blocked.
Unless you’re protecting webmail servers, you may not need to block IPs that are known spammers, for
example. But you may want to apply a period block action to known botnet participants, since they are often
associated with DoS attacks. Period block can improve performance. Like all caching strategies, it uses a little
bit of RAM to save CPU and bandwidth resources that are scarce during a DoS attack. FortiWeb will not
remove the client’s IP from its temporary blacklist cache until the period expires, and it won’t waste CPU or
bandwidth replying with a 403 error at the HTTP layer.
FortiWeb Study Guide
193
DO NOT REPRINT
© FORTINET
 DoS and Defacement
If you’re not completely blocking an IP, then the next logical action is to protect your network from rate
anomalies. Usually, it doesn’t work well to apply the same rate limit to all user types. Request rates that are
normal from an airport Wi-Fi network or large office would be very abnormal for a single person at home. And
you don’t want to set a low limit, effectively blocking all large buildings. But due to IPv4 NAT, it can be hard to
tell how many private network clients are behind the public IP.
On FortiWeb, there are two ways to distinguish shared Internet connections and apply different rate limits for
them. One way is shared IP.
FortiWeb Study Guide
194
DO NOT REPRINT
© FORTINET
 DoS and Defacement
The Shared IP setting uses a small amount of RAM for each client to remember the sequence ID number in
the previous packet’s IP header. If your web apps’ requests don’t have a session cookie, this may be the only
way that you can distinguish when multiple clients share the same Internet connection.
If the numbers are sequential, then that IP usually has only one client behind the public IP. FortiWeb calls this
a standalone IP. If the numbers are non-sequential, it usually means that there are multiple clients behind that
public IP. FortiWeb calls this a shared IP, and you’ll usually configure higher rate limits for shared IPs in DoS
sensors that use the Shared IP setting.
FortiWeb Study Guide
195
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Not all DoS sensors use the Shared IP setting. TCP flood prevention, for example, simply specifies one
connection rate limit.
FortiWeb Study Guide
196
DO NOT REPRINT
© FORTINET
 DoS and Defacement
TCP SYN cookie flood prevention doesn’t use shared IP either. But it doesn’t need to.
That’s because legitimate clients almost always follow a TCP SYN signal quickly with SYN ACK and the rest
of the connection setup. Only attackers don’t. So, FortiWeb can be certain that this anomaly is malicious, and
should be automatically blocked.
FortiWeb Study Guide
197
DO NOT REPRINT
© FORTINET
 DoS and Defacement
What would happen if you weren’t on the first page of results for Google, Yahoo!, or Baidu? Just as it’s
important to block bad IPs, it’s equally important to not block good IPs!
If you host a public web site, search engine crawlers will periodically access your web site for search rankings
and sometimes page cache. Their scripts are much faster than humans. But search engines are not a DoS.
So clearly you shouldn’t give them a low rate limit. You probably shouldn’t block them at all.
If you block a search engine, your rankings can suffer, and people may not be able to find your web site. This
can be devastating for e-commerce, government service, and content sites. To prevent this, if your web apps
are publicly accessible, white list known search engines on FortiWeb.
FortiWeb Study Guide
198
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Known search engines are one of the many objects that FortiWeb keeps updated by FortiGuard services.
While search engines often identify themselves by their User-Agent: HTTP header, those headers can be
easily forged, so it’s important to allow them based upon their public source IP address instead. You should
periodically check the list for updates. If a new search engine becomes popular, you may have a new option
on FortiWeb.
FortiWeb Study Guide
199
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Great! You now know how to detect and prevent threats at the Network and Transport layers
In the next section we will look at threats in the Application layer.
FortiWeb Study Guide
200
DO NOT REPRINT
© FORTINET
 DoS and Defacement
As we continue up the OSI stack, FortiWeb has some DoS protection that works by analyzing the application
alone. Others combine analysis of the application layer with the transport or network layer.
Let’s take a look.
FortiWeb Study Guide
201
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Search engines are well-known bots. But what about scripted access from bots that you don’t know? These
can sometimes be legitimate power users using tools such as wget. But more often, they are DoS tools. If
FortiWeb only analyzed the TCP/IP layers, these could be difficult to detect. But FortiWeb can analyze and
work with the HTTP layer, too.
These types of tools are often command-line, lightweight, and don’t support many of things a normal, fullfeatured web browser like Firefox or Chrome would. So when a client exceeds a rate limit, you can configure
FortiWeb to inject a test script into the page, and validate whether it’s a browser or not. If it’s a bot, you can
block that source IP.
FortiWeb Study Guide
202
DO NOT REPRINT
© FORTINET
 DoS and Defacement
This DoS sensor also does traffic policing on HTTP requests, but it operates differently. Do you see a
separate Shared IP rate?
No.
For this feature, FortiWeb injects a session cookie in the server’s HTTP response. Since clients keep
separate session cookie caches, as long as the client accepts cookies, it uniquely identifies the client. So
FortiWeb counts the rate of requests from that session cookie value. If the rate is too high, and you’ve enabled
Real Browser Enforcement, then FortiWeb uses the real browser enforcement JavaScript to fingerprint the
client and determine if it is a person’s browser or a bot. Otherwise, or if a bot is detected, FortiWeb applies the
block action that you’ve selected.
FortiWeb Study Guide
203
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Good job! You now know how to detect and prevent Application layer threats.
Next, let’s look at a blended analysis where all three layers are involved.
FortiWeb Study Guide
204
DO NOT REPRINT
© FORTINET
 DoS and Defacement
In this section we will:
• Describe and Discuss Multi-layer DDoS mitigation solutions
FortiWeb Study Guide
205
DO NOT REPRINT
© FORTINET
 DoS and Defacement
In this sensor, real browser enforcement can even be combined with shared IP, which we see here in the
HTTP request limit.
Although it works on both the IP and HTTP layers, this FortiWeb feature doesn’t require the client to support
cookies – only JavaScript.
Again, to cause connection timeouts on this type of malicious client and discourage them from returning, you
can set the Action to Period Block.
FortiWeb Study Guide
206
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Malicious IPs is another DoS mitigator that you can use with high confidence. Although some download
accelerators do use multiple connections, it’s very rare that legitimate clients will open many TCP connections
simultaneously. Normal browser tabs on Firefox and Chrome are not going to be the source of 1,024
simultaneous TCP connections. So this is a good candidate for a period block action.
FortiWeb Study Guide
207
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Once you have configured DoS sensors, group them together into an anti-DoS policy that specifies which
ones to use. You may want to configure multiple DoS policies, depending on the types of web apps you host.
Then, select them in the protection profile used by a server policy.
FortiWeb Study Guide
208
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Apart from the TCP/IP stack, web protocols have some DoS vulnerabilities inherent in the design. We’ve
shown DoS sensors that involve HTTP session cookies. But your other HTTP headers, individual servlets,
and web apps can have their own DoS vulnerabilities too. To prevent these, you can use HTTP constraints to
limit the HTTP protocol and app-specific input buffers to reasonable amounts.
Sometimes web app DoS vulnerabilities can be detected with FortiWeb input rules. You will learn about
FortiWeb input rules in another lesson. For example, a login page should usually accept only one password
input. If the application accepts many, then it’s possible to use that to create an app-specific DoS attack.
FortiWeb Study Guide
209
DO NOT REPRINT
© FORTINET
 DoS and Defacement
You shouldn’t forget your FortiWeb itself when engineering your network to be resilient to attacks. How you
configure FortiWeb also affects how successful you will be.
Similar to your web apps, you should consider RAM and other so-called sizing factors. You should also
consider your settings for various scan buffers, response cache, and how FortiWeb is configured to handle
them.
FortiWeb Study Guide
210
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Most DoS mitigation that FortiWeb does is in software. In other words, it does increase CPU, or RAM load, or
both. So, if you have large or high-profile attack targets, it’s best practice to combine FortiWeb with a purposebuilt hardware device like FortiDDoS. FortiDDoS is a specialist. Sophisticated anomaly analysis over time,
with data aging, ensures that you can intelligently cope with massive throughput. Its specialized chips can
help to keep your network working near line speed. Performance like this is simply not possible in software on
a general-purpose CPU.
FortiWeb Study Guide
211
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Great! You now know how to detect and prevent multi-layer threats.
Next, let’s discuss breaches in the network.
FortiWeb Study Guide
212
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Once you’ve strengthened your architecture and configuration against DoS attacks, remember what DoS
attacks are usually designed to achieve: distraction.
Has a security breach happened while you’ve been fighting the DoS attack?
You’ll learn about FortiWeb’s IPS features in another lesson. But, if you are already breached and need a
solution to fight it now, while you’re analyzing a more permanent solution, what can you do?
FortiWeb Study Guide
213
DO NOT REPRINT
© FORTINET
 DoS and Defacement
There are reasons why some targets, like the FBI and MIT, are persistently attacked. But you don’t have to be
rich, powerful, or politically controversial to have your web site defaced. About 1.5 million web sites were
defaced in 2014, and this number is growing rapidly. Targets included a local rugby team, a Montessori school
in Abu Dhabi, Baseball Canada, and UK charity groups for cancer research. Many bulk defacements, such as
these, are abandoned after the attack is done, with the attacker moving on to look for new targets.
FortiWeb Study Guide
214
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Not all security breaches are for extortion or stealing data. Some, like those done by LulzSec and ISIS, are
just vandalism. They may spread propaganda or discredit and humiliate the target.
FortiWeb has an anti-defacement feature. It keeps hashes of files in your Apache, IIS, or other web site
directory. Periodically, FortiWeb connects to the server to see if the files have changed. If it detects a change,
and you did not explicitly tell FortiWeb that an authorized change would occur, then FortiWeb can email you or
automatically revert the files to a clean copy. This can help minimize the impact of drive-by mass defacements
at hosting providers, while you work to discover and analyze the security hole.
FortiWeb Study Guide
215
DO NOT REPRINT
© FORTINET
 DoS and Defacement
When you configure anti-defacement, FortiWeb periodically uses FTP, SSH, or the SMB/CIFS protocol to
connect to your back-end web servers to look for changes to the files.
The first time it connects, FortiWeb will download copies to its own hard disk. These are the clean copies that
it will restore if it detects defacement, and if you have enabled automatic restoration of your web sites.
Subsequently, FortiWeb will only check to see if the files on the server have changed; it won’t download new
files each time. So, after the first sync, anti-defacement connections are made quickly.
FortiWeb Study Guide
216
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Since most modern web sites are not static HTML files, but are templates where content is injected from a
database, be aware that anti-defacement does not make a backup copy of your back-end databases.
Use FortiWeb to block SQL injection attacks, and follow best practices. Make sure you back up your database
regularly. If your database changes frequently, it can help to log transactions so that you can revert them if
necessary. If your web app data is very sensitive, such as for banks or PeopleSoft installations, you should
also apply controls. Database security devices such as FortiDB can help.
FortiWeb Study Guide
217
DO NOT REPRINT
© FORTINET
 DoS and Defacement
Congratulations! You have successfully completed this lesson.
FortiWeb Study Guide
218
DO NOT REPRINT
© FORTINET
 DoS and Defacement
In this lesson, we discussed several different types of DoS attacks that can affect web servers. You learned
about a range of attack types, including ones that affect every OSI layer of the web server stack, as well as
DNS. You learned how to study your normal traffic patterns, and how to recognize anomalies.
Some of FortiWeb’s DoS sensors analyze multiple OSI layers. You learned about how FortiWeb can test
whether clients are web browsers, and apply separate traffic policing or period blocks to browsers and search
engine crawlers, when the HTTP layer is included.
Finally, you also learned how to use anti-defacement to rapidly undo vandalism, since defacements often
accompany DoS attacks.
FortiWeb Study Guide
219
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
In this lesson, you will learn how to use signatures from FortiGuard subscription services, create your own
custom signatures, and use auto learning to train FortiWeb on your web apps’ security needs.
FortiWeb Study Guide
220
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
In this lesson we will explore:
• Quick Start
• Generating signatures and rules
• Input Validation: Session Cookies
• Input Validation: Headers and Body
• Input Validation: Forms
• State Based attacks
• Threat Scoring
FortiWeb Study Guide
221
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
FortiWeb can send TCP reset signals and, depending on the violation and your FortiWeb’s operation mode,
may also be able to send HTTP return codes and error pages.
What methods does it use to determine whether a client’s request is an attack?
FortiWeb has many strategies to detect attacks. In some cases, you can use default settings, and adjust as
necessary. But in other cases, you need to tailor settings to each web app. Whenever an administrator
updates a web server or web application, its needs can change.
How can you configure FortiWeb most quickly?
FortiWeb Study Guide
222
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
There are a few quick start strategies you can use. In this section we will:
• Discuss and Describe the Quick Start method of enabling signatures
• Configure Monitor Only mode
• Configure Auto Learning
FortiWeb Study Guide
223
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Here is an overview of methods that you can use to configure FortiWeb quickly. Let’s take a look at each of
them.
FortiWeb Study Guide
224
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Default settings and predefined settings are the easiest to use. If they’re not quite right, you can copy the
profile, adjust it, then change your policy to select your new profile.
FortiWeb Study Guide
225
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
If you want to do a dry run to see if a feature accidentally blocks normal traffic, you can either enable the
Monitor Mode option for a policy-wide effect, or you can select the Alert action for a specific feature that you
want to test.
If you test your FortiWeb configuration with typical traffic for one week and it doesn’t generate any accidental
attack logs, it’s usually safe to enable the feature without worrying that it will interfere with normal traffic.
FortiWeb Study Guide
226
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
The most powerful, but also the most resource-intensive method, is to let FortiWeb study your traffic and
suggest appropriate settings. This is called auto learning.
To teach itself about your traffic, FortiWeb must scan every HTTP header, every input, and every cookie in
every page of each apps’ normal traffic. As you can imagine, this takes considerable CPU power and RAM.
So if you enable it fully, on every policy, for every network interface, this can significantly impact performance.
It’s important to use auto learning wisely, especially if your FortiWeb is inline.
There are several ways that you can reduce or negate the impact of auto learning and keep performance at
an acceptable level. For example, you can run auto learning on only one policy at a time, or you can use it
while FortiWeb is in a one-arm, out-of-band topology and in offline mode, in an initial phase before you switch
to an inline, reverse proxy deployment.
FortiWeb Study Guide
227
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
This slide shows auto learning with the smallest possible performance impact: none.
Before deploying FortiWeb inline, FortiWeb is in offline mode, and attached to a switch’s traffic mirroring port.
Through its data capture port, FortiWeb listens and studies typical inputs, their sizes and data types, and the
server’s typical responses. After collecting data for at least a week – recommended time varies by your
application, usage patterns, and traffic volumes – FortiWeb can recommend safe constraints and attack
signatures. Then, you can generate initial protection profiles, switch the operation mode, and deploy FortiWeb
inline.
FortiWeb Study Guide
228
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
FortiWeb is studying what your HTTP traffic usually looks like: how long the headers are, which URLs there
are, and what the inputs’ data types are.
FortiWeb Study Guide
229
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
While auto learning, one of the things that FortiWeb usually studies is the web apps’ inputs, such as:
• How many are there?
• What are their names?
• What data type should they accept? Are some formats illegal?
• How big of a number, or how long of a string?
One of the most common ways that attackers find zero-day exploits are by inserting inappropriate data in an
input – forms, hidden inputs, or cookies – to see if it breaks the application in a way that can be exploited. So
auto learning will compare normal users’ inputs to the data types that it knows. If it usually matches a specific
type, such as a postal code or IP address, then FortiWeb will recommend that you apply an input rule to reject
other, invalid types of inputs.
FortiWeb Study Guide
230
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Obviously, if you’re under attack, it’s not a good time to begin auto learning.
Why?
Think about the data type learning that we just showed. FortiWeb is learning about what is normal input for
your web app. So you want to “feed” it lots of normal traffic.
If most traffic contains XSS attacks, for example, then FortiWeb could accidentally learn that those inputs
normally allow JavaScript. Then it will recommend disabling XSS signatures. That would be the opposite of
the configuration you want!
FortiWeb Study Guide
231
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Another thing that auto learning studies is which web servers are being protected.
Each web server has specific configuration and administrative files, such as .conf files, that should not be
accessible from an Internet URL. FortiWeb auto learning will recommend access control to block public
network access to the URLs that apply to your specific web servers.
FortiWeb Study Guide
232
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
If you have an application or web server with unusual configuration files or administrative URLs, you can
always look to see whether it will match a predefined pattern. If it doesn’t, make a custom definition for your
suspicious URLs.
You can use the predefined regular expressions as an example.
FortiWeb Study Guide
233
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
In an HTTP request that uses the GET method, the URL and parameters are all together, on the same line,
with no spaces between them. So, how does auto learning find the URL, and differentiate it from each input
and its values?
By default, it uses standard cues to find them. A question mark (?) usually separates the URL from the inputs,
an equal sign (=) separates the input’s name from its value, and an ampersand (&) separates the input’s value
from the name of the next input.
What happens if the URL is dynamically generated, or if the separator characters are different? In that case,
you must specify where to find each piece. Otherwise, auto learning won’t function correctly.
FortiWeb Study Guide
234
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
The object named URL Replacer is what shows auto learning how to interpret the URL line to find the URL
and separate each input.
Since Java server pages and Outlook Web App 2003 often don’t use the standard URL format, there are
predefined objects for them. But you can configure your own, too. You can see examples in the
documentation. When you’ve defined a chain of URL replacers to interpret every non-standard part of the
URL into the standard format, group them together, in order, in an application policy, then select it in the autolearning profile.
Remember to clear the cache of auto-learning data first, if you need to restart the auto-learning period with
your new URL replacer.
FortiWeb Study Guide
235
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Good job! You now know how to deploy and configure FortiWeb very quickly.
In the next section we will begin to look at ways to fine tune FortiWeb to your specific environment by
generating signatures and rules based on learned data.
FortiWeb Study Guide
236
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Auto learning will monitor for many attack types, and give you a head start in creating a configuration that is
tailored to your specific web applications. What is the result? When you’ve decided that it has analyzed
enough of your traffic, you use auto learning’s data to generate a protection profile.
This also generates its components for the relevant rules and attack signatures.
FortiWeb Study Guide
237
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Once your FortiWeb has been monitoring normal usage for a while, look at the auto learning report. Does it
look accurate, or did it incorrectly detect too many attacks? Did it miss any URLs that you know of? Did it
detect your web server type correctly?
When you click Generate Config, the profile that auto learning generates will be based upon its data. So if any
estimated settings are incorrect, you can correct them here.
Remember to click on each URL in the tree on the left side – not just the host name or the auto learning
profile’s name – because each web page can have unique cookies and other inputs. The Overview, Attacks,
and Visits tabs are always visible. However, the tab for inputs, only appears when you select a specific URL.
You may need to adjust their estimated data types, too.
FortiWeb Study Guide
238
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
If you click the Attacks tab, for example, you will see how many requests matched attack signatures. It is in
the Count and Percentage columns.
FortiWeb Study Guide
239
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
When you verify the recommendations, if you want to choose a different setting, you will need to complete the
following steps:
• Change the setting in the Type column to Custom.
• Change the setting in the Custom column:
• If you want to enable protection, select On.
• If you want to disable protection, select Off.
If you are enabling custom protection, in the Action column, select the action that you want FortiWeb to
perform when it detects a violation.
After you’ve verified or adjusted all settings, click Generate Config. Auto learning will generate all required
components.
There are some settings that are not studied by auto learning. For example, whitelisted objects is a global
setting, not policy-specific. You should manually configure those after.
FortiWeb Study Guide
240
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
A protection profile is what you select in a server policy to indicate which scans FortiWeb performs. The
protection profile ties together many component scans. Signatures detect many types of known attacks –
similar to IPS on FortiGate – but FortiWeb analyzes many more things than simply malformed data. For
example, FortiWeb can analyze whether cookies are returned intact, and whether sessions are initiated from
the correct URL and pages accessed in a logical order. This means that FortiWeb can detect known attacks
with signatures, but it can also prevent many zero-day attacks.
FortiWeb Study Guide
241
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Well done! You now know how to generate auto-learning reports and modify protection profiles.
In the next section we will look at using Input Validation based on Session cookies.
FortiWeb Study Guide
242
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Now you will learn more about each component that auto learning generates, and how it protects your web
servers.
First, let’s study how it protects session cookies. We will:
• Describe and Discuss HTTP Header validation
• Describe and Discuss HTTP Protocol Constraints
FortiWeb Study Guide
243
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
As it was initially defined in the RFC, HTTP is stateless. This means that each request is not necessarily
correlated to any request before or after.
For simple web page views, this was enough. However, as web pages became dynamic and eventually
became software in their own right – that is, web applications – programmers needed some way for servers to
remember variables between each request.
For example, in a page that gradually loads more items as you scroll down, the web application must know
what items you have already viewed. If you Like a Facebook post, it must know what account you used to log
in, so that the Like status is applied only when your account is accessing the page – not for everyone. Web
apps usually do this with sever-side sessions, session cookies that are stored client-side, or both.
FortiWeb Study Guide
244
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Here is an example HTTP transaction, showing how cookies are used in a JSP application.
1. First, the client initiates a session by requesting a page:
/login
2. The server replies. In the reply, the header contains Set-Cookie: and the name of a session cookie,
JSESSIONID, and its value. The value is a unique ID for this client’s session, and allows the server to
identify the client and correlate the next request with the first.
3. In the client’s second request, it returns the unchanged cookie.
4. The server uses this ID to remember the settings that it may need to generate the next page in this client’s
session. Then, it replies.
FortiWeb Study Guide
245
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Because the server is effectively storing some of its application data on an untrusted client, session cookies
are a risk. A malicious client could change the value of the session cookie; for example, they could replace the
session ID with a SQL query. In the next request that the client sends, the poisoned cookie would go with the
request to the server. If the web app does not check the cookie’s value for SQL commands before passing the
cookie’s value into a database query, then the attacker could run any database commands that they want.
FortiWeb Study Guide
246
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
FortiWeb’s cookie poisoning detection blocks this kind of abuse. When cookie poisoning detection is enabled,
FortiWeb remembers each cookie, and associates it with FortiWeb’s session management cookie. If the next
request’s cookies don’t match the original cookie sent by the server, then FortiWeb knows that the client has
changed the cookie. Normally, innocent clients don’t change their cookies.
FortiWeb Study Guide
247
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
In this slide, you can see an example of a session cookie being present and FortiWeb, inline, scanning for
cookie poisoning. After the client logs in with HTTP authentication, the web app creates a session ID. Then,
as the client continues to use the web app, the web app sets a new cookie, to remember that the client has
previously authenticated, and binds the authentication status to the session ID. Before the client receives the
server’s reply, FortiWeb reads and remembers the values of all cookies. If the server changes the cookie’s
value, FortiWeb updates its cache. After the first request, every time, FortiWeb validates that the client hasn’t
changed the cookies.
FortiWeb Study Guide
248
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Good job! You have just learned how to implement Input validation based on session cookies.
In the next section we will discuss Input Validation based on Headers and Body.
FortiWeb Study Guide
249
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
The Cookie: header is one type of HTTP input that users don’t usually see, but it’s not the only one. In this
section we will:
• Describe and Discuss HTTP Header validation
• Describe and Discuss HTTP Protocol Constraints
FortiWeb Study Guide
250
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
HTTP constraints allow you to control the number, type, and length of many HTTP headers, which are also
inputs. This prevents unexpected inputs that a malicious client could craft to try to compromise your server.
The limits can vary according to your server’s software, and its hardware. For example, if a server has limited
RAM, then it’s potentially easier to overload or crash with an excessive number of headers, since parsing the
headers and storing them in buffers requires RAM.
FortiWeb Study Guide
251
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Since requests that use the POST method can have very large bodies, if your web app does not accept movie
or music uploads, for example, then it can be useful to reduce the maximum length of the HTTP body.
FortiWeb Study Guide
252
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Excellent! You now know how to implement Input Validation based on Headers and Body.
In the next section we will look at Input Validation based on Forms.
FortiWeb Study Guide
253
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Input from HTML forms is equally important to validate. In this section we will:
• Configure Parameter Validation Rules
• Configure Upload Restriction Rules
• Configure Upload Restriction Policy
• Configure Signature Policy
• Define Cross Site Scripting
• Define SQL Injection
FortiWeb Study Guide
254
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
FortiWeb can apply reasonable limits to inputs from HTML forms, such as requiring that user names contain
email addresses.
Technically, you can use parameter validation rules regardless of the HTML input type: both visible, usercompleted HTML forms, and hidden inputs. In the HTTP, they are transmitted the same way. Since hidden
inputs are not rendered by the browser as buttons or fields, you may not realize they exist. It often takes more
time to find all of them. That’s why FortiWeb has hidden input rules. Its GUI helps you to quickly configure this
specific type of parameter by scanning the URL’s HTML page for hidden inputs.
FortiWeb Study Guide
255
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
With FortiWeb, you can also specify that excessively large files of the wrong type can’t be uploaded.
FortiWeb Study Guide
256
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
When restricting uploads, you can also engage FortiGuard Antivirus.
FortiWeb Study Guide
257
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
FortiGate-style FortiGuard Antivirus signatures are not the only type of signatures that FortiWeb uses.
FortiGuard antivirus is an engine for analyzing binary file uploads; it’s enabled by the Trojans option in
signatures. For non-binary web app exploits, FortiGuard security provides an extensive set of regular
expressions that match attack string patterns.
FortiWeb Study Guide
258
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Because they are regular expressions, you can also customize or write your own attack signatures. If you do
this, use PCRE syntax.
FortiWeb Study Guide
259
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
When configuring which signatures to use, choosing the Period Block setting instead of Aert & Deny is an
important performance tweak. Select it for DoS or persistent attacks to reduce FortiWeb’s CPU usage and
buy time for forensic analysis.
FortiWeb Study Guide
260
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Signatures detect many types of attacks. Many correspond to the OWASP top 10, which PCI specifically
requires that you block.
One type of attack is called cross-site scripting (XSS). The root cause of an XSS attack is that the web
application does not sanitize its inputs, rejecting JavaScript. As a result, it stores the XSS attack in its
database and, whenever other clients request the page that re-uses that data, the JavaScript is embedded in
the page.
JavaScript can do many things with a page, including rewriting the whole page and making its own requests.
This is the basic mechanism of AJAX apps. In this case, XSS causes innocent clients to transmit to a different
server that is controlled by the attacker. This could, for example, transmit credit card information or passwords
from a form to the attacker.
FortiWeb Study Guide
261
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Another very common type of attack is SQL injection. Similar to an XSS attack, its root cause is that the web
app does not sanitize input. If the attacker enters a SQL query into an input such as an HTML form, the web
app simply accepts it and passes it along to the database engine, which accidentally runs the query.
The SQL language can do anything to the data. For example, it can download the table of users so that the
attacker can run a password cracker. A query could add new entries for new administrator logins, or modify
logins, blocking administrators from logging into your CMS.
FortiWeb Study Guide
262
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Some signatures apply to most web apps – they are not app-specific. XSS and SQL injection signatures
belong to this category.
Popular web apps such as Drupal and WordPress are well known. So, FortiWeb has predefined signatures for
their known vulnerabilities, and FortiGuard Service updates can provide ongoing updates, as new
vulnerabilities are discovered. But, if you need to protect an in-house, custom web app, you can also write
your own app-specific custom signatures.
If a predefined signature causes a false positive, edit the signature policy. Click the Advanced Mode button
that appears, and create exceptions or disable those individual signatures. You don’t need to disable the
entire category.
FortiWeb Study Guide
263
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
The advanced mode for editing the signature policy offers full flexibility. You can disable a signature in the
current policy only, or in all policies. You can also disable it for only a specific domain name, or URL, or both
(that is, make an exception to the rule). The exceptions also support PCRE regular expressions so you can
match an entire group of URLs if you need to.
This is your primary tool for eliminating false positives.
Alternatively, if you’re viewing the attack log and it looks like an innocent request accidentally matched the
attack signature, you can also create exceptions or disable signatures while viewing the log.
1. Click a log entry to view its details.
2. In the log entry, click the link to make an exception or disable the signature.
FortiWeb Study Guide
264
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Regardless of the reason why a request is detected as an attack, you can usually customize FortiWeb’s error
message.
FortiWeb Study Guide
265
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Great! You now know how to implement Input Validation based on Forms
In the next section we will look at how to detect and prevent State-Based attacks.
FortiWeb Study Guide
266
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Lack of input sanitization is only the beginning. If your FortiWeb’s vulnerability scan detects those types of
vulnerabilities, it’s the easiest for developers to find and correct.
What’s harder to find and correct? Mechanism exploits.
In this section we will:
• Define a Start Page
• Configure Session Initiation page
• Define Page Access rules
• Configure Allowed Page Order
FortiWeb Study Guide
267
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Not all attacks can be detected by regular expressions matching an input string. The exploits that are hardest
to find and protect against are mechanistic. They exploit how the web app allows transitions from one page to
the next, that are not logically valid.
One major category of mechanistic attacks involves how sessions are initiated. If a shopping cart must be
associated with an existing session, a file upload must be associated with a previous login, or there’s any
other correlation of this page with previous pages, then the web app must validate that:
• The session is not null
• The session was created by that client IP or browser
• The session was created by visiting a URL where sessions normally begin, such as a login page or
advertising campaign URL
Otherwise, the attacker can exploit the app in many ways. Session hijacking is one way.
FortiWeb Study Guide
268
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Unless you’ve used auto learning, this can be difficult to configure correctly. To do so, you must understand
the web app well. Instead of a period block, 403 Forbidden, or Alert & Deny action, it is usually best to
redirect the client to the correct page for session initiation. Since a web app can have multiple valid session
initiation pages, the default setting indicates the target for the Redirect action.
FortiWeb Study Guide
269
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Many other mechanistic attacks exploit page flow after the session is initiated. Page access rules enforce
valid page order. You shouldn’t, for example, be able to place an order for a TV unless you’ve submitted
payment!
Page access rules can’t completely prevent all permutations of CSRF attacks. Some require too much RAM
to prevent. A solution could become a potential performance bottleneck or opportunity for DoS attacks. This is
why vulnerability scans, IP reputation, and other features are still important; however, page order rules can
prevent many of these attacks.
FortiWeb Study Guide
270
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
This slide shows you how to configure a page order rule for the scenario we just talked about. Notice that we
don’t have to input all pages – only ones where the order between two pages must be enforced.
You can specify that the rule applies only to specific virtual hosts and specific URLs. This avoids false
positives and wasted resources, improving performance, since FortiWeb only needs to remember session
page order for those specific combinations.
FortiWeb Study Guide
271
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Well done! You now know how to detect and prevent State-Based attacks.
Next, let’s take a look at Threat Scoring.
FortiWeb Study Guide
272
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
The threat scoring feature allows you to configure your signature policy to take action based on multiple
signature violations by a client , instead of a single signature violation. When a client violates a signature in a
threat scoring category, it contributes to a combined threat score. When the combined threat score exceeds a
maximum value you specify, FortiWeb takes action. In this section we will:
• Configure Threat Scoring
• Review Threat Scoring in Attack Logs
FortiWeb Study Guide
273
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
When threat scoring for a signature category is turned on, FortiWeb ignores the action set for the category.
Instead, when traffic violates a signature in the category, FortiWeb adds the threat score for the signature to
the combined threat score for the signature policy. When the combined score exceeds the maximum specified
by the Threat Scoring Threshold setting, FortiWeb takes the specified action.
Some high-priority signatures are configured to override the threat management settings for their category.
You cannot enable threat scoring for the following categories:
• Credit card detection
• Information disclosure, if it is configured to erase information
FortiWeb Study Guide
274
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Threat scoring match scope specifies how FortiWeb calculates the combined threat score before it compares
it to the threat scoring threshold.
• HTTP transaction – FortiWeb compares the score for each transaction to the threshold
• TCP session – FortiWeb compares the score for each session to the threshold. The score can include
multiple transactions.
• HTTP session – FortiWeb compares the score for sessions associated with a specific client to the
threshold. This option requires you to enable session management in the appropriate protection profile.
Example combined threat score calculations are shown in this slide.
Threat scoring threshold is low (7 points).
A TCP session contains two HTTP transactions:
•
Transaction A violates two signatures. Each signature has a threat score of 3.
•
Transaction B also violates two signatures. Each signature has a threat score of 5.
• If the threat scoring match scope is HTTP transaction:
• The score for transaction A is 6, which does not exceed the threshold and FortiWeb takes no
action.
• The score for transaction B is 10, which exceeds the threshold, and FortiWeb takes the specified
action.
• If threat scoring match scope is TCP session, the score for the session is 16, which exceeds the threshold
and triggers the action.
FortiWeb Study Guide
275
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
The signature details settings allow you to adjust the threat score for each signature.
FortiWeb Study Guide
276
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Some high priority signatures are configured, by default, to ignore the threat score settings. When traffic
violates these signatures, FortiWeb takes the action specified for that signature immediately. If you disable the
override setting for these signatures, they behave like other signatures when you add their category to the
threat scoring group.
FortiWeb Study Guide
277
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
A column and icon in the attack log indicate messages that FortiWeb generated when a combined threat
score for a signature policy exceeded its threshold. The message details include more information about the
score and the signatures that contributed to it. FortiWeb aggregates threat score messages in the Aggregated
Attacks page.
FortiWeb Study Guide
278
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
Congratulations! You have successfully completed this lesson.
FortiWeb Study Guide
279
DO NOT REPRINT
© FORTINET
 Signature Sanitization and Auto Learning
In this lesson, you learned three strategies for quickly deploying protection settings. You learned how the
action setting that you select can affect performance. You learned that when FortiWeb scans for attacks, it
can scan for both input sanitization errors and mechanistic attacks. Finally, you learned two strategies for
avoiding blocking legitimate requests when they accidentally match a rule or an attack signature.
FortiWeb Study Guide
280
DO NOT REPRINT
© FORTINET
 SSL/TLS
In this lesson, you’ll learn how to use encrypted HTTP transactions. With HTTPS, login credentials and other
sensitive data aren’t compromised while they’re in transit.
FortiWeb Study Guide
281
DO NOT REPRINT
© FORTINET
 SSL/TLS
In this lesson we will explore the following topics:
• HTTPS Basics
• SSL/TLS Protocols and ciphers
• X.509 Certificates
• Client PKI Certificates
• What if clients type HTTP?
FortiWeb Study Guide
282
DO NOT REPRINT
© FORTINET
 SSL/TLS
In this section we will discuss:
• Why HTTPS?
• SSL Inspection vs SSL Offloading
• Configure SSL Offloading
• Configure SSL Inspection
FortiWeb Study Guide
283
DO NOT REPRINT
© FORTINET
 SSL/TLS
Before, HTTPS was mostly used for online banking, e-commerce, and government web sites. Users needed
privacy and confidence in the site’s authenticity.
Since the leaks in 2013 and later by Edward Snowden, many of the most popular content web sites from
Twitter and Facebook, Tumblr and 500px.com, to Gmail, Google’s search engine, and YouTube have all
switched to HTTPS. Why?
Even seemingly harmless location check-ins and vacation photos can be exploited. If you’re on vacation in
Bali, obviously you’re not home to prevent theft. And privacy laws that govern email have not evolved to cover
social media, leaving people vulnerable to unscrupulous employers and free Wi-Fi. People that prefer privacy
are shifting to HTTPS. This trustworthiness factor is now reflected in Google search rankings. HTTPS sites
have a slightly higher ranking.
There’s a surprising side-effect. As a result of the more computationally expensive handshake and encryption,
it is also more difficult to brute force HTTPS site login page.
FortiWeb Study Guide
284
DO NOT REPRINT
© FORTINET
 SSL/TLS
Many of the top 200 web sites, according to Alexa, have now changed to HTTPS, but what about the millions
of other web sites on the Internet?
This shows statistics for the top ~140,000 sites as of October 3rd, 2016. In that sample, 175 were still
vulnerable to Heartbleed, an SSL vulnerability over one year old. 9.1% used weak cipher strengths less than
128 bits.
The good news is that FortiWeb has tools to not only easily offer HTTPS, but to help you implement it
securely for all protected web sites.
FortiWeb Study Guide
285
DO NOT REPRINT
© FORTINET
 SSL/TLS
When we configure HTTPS on FortiWeb, mostly we’re configuring policies, not the HTTPS administrative
GUI. Policies govern traffic travelling through FortiWeb, not to it.
In policies, FortiWeb supports HTTPS. It can be either:
• An SSL reverse proxy, which terminates the SSL session and then (usually) forwards plain HTTP to backend servers
• An SSL inspector, which does not terminate the SSL session. Instead, it decrypts a copy of the traffic to
scan it for viruses and other security violations. It forwards the original, still-encrypted packet to the backend web servers.
For both, you must upload the web site’s certificate and private key, and then specify it in the policy. This
allows FortiWeb to decrypt the HTTPS traffic and, in the case of SSL offloading, to offer HTTPS service to
clients.
FortiWeb Study Guide
286
DO NOT REPRINT
© FORTINET
 SSL/TLS
The differences between SSL inspection and SSL offloading are explained in this slide.
•
•
SSL inspection puts the certificate and private key on both FortiWeb and the web servers. However,
FortiWeb is not an end point for the SSL session; it’s one continuous session, from the client to the
servers. Clients negotiate with the server, not with FortiWeb. As long as the traffic is not an attack,
FortiWeb allows the packets to continue to their final destination.
SSL offloading only puts the certificate and private key on FortiWeb; clients negotiate the SSL session with
FortiWeb, not the web servers. This reduces system load on the web servers. Since the traffic is decrypted
before FortiWeb forwards it, FortiWeb can also scan traffic in this mode.
There is one more style, not shown here. Technically, you can inspect SSL or TLS if FortiWeb does terminate
the SSL session. But it must make a second SSL session to the protected servers. This is not fully
transparent. FortiWeb may need its own certificate so that it can authenticate itself to servers. However,
FortiWeb doesn’t save system resources on the protected servers, so it’s not technically SSL offloading,
either.
FortiWeb Study Guide
287
DO NOT REPRINT
© FORTINET
 SSL/TLS
This slide lists some of the main differences between SSL inspection and SSL offloading.
Remember, despite the name, both do enable FortiWeb to inspect HTTPS traffic.
FortiWeb Study Guide
288
DO NOT REPRINT
© FORTINET
 SSL/TLS
(slide contains animations)
Since reverse proxy is the most popular operation mode, usually you will be configuring an SSL proxy. It
either may be SSL offloading, or after inspection, may make a second HTTPS session to the back-end
servers, so that data in transit is always secure. These are the configuration steps.
1. Get a signed certificate. If you’re an enterprise whose computers all trust your active directory or other CA
server, this could be your own private CA. Otherwise, it should be a commercial root CA, so that all
browsers will trust your CA-signed certificate. (click)
2. If an intermediate CA signs it, be sure that browsers can link it to a trusted root. (click) Otherwise, include
the signing chain in the bottom of the certificate, (click) or as intermediate certificates on FortiWeb. (click)
3. Upload both the signed certificate and its associated private key in the local certificates menu on
FortiWeb. (click)
4. PKI authentication is optional. If you want FortiWeb to offer it so that clients, such as iPhones, can log in
by showing their personal certificate instead of typing a password, upload those CA certificates and CRL
or the address of an OCSP server. This way FortiWeb will know if any certificates have been revoked.
(click)
5. Finally, select your certificate and, if applicable, certificate revocation and validation rules, in the policy.
FortiWeb Study Guide
289
DO NOT REPRINT
© FORTINET
 SSL/TLS
Let’s look at how to configure SSL / TLS offloading on FortiWeb.
In the simplest case, you only need to import the PEM file or .cert and .key file. Then, in the policy, select the
predefined HTTPS service, and your certificate. That’s it!
FortiWeb Study Guide
290
DO NOT REPRINT
© FORTINET
 SSL/TLS
If you’re doing SSL inspection in the other operating modes, then, for each server in your server pool, you
must also enable the SSL option and define its HTTPS listening port.
FortiWeb Study Guide
291
DO NOT REPRINT
© FORTINET
 SSL/TLS
If you’re using transparent mode, your back-end web servers must be configured to offer HTTPS. This may be
different from reverse proxy – SSL offloading means that the back-end server only needs to offer plain HTTP.
So while transparent mode doesn’t require any server-side changes, reverse proxy might.
For better security, though, you might still want to audit your servers’ HTTPS support. Make sure that patches
are applied, and that TLS-level compression is disabled. Also disable any ciphers that FortiWeb doesn’t
support, and can’t therefore inspect.
FortiWeb Study Guide
292
DO NOT REPRINT
© FORTINET
 SSL/TLS
If you want best performance, you should set up FortiWeb for SSL offloading. However, in some cases, such
as compliance, where sensitive data must always be encrypted while in transit, you may need a reverse proxy
FortiWeb to re-encrypt before forwarding data to your web servers. Like with SSL inspection, to do this, you’ll
enable the SSL option for each entry in the server pool.
However, because FortiWeb is acting as a client to your web servers in this second session, you should also
upload the certificate of the CA that signed their server certificates. That way, FortiWeb can validate your
servers’ certificates.
If your web servers require that FortiWeb use PKI authentication to authenticate itself as a client, this is also
where you specify which certificate FortiWeb will present. Again, you’ll upload this certificate in the local
menu, but this time, its purpose will be different. FortiWeb will present it when it is a client, not a server.
FortiWeb Study Guide
293
DO NOT REPRINT
© FORTINET
 SSL/TLS
Great! You are now familiar with HTTPS basics
In the next section we will look at SSL/TLS protocols and ciphers
FortiWeb Study Guide
294
DO NOT REPRINT
© FORTINET
 SSL/TLS
Enabling HTTPS does not automatically make your web site fully secure. Attack signatures and mechanism
protections that deal with security once the packet is received are covered in another lesson.
Even in transit, HTTPS is not automatically fully secure. SSL and TLS do have vulnerabilities, so it’s important
that you configure HTTPS on FortiWeb as securely as you can.
In this section you will learn:
• HTTPS Limitations
• TLS versions and vulnerablities
• Verifying Client Connections
FortiWeb Study Guide
295
DO NOT REPRINT
© FORTINET
 SSL/TLS
This is a vulnerability, seen in late 2014, was named POODLE because it exploited padding as an oracle that
caused patterns in encrypted packets. These patterns made a crypto-analysis attack possible. Due to this
being a vulnerability in an implementation of options for older protocols, all servers that supported SSL 2.0
and some that supported SSL 3.0 were vulnerable.
FortiWeb Study Guide
296
DO NOT REPRINT
© FORTINET
 SSL/TLS
(slide contains animations)
What should these servers have done?
(click)
First, don’t use old SSL protocol versions.
(click)
Use TLS 1.1 or 1.2, if possible.
FortiWeb Study Guide
297
DO NOT REPRINT
© FORTINET
 SSL/TLS
TLS 1.2 was initially slow to be adopted, but is now a reasonable choice. The Heartbleed SSL vulnerability
helped to spur its adoption. Since then, other vulnerabilities in old SSL versions have increased the incentive
to upgrade.
FortiWeb Study Guide
298
DO NOT REPRINT
© FORTINET
 SSL/TLS
After you choose which SSL or TLS versions that FortiWeb will offer to clients, the next factor you should
consider is which cipher suites.
Key sizes that are 128 bits or lower are considered weak. Hardware is now fast enough to decrypt them with
speed. But, you should also look at the encryption and checksum mechanisms, plus renegotiation and rekeying, if applicable.
Here’s one reason. RC4 was initially championed as a solution to the BEAST attack. It allowed servers to
continue supporting old clients that needed SSL 3.0 or TLS 1.0. But in the end, RC4 is a mitigation at best. It
is still stronger than the ciphers that are vulnerable to BEAST. But it does have its own weaknesses. So it’s
not as good as disabling old SSL and TLS protocols.
FortiWeb gives you full control over this, so you can support older clients, if you need to, without becoming
vulnerable to the BEAST attack.
FortiWeb Study Guide
299
DO NOT REPRINT
© FORTINET
 SSL/TLS
Weak encryption and checksums, including so-called export grade encryption, are now disabled by default on
many browsers. So reasons to use old, weak encryption are decreasing.
FortiWeb Study Guide
300
DO NOT REPRINT
© FORTINET
 SSL/TLS
Now that you’re aware of some ways to make HTTPS stronger, how can you see what is being used? Client
and server (or, for offloading, FortiWeb) will negotiate the protocol and cipher suites that they both support.
On the client side, in Firefox and Chrome browsers, you can see the negotiation results. Look for the padlock
icon in Firefox’s URL bar, and click it.
FortiWeb Study Guide
301
DO NOT REPRINT
© FORTINET
 SSL/TLS
In Google Chrome, you also click the padlock to see which protocol and ciphers were negotiated.
FortiWeb Study Guide
302
DO NOT REPRINT
© FORTINET
 SSL/TLS
Unfortunately, there is no easy way to verify client connections Internet Explorer. However, there are still
ways that you can test for robust client support.This is one way to test: a Python script called sslyze. As you
can see from the slide, the script checks for several vulnerabilities, such as Heartbleed and insecure
renegotiation.
FortiWeb Study Guide
303
DO NOT REPRINT
© FORTINET
 SSL/TLS
The sslyze script also checks for certificate validation errors, and which protocols and cipher suites that the
server (or FortiWeb) supports. The example in this slides shows that FortiWeb has been configured for
somewhat higher security – it is offering TLS 1.2 with 256-bit AES, RSA keys, and SHA-384 checksums. But
its certificate for www.example.com is self-signed, so browsers will show error messages. This
misconfiguration should be corrected before being used on a production network.
FortiWeb Study Guide
304
DO NOT REPRINT
© FORTINET
 SSL/TLS
SSL scans like this can be very useful to prepare for security audits, as well as when you need to analyze
client compatibility, because it can quickly check all of your configurations.
FortiWeb Study Guide
305
DO NOT REPRINT
© FORTINET
 SSL/TLS
Excellent! You now have an understanding of SSL/TLS protocols and ciphers.
In the next section you will look at X.509 certificates
FortiWeb Study Guide
306
DO NOT REPRINT
© FORTINET
 SSL/TLS
Aside from protocol versions and cipher suites, the other major component of HTTPS is X.509 certificates.
FortiWeb Study Guide
307
DO NOT REPRINT
© FORTINET
 SSL/TLS
FortiWeb uses several kinds of X.509 certificates. It uses its own, built-in, default, self-signed server certificate
when you open your browser and connect to the GUI. FortiWeb may also need its own certificate if you want it
to use PKI authentication as a client to your back-end severs.
FortiWeb Study Guide
308
DO NOT REPRINT
© FORTINET
 SSL/TLS
In most cases, since FortiWeb is a proxy, it will be acting as an agent for your web sites. So it will present
their certificates when a client connects. Since FortiWeb needs the private key to be able to encrypt and
decrypt traffic, be sure to store your FortiWeb backups in a secure location. Like all backups of your private
key, physical access to your private key should be tightly restricted to a few authorized individuals, and
backups should be password-encrypted.
FortiWeb Study Guide
309
DO NOT REPRINT
© FORTINET
 SSL/TLS
What other certificates do you need to upload to FortiWeb?
CA certificates are important for certificate validation. FortiWeb must validate certificates in two cases:
• When a client sends a personal certificate for PKI authentication
• When FortiWeb connects to an OCSP, LDAPS, back-end HTTPS, or secure email server
FortiWeb Study Guide
310
DO NOT REPRINT
© FORTINET
 SSL/TLS
Like web browsers, when FortiWeb evaluates a certificate, it will examine the same factors:
• Does the IP address or host name in the certificate match exactly?
• Is it currently valid, not expired or pending a future time or date?
• Is it signed by a CA that I trust?
• If X.509 extensions exist, such as restricting certificate usage to signing other certificates or as server
authentication, is the certificate being used in a valid context?
FortiWeb Study Guide
311
DO NOT REPRINT
© FORTINET
 SSL/TLS
For CA signatures to be truly trustworthy, it’s important that an attacker can’t use collision attacks. Collision
attacks allow the attackers to mimic the CA’s fingerprint, so it’s better to use certificates with SHA-256 or
greater.
FortiWeb now supports many new certificate-related features, including multi-domain certificates, SNI, and
URL-specific contexts for requiring client PKI authentication. Let’s take a look at what this enhanced support
allows you to do.
FortiWeb Study Guide
312
DO NOT REPRINT
© FORTINET
 SSL/TLS
Multi-domain certificates mean you don’t have to use a wildcard certificate when multiple host names are
being protected by the same FortiWeb policy. Wildcard certificates are considered by OWASP to be less
secure. Instead, you can use a SAN certificate extension field to list specific host names that are under your
control.
FortiWeb Study Guide
313
DO NOT REPRINT
© FORTINET
 SSL/TLS
SNI enables a FortiWeb virtual server to offer different certificates, depending on the host name requested by
the client. Like many other objects on FortiWeb, you must configure an SNI list, then select it in the server
policy.
FortiWeb Study Guide
314
DO NOT REPRINT
© FORTINET
 SSL/TLS
Good job! You now know more about X.509 certificates
In the next section you will learn about Client PKI certificates
FortiWeb Study Guide
315
DO NOT REPRINT
© FORTINET
 SSL/TLS
Server certificates are only one type of certificate. FortiWeb can also accept – and present – a client
certificate.
In this section you will learn to:
• Describe and Discuss Client PKI Certificates
• Configure Client PKI Certificates
FortiWeb Study Guide
316
DO NOT REPRINT
© FORTINET
 SSL/TLS
Passwords have many problems. They are hard to remember, and usually easy to crack. But they are also
hard to reliably type on touch-screen devices.
If most of your web site’s users (or a critical segment of them) use touch screens, and if they are managed by
your organization, then it may be both more user-friendly and more secure to authenticate them using
personal certificates instead. For example, the administrator could use Apple’s iPhone profile manager to
install both your enterprise’s CA certificate and the personal certificate on the phone. Then, every time that
person accessed the web site, they would be securely and effortlessly authenticated.
During an HTTPS handshake, the server (or in the case of SSL offloading, FortiWeb) first presents its
certificate. The client validates it. However, the client can, optionally, present their own certificate for the
server to validate. This is why it’s also called mutual authentication or bi-lateral authentication.
FortiWeb can also authenticate as a client. If it uses HTTPS to connect to the back-end web servers, it can
present its own certificate to authenticate as a client.
FortiWeb Study Guide
317
DO NOT REPRINT
© FORTINET
 SSL/TLS
In order for client PKI authentication to work, you must upload the certificate of the CA that signed the
personal certificates. By default, FortiWeb doesn’t trust any CAs. So if you don’t upload any, FortiWeb won’t
validate any clients’ certificates. You’ll also need to configure a certificate validation rule on FortiWeb.
FortiWeb Study Guide
318
DO NOT REPRINT
© FORTINET
 SSL/TLS
If you’re configuring mutual authentication for the SSL session on the front end, you must do it on both the
client browser and FortiWeb.
FortiWeb Study Guide
319
DO NOT REPRINT
© FORTINET
 SSL/TLS
If you’re configuring mutual authentication with the protected web servers behind FortiWeb, they may already
be installed with a store of trusted CA certificates. In that case, you’ll only need to configure FortiWeb.
FortiWeb Study Guide
320
DO NOT REPRINT
© FORTINET
 SSL/TLS
Great! You now know how to implement and use Client PKI certificates on FortiWeb.
Next you will look at what to do if the user types HTTP instead of HTTPS.
FortiWeb Study Guide
321
DO NOT REPRINT
© FORTINET
 SSL/TLS
Regardless of whether your servers or FortiWeb offer HTTPS, there is no way that you can prevent a client
from typing http:// into their browser. And it’s a common habit for most people. Unless they’re technical,
they may not know the difference.
How can you protect these clients? I this section you will learn how to implement HTTP to HTTPS redirection.
FortiWeb Study Guide
322
DO NOT REPRINT
© FORTINET
 SSL/TLS
The most common method is to simply use HTTP’s redirect mechanisms to send clients to the secure site.
But it’s not ideal. SSL stripping attacks are possible.
FortiWeb Study Guide
323
DO NOT REPRINT
© FORTINET
 SSL/TLS
It’s better to enforce strict transport security. If you enable it, FortiWeb can add an HSTS header so that in the
future, the browser will automatically convert HTTP addresses to their HTTPS equivalent, before making the
request. It will also suppress dialogs that allow users to ignore certificate warnings, a common source of socalled click-through insecurity.
FortiWeb Study Guide
324
DO NOT REPRINT
© FORTINET
 SSL/TLS
Here we see a reply from a web server where FortiWeb has injected the Strict-Transport-Security: header.
FortiWeb Study Guide
325
DO NOT REPRINT
© FORTINET
 SSL/TLS
Once you’ve configured your HTTPS service, don’t forget to add authentication and access control. After all,
HTTPS is only about security in transport. Once a request reaches servers, you need to enforce security
there, too!
FortiWeb Study Guide
326
DO NOT REPRINT
© FORTINET
 SSL/TLS
Congratulations! You have successfully completed this lesson
FortiWeb Study Guide
327
DO NOT REPRINT
© FORTINET
 SSL/TLS
In this lesson, you learned about the differences between SSL and TLS, and how some HTTPS protocol
versions and ciphers are not recommended. You learned about SSL offloading and SSL inspection, how to
test them, and their implications for server-side configuration. Finally, you learned how to enforce use of
HTTPS instead of clear text HTTP.
FortiWeb Study Guide
328
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
In this lesson, you will learn how to add authentication for web applications that don’t have it – or where you
want to unify the login across multiple applications. You’ll also learn how to secure the HTTP transactions so
that your users’ login credentials aren’t compromised.
FortiWeb Study Guide
329
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
In this lesson we will explore the following topics:
• After encrypting, Control access and Authenticate
• Authentication
• User Tracking
• Attacks on Authentication
FortiWeb Study Guide
330
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
When you authenticate users, the first thing you should always do is make sure that user names and
passwords are encrypted in transit. Otherwise, man-in-the-middle (MiTM) attacks and even attackers in the
same Wi-Fi range can easily see their logins.
Why do you need HTTPS?
For some web apps, adding HTTPS is not as critical. NTLM authentication for HTTP does apply some
encryption, and some applications use HTML forms that encrypt and checksum inputs at an individual level.
But, usually, as a best practice, you should use HTTPS. It not only encrypts and tamper-proofs logins in
transit, but also binds sessions to the client IP. This better secures the session. The protection is stronger.
So if your web app doesn’t use HTTPS already, use a reverse proxy FortiWeb to apply it. Once you have a
secure channel, FortiWeb can help you control which IPs have access to each URL, before they even attempt
to authenticate.
FortiWeb Study Guide
331
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
At the most basic level, you can manually blacklist specific IP addresses and white list others.
Unlisted IPs are in a grey zone: they will neither be allowed or denied by this feature. Instead, they’ll be
subject to all of the other scans that you have configured. In other words, their action is Continue to Other
Scans.
If you have a web app that should only be accessible by a specified group of people, such as top
management levels logging in from a secure, private network location, this may be enough.
FortiWeb Study Guide
332
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
It is often impractical to manually maintain source IPs in blacklists if you have a publicly available site on the
Internet. So what other features does FortiWeb have to automatically restrict client IPs?
A much more powerful way of blacklisting is the Geo IP feature. With it, you can blacklist IPs in all regions that
shouldn’t be accessing your web site. For example, if you sell e-books where the copyright agreement allows
publishing only in France, you can ignore traffic from everywhere else.
FortiGuard IP reputation can help you to effortlessly deny access to IPs of unknown reputation due to
anonymous proxies, and to block the IP addresses of known botnets and hackers.
FortiWeb Study Guide
333
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
If you need to control access based upon the request’s HTTP layer – its URL and host name – then FortiWeb
can do that. In previous FortiWeb versions, URL access rules could only match by the domain name and
URL, but now FortiWeb can also match based upon the client’s source IP.
For example, you might want to restrict your phpMyAdmin management GUI so that only web site
administrators on the private network can access it. To do this, you could create a URL access rule that
blocks access to all phpMyAdmin URLs unless they are accessed from a management subnet.
FortiWeb Study Guide
334
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
If you need more sophisticated HTTP-layer control of URL access rules, FortiWeb can do that. In the GUI,
they’re called Custom Access Rules. These rules have extensive additional HTTP-layer criteria that you can
use to create very fine-grained access control.
FortiWeb Study Guide
335
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
In this slide, you can see a rule that restricts URL access to one source IP and checks the rate limit and selfreported User-Agent: string. This rule allows access only by that specific client software.
FortiWeb Study Guide
336
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Great! You now have an understanding of Control Access and Authentication basics.
In the next section we will look at the details of Authentication.
FortiWeb Study Guide
337
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Once you’ve determined which clients should be allowed to try to log in, handle the login itself. If your web
application doesn’t offer authentication natively, FortiWeb can add it.
Here’s a tip: FortiWeb can also strengthen your app’s existing authentication. Configure FortiWeb input rules
on password strength for URLs that change passwords, and you can prevent clients from setting weak
passwords that hackers can easily guess or brute force.
FortiWeb Study Guide
338
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
If your web app doesn’t have its own authentication, FortiWeb authentication rules are a simple way to add it.
Usually, deployments have an existing database of user accounts, such as a Microsoft Active Directory tree. If
so, instead of defining all user accounts locally, you can configure FortiWeb to query the authentication server
instead.
Even if your web app does have authentication, you may still want to use FortiWeb: it can delegate the
credentials to the back-end web app, yet still cache authenticated sessions locally so that you can apply
single sign-on. We’ll show that later.
FortiWeb Study Guide
339
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
When you add an authentication or site publishing rule, this is what the HTTP transaction looks like.
Notice that the first reply is actually a 401 error code, with a header that indicates which authentication the
client should submit. This triggers the browser’s HTTP authentication dialog box. When the user submits their
user name and password, the browser resends the initial request, this time with their authentication details in
an HTTP header. Next, FortiWeb forwards the request (with the HTTP authentication header removed) to the
back-end web server. Since the web server is misconfigured, its reply includes an information disclosure:
which OS and Apache version it has. So, before it forwards the reply to the client, FortiWeb’s Information
Disclosure signature removes that header, too.
The Authorization: header may look encrypted, but it’s not. It’s only encoded in base64. So use caution:
only use basic or digest authentication if the passwords are protected by SSL/TLS!
FortiWeb Study Guide
340
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Authentication rules are very simple. If you need more complex features, such as support for single sign-on,
logoff URLs, 2-factor authentication, and Kerberos delegation, use site publishing rules instead.
FortiWeb Study Guide
341
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
When configuring any kind of authentication, what’s the first thing you need to do? Configure user accounts.
With FortiWeb, you can configure them locally. But if you have many users, this isn’t the most practical way to
define accounts.
FortiWeb Study Guide
342
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Instead, you’ll want to configure a query. Whenever someone tries to log in, FortiWeb will contact the query
server, and ask if the credentials are valid.
In this example, FortiWeb is querying a Microsoft Active Directory server using the LDAPS protocol. Directory
tree structures vary by the schema, so if it was IBM Lotus Notes or another application, the CNID,
distinguished names, and query strings would be different.
FortiWeb Study Guide
343
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Once your queries and/or locally-defined user accounts exist, group them into a user group.
FortiWeb Study Guide
344
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Reference the user group when you define an authentication rule. This defines who has access to each URL.
Note that some HTTP authentication styles like NTLM are not supported by all query types.
FortiWeb Study Guide
345
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Next, group your authentication rules in an authentication policy. This creates a set of authentication rules, but
it also specifies whether FortiWeb will log login failures, what the connection timeout is, and also how long it
will keep idle, authenticated HTTP sessions in cache.
Fast cache timeouts help to prevent unattended computers from being a possible attack vector, and reduce
RAM usage on FortiWeb. Using fast cache timeouts can improve both performance and security. Be careful
not to make them too small, however. If there are some web applications where people must fill out long forms
such as contact information or tax data, for example, the protected web app won’t be user-friendly: their
authentication session will timeout between each page submission.
FortiWeb Study Guide
346
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
When configuration is complete, this is the authentication dialog that FortiWeb will trigger in users’ browsers.
Since it’s based only on an HTTP header, there’s no way to control style, such as to put company logos or
custom colors. It uses the default style of the browser windows.
Basic HTTP authentication isn’t enough for some applications. What if you use Kerberos, or have multiple
web applications and want single sign-on (SSO) between them?
FortiWeb Study Guide
347
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Site publishing is the newer, more sophisticated authentication gateway method. For Microsoft TMG
replacements, this is the method of choice.
Notice that it supports client certificates and HTML form-based authentication, not just HTTP authentication. It
also supports delegation, agentless single sign-on (SSO), and 2-factor authentication.
If you’re using a RADIUS authentication query, site publishing also supports RSA SecurID in addition to or
instead of a password.
Both LDAP and RADIUS queries support plain HTTP and Kerberos delegation. Kerberos delegation can be
integrated with PKI client certificates. The certificate delivers a user name and public key, but also is a
selector for the key tab. To use it, just select Client Certificate Authentication and Kerberos Constrained
Delegation, then specify:
• Which previously uploaded key tab file to use to create and validate service tickets
• Where in the certificate FortiWeb should look for the field that contains the user name
FortiWeb Study Guide
348
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
One important advantage of site publishing over simple authentication rules is FortiWeb’s ability for forward
credentials to the web app after it verifies the login. Many modern web applications have their own
authentication dialogs, so if you want to use FortiWeb’s agentless single sign-on (SSO), then FortiWeb needs
the credentials, but so do the protected web apps.
If you’re using Kerberos, these won’t be the same credentials that the user submitted, however, Instead, they
will be tokens encrypted with a private key that you load onto FortiWeb.
FortiWeb Study Guide
349
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
When configuration is complete, the dialog that site publishing triggers in users’ browsers can be either the
HTTP browser pane that we saw previously, an HTML web page with a form, like this, or it will invisibly
authenticate the user by validating their personal certificate.
If FortiWeb presents a dialog, its appearance varies by the type of authentication tokens that users must
enter:
• Normal user name and password,
• User name and RSA SecurID passcode, or
• User name and password, then 2-factor authentication token such as RSA SecurID
FortiWeb Study Guide
350
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
For universities, enterprises, and other large organizations, you may have multiple web apps that you are
protecting, and want to reduce the number of logins that a student or staff must make. However, you may not
have administrative privileges on the web servers, so Fortinet SSO would not be an option. In this case, you
can enable the agentless SSO feature on FortiWeb.
FortiWeb Study Guide
351
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
This is how it works: when the client authenticates with any web site in the SSO domain, FortiWeb caches the
credentials in an authentication session. As long as the user continues to use web apps in that domain,
FortiWeb will silently allow the user to continue accessing them, forwarding (that is, delegating) credentials to
each next web app if necessary.
FortiWeb Study Guide
352
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Good job! You now know how to implement authentication features on FortiWeb
In the next section you will learn about the User Tracking feature.
FortiWeb Study Guide
353
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
The new user tracking feature allows you to track sessions by user and capture a username to reference in
traffic and attack log messages. You can also use this feature to prevent a session fixation attack and set a
period of time during which FortiWeb blocks requests with a session ID from a timed-out session.
FortiWeb Study Guide
354
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Tracked users are identified in both the Attack logs and in the Traffic logs
FortiWeb Study Guide
355
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
FortiWeb only tracks users that have logged in to a resource successfully, and stops tracking the user either
when the user logs off normally, or when the user’s session times out due to inactivity.
FortiWeb Study Guide
356
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Here we see the screen for creating a User Tracking policy.
You will need to define an Authentication URL, a Log Off URL, and define Authentication Result Conditions
FortiWeb Study Guide
357
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Excellent! You are now able to utilize the User Tracking feature on FortiWeb.
Next, we will discuss examples of attacks on authentication.
FortiWeb Study Guide
358
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Now that authentication is implemented, you’ll want to add a few protections for attacks that are specific to it.
FortiWeb Study Guide
359
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
The most obvious protection may be brute force protection. Especially when a client’s smart phone, tablet or
laptop has become infected and is now part of a botnet, web apps may receive many requests from what
appear to be legitimate sources. However, your attack logs may be full of log messages about authentication
failures. This is because the malware (or, in the case of attackers that aren’t cautious, a script on their own
computer) is trying to guess the password.
Once they guess successfully, they will be able to log in as that user. If the user has administrator privileges
on your network, this can be a serious breach for more than just that account.
Brute force detection monitors login URLs for suspicious request rates from each client IP.
FortiWeb Study Guide
360
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Hands up! How many of you will admit to using these passwords?
This is one of many reasons why PKI and 2-factor authentication are an important step if you need stronger
authentication.
It’s also a perfect example of why you should limit each account to the minimum required permissions for that
person’s job, and why you should enable brute force protection.
FortiWeb Study Guide
361
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Remember, if there are multiple clients sharing a single Internet connection behind NAT, then you’ll usually
want to allow multiple requests. Otherwise, if 25 people begin their work day at 9 AM and try to log in at about
the same time, they’ll be locked out!
FortiWeb Study Guide
362
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Padding oracle attacks are another attack type aimed at authentication and session IDs. In this type of attack,
the attacker analyzes the padding in order to find a predictable pattern. Once they find a pattern, they use it to
understand the encryption and undo it.
It’s the same idea as the SSL/TLS attacks named CRIME & Lucky 13. CRIME requires only six requests to
decrypt one cookie byte due to compression. A TLS MAC calculation always includes 13 bytes of header
information. The predictable length is, in part, is what makes Lucky 13 attacks possible.
http://www.isg.rhul.ac.uk/tls/Lucky13.html
FortiWeb Study Guide
363
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
How much faster can an attacker break cryptography with a padding oracle?
This quote from Juliano Rizzo illustrates how serious the problem is.
FortiWeb Study Guide
364
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Padding can be found in any individually encrypted HTTP input: the URL line, including parameters at the end
of it; a cookie header; or (in the case of POST method requests) parameters in the body.
So when you configure FortiWeb, indicate which inputs have padding that you want to protect.
FortiWeb Study Guide
365
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
Congratulations! You have successfully completed this lesson
FortiWeb Study Guide
366
DO NOT REPRINT
© FORTINET
 Authentication and Access Control
In this lesson, you learned multiple ways to control access at the IP and HTTP layers, before a client can even
attempt to log in. This includes access control rules, Geo IP, and FortiGuard IP reputation.
You learned how FortiWeb can add authentication if the application doesn’t already have it. But if the web app
does have its own authentication, FortiWeb can forward credentials to it. FortiWeb also can apply single signon across multiple web applications without any installation of a Fortinet SSO agent.
Finally, you learned how to defeat some specific authentication attacks. They focus on breaking authentication
by brute forcing either the password itself, or the padding in a password input.
FortiWeb Study Guide
367
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
In this lesson, you’ll learn how to apply FortiWeb features to help you meet the requirements of PCI DSS 3.0.
This includes applying industry best practices from the OWASP Top 10.
FortiWeb Study Guide
368
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
In this lesson we will explore the following topics:
• PCDISS Overview
• How Do I know If My Web App is Vulnerable?
• More Top 10 Threats
• Defining Custom Data Types
FortiWeb Study Guide
369
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
In this section you will learn to:
• Define and Discuss PCI DSS
• Describe and Discuss the OWASP Top 10
FortiWeb Study Guide
370
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
The objective of professional attackers is to acquire information that they can sell on the black market. For
online retail companies, this can include addresses, personal ID numbers, and passwords, but most often, it
bank debit and credit card numbers.
This 2014 study from Verizon highlights how common the problem is.
FortiWeb Study Guide
371
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Because retailers and payment service providers often do not directly bear the cost of fraud, many assume
that it will not hurt their business. Sometimes, executives assume that security will cost more than the risk
itself.
This is false.
This article highlights one breach in 2014: Target. Because their point-of-sale systems were not correctly
secured, 40,000,000 debit cards were compromised. Target had a huge 46% drop in 4th quarter 2013 profits.
Customers became nervous of using their cards to pay for purchases at Target – in the USA, currently there is
no legislation that requires vendors like this to pay for identity theft monitoring after a compromise, so for each
individual customer, the risk is huge. Target was forced to immediately spend $100,000,000 to improve
security. Banks that did business with Target were affected, too: they spent $200,000,000 to reissue
compromised cards. And this was for only one breach.
FortiWeb Study Guide
372
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
The payment card network – including banks – absorbs most of the losses due to fraud. As a result, it has a
clear financial interest in security. Security directly affects their profitability. But obviously they pass these
costs on to businesses and ultimately customers. This is the hidden cost of crime.
So now most payment service providers and retailers must demonstrate basic responsibility when transmitting
or storing payment card data. These standards are known as PCI DSS.
FortiWeb Study Guide
373
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
If you’re new to PCI compliance, here is a brief overview. As you can see, it enforces many of security’s best
practices for more than a decade. So, you may already be mostly compliant.
FortiWeb Study Guide
374
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
PCI has released its next security standard, version 3.2. This came into force on April 1, 2016.
What’s important to know?
The core areas of security remain the same. But the standards development will now be three years long, and
there are new sub-requirements to deal with the most current threats – specifically, web application firewalls.
We’ll discuss each of these sub-requirements, and how to meet them.
FortiWeb Study Guide
375
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
FortiWeb helps you meet all PCI requirements, but PCI now specifically recommends a web application
firewall (WAF), and developing remediations against the top 10 vulnerabilities, according to OWASP.
FortiWeb Study Guide
376
9
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
If you’re not familiar with OWASP, it’s a global non-profit. Its goal is to promote secure application coding and
hardening.
OWASP has been growing steadily since 2004, and has been a contributor to projects such as the WebGoat
security education application. Now you can find OWASP presenters everywhere from OWASP’s official
AppSec conferences in California and Rio de la Plata, to German OWASP Day, Financial Services Cyber
Security Summit in Dubai, and Black Hat Asia.
FortiWeb Study Guide
377
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
OWASP’s top 10 is a list of vulnerabilities that are considered by security experts to be the most serious web
security threats. OWASP periodically updates them based upon its available attack data.
Many large organizations, including PCI, recommend that you scan for these vulnerabilities and fix or defend
against them.
FortiWeb Study Guide
378
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
OWASP’s last update to the top 10 is from 2013. It is available in many languages, including Arabic, Chinese,
Spanish, and Ukrainian. Let’s take a look at how FortiWeb can help you to find these vulnerabilities in your
web applications, and defend against them.
FortiWeb Study Guide
379
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Injection and cross-site scripting: these two vulnerabilities remain the most common threat every year. This
could be because they are the easiest to exploit, even for inexperienced attackers. All you need is to insert a
line of code into any input. If the input doesn’t reject it, you might be able to exploit it.
If a web application does not sanitize its inputs to make sure that they don’t contain scripts, queries, or shell
commands, and if the web app passes that input to an unsuspecting database engine, command line, or
browser, it could accidentally run the attack.
FortiWeb Study Guide
380
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
The good news is that FortiWeb can easily prevent injection and cross-site scripting. In signature policies,
simply enable their signature categories, then select that signature policy in the protection profile that you’re
using.
Plain ASCII inputs aren’t the only type that HTTP can transport. If your web application uses Flash or AJAX,
also be sure that, in the protection profile, you enable FortiWeb to scan binary AMF and XML inputs.
FortiWeb Study Guide
381
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Great! You are now familiar with PCIDSS and the OWASP Top 10 list.
In the next section we will look at how you can identify if your web app is vulnerable.
FortiWeb Study Guide
382
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
For performance reasons, FortiWeb shouldn’t scan for attacks that your web apps aren’t vulnerable to. It’s a
waste of resources. Manual penetration tests are slow and costly. How can you speed up some of your PCI
compliance audits? How can you quickly discover the correct FortiWeb settings for your web apps?
FortiWeb Study Guide
383
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
FortiWeb has a vulnerability scan engine that is tailored to web applications. Quarterly vulnerability scans by
an approved vendor are part of the requirements for PCI DSS compliance. FortiWeb’s vulnerability scan gives
you a quick start so that you will be better prepared, with fewer required remediations.
The web vulnerability scanner doesn’t test for every possible vulnerability – some things are better
investigated by creative human penetration testers – but it does scan for these top OWASP vulnerabilities:
• SQL injection
• Cross-site scripting (XSS), which is a type of JavaScript injection
• Operating system command line injection
• Source code disclosure, which tricks the preprocessor into echoing back the PHP, ASP, Ruby, or other
page source code
FortiWeb Study Guide
384
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
To prepare for a vulnerability scan, always begin by copying the web app and its database to a test
environment. DO NOT SCAN LIVE WEB SITES, ESPECIALLY THROUGH THE INTERNET. If your public IP
is a known source of potential attacks, your ISP could ban you, but reputation-based services could also
blacklist you. Additionally, depending on the web app, the scan could inject data into the database, requiring
you to restore from backup, potentially causing some data loss. Also, if your FortiWeb is directly attached to
the test servers, no other network devices will rate limit or interfere with the accuracy of the scan, so the scan
will be faster and more accurate. For all of these reasons and more, you should scan a test copy of the web
app – not the live production network.
To configure a vulnerability scan, define the schedule, then the profile. Optionally, if you want FortiWeb to
email the finished report to you, also configure a connection to an email server. Finally, bind them together in
a scan policy.
FortiWeb Study Guide
385
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Let take a look at how to configure a web vulnerability scan on FortiWeb.
First, determine the schedule. When a web app is updated, or different plugins installed, its vulnerabilities can
change. So while a recurring vulnerability scan may be part of your PCI compliance routine, it’s a best
practice to run the scan manually whenever new software is introduced.
Any recurring scan can also be started on demand, whenever you need it, so it doesn’t prevent you from
manually forcing a scan. But if you want FortiWeb to only scan when you manually initiate it, select the One
Time option in the Type field.
FortiWeb Study Guide
386
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
FortiWeb may be able to scan faster if you decrease the request timeout. For the most complete scan, you
should also select an Enhanced Mode scan, which will try the POST HTTP method, too.
If your web application has a login page, remember to provide FortiWeb with a user name and password. That
way, FortiWeb can test all of the pages in your web app. Otherwise, the report will be incomplete. Depending
on your application, logins could be HTML form-based, HTTP dialog only, or both. Remember, with a formbased login, when you click Log In, your browser could be sending credentials to a different URL than the one
that you’re currently viewing. To find the URL, view the page’s source code. Search for the <form> tag. Its
action attribute shows the URL where your app receives login attempts – the scan’s authentication URL.
<form name="loginform" id="loginform" action="http://10.0.1.21/wp-login.php"
method="post">
FortiWeb will log in. Then, it will crawl the links in the app, trying injection and echo vulnerability probes in
each input that FortiWeb finds on each page.
FortiWeb Study Guide
387
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
If you’re not sure what authentication data to send to the login URL, as usual, the developer tools in your web
browser can help you.
In this example, the Network panel was opened before clicking the Log In in the web app. Since the form used
the POST method, parameters were in the HTTP body, not the headers, so we scrolled down to the Form
Data section at the bottom to copy the input that FortiWeb will use for authentication. As you can see, it has a
few more unexpected inputs – not only the user name and password.
FortiWeb Study Guide
388
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Once you’ve configured the scan, you can immediately run it by clicking Play, or wait for the appropriately
scheduled time. While the scan is running, the page periodically updates its progress. For extended scans,
you can either periodically return to the page to see the scan’s status, or configure the scan to email you the
results.
FortiWeb Study Guide
389
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
To view the report while you’re logged into FortiWeb’s GUI, click its link in the Scan History page.
FortiWeb Study Guide
390
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
The report lists the settings you chose and shows a summary of the number and types of vulnerabilities that
FortiWeb found. If you click a vulnerability type on the left, you can view details about where FortiWeb found
each vulnerability.
This slide shows the scan results from scanning WebGoat. OWASP is one of the organizations that
contributes to maintaining this security education web app. For security training purposes, it is designed to be
insecure. So, as you’d expect, FortiWeb detects many severe vulnerabilities.
FortiWeb Study Guide
391
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
The details contained in a vulnerability report can help you to decide on which signatures you should use to
protect your servers, and prioritize work based on risk levels. Those details include:
• What was tested
• The severity of the potential effects of the vulnerability
If you determine that the vulnerability cannot be exploited, you can mark it as a false positive. Finding and
marking the false positives in scans ensures that you have an accurate list of vulnerabilities that you need to
address.
FortiWeb Study Guide
392
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Excellent! You now know how to perform a Vulnerability scan on FortiWeb.
In the next section we will look at more Top 10 threats.
FortiWeb Study Guide
393
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Now we’ve shown a couple of OWASP top 10 vulnerabilities, and how to detect them. What are the other
vulnerabilities?
FortiWeb Study Guide
394
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
OWASP’s second most serious threat is more complex to protect against.
Because authentication and sessions can be attacked in many ways, you want to make sure that every step is
secure by ensuring the following:
• Sessions are cryptographically hard to predict
• Sessions are bound to the client IP (if possible, to the individual browser)
• Session cookies, if used, are checksummed. This ensures that a client is not trying to masquerade as
another client and hijack a session
• HTTPS protects both user names and passwords (and, if applicable, 2-factor authentication passcodes)
during transit
• Authentication doesn’t allow brute force attempts to guess valid user names and passwords
• Subsequent page accesses use the bound session correctly, and don’t allow nonsense page transitions
• Log messages don’t contain passwords or credit card numbers
FortiWeb Study Guide
395
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
In this example, a normal user begins at the login page and receives a session ID in a cookie. However, if the
app does not require a session for access to all of the other pages, then the page order within the session
can’t be enforced, because the web app has no other way to remember the client’s previous page request and
associate it with a session. This kind of broken session management can be exploited.
FortiWeb Study Guide
396
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
You select most A2 mitigations in the protection profile, but some you enable in the policy.
FortiWeb Study Guide
397
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Remember, if you have logging enabled (especially with the packet payload), credit cards and passwords
could be in the log messages – not just the HTTP traffic. To prevent this, and ensure PCI DSS compliance,
enable masking of sensitive data in the logs.
FortiWeb Study Guide
398
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Insecure references to objects can occur wherever the web app does not validate authorization to those
objects. Just because a client has submitted a user name and password does not mean they should be
universally trusted. Each request must be validated to determine whether that person is authorized to change
others’ passwords, or to view other users’ secret boards.
This concept is similar to A7 and A10, which you will look at later. The difference is that A4 deals specifically
with parameters instead of pages, and application inputs instead of redirect URLs.
FortiWeb Study Guide
399
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
To enforce valid input lengths and types, you should use parameter validation rules. However, other object
references are less obvious: a bookmark cookie that names a specific page, or a hidden preference to
remember your login token. From the web app’s perspective, these are inputs. Any data that affects how a
web server processes other data is, effectively, an input.
A .php file extension, for example, is an input that tells the web server that it should use its PHP preprocessor
to render the HTML page before replying to clients. If you allow a client to upload an arbitrary PHP file, and
then to go to that URL, they can access any data that the PHP module has access to. Cloaking the file
extension and preventing clients from uploading PHP files helps control which PHP objects they can access.
FortiWeb Study Guide
400
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Most web servers have default pages. When you’re configuring the web server for the first time, this helps to
quickly confirm that the software is running. However, these files should never be exposed on live production
servers. This is essentially the message of A5. These files provide information that can be useful to attackers.
If their permissions are incorrect, these files can also be an exploit vector.
FortiWeb Study Guide
401
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
The file phpinfo.php usually has a simple function that displays all PHP settings. Each application could have
its own php.ini and .htaccess file. IIS, Apache, or whatever your web server is may insert an X-Powered-By:
or Server: header that indicates which server and patch versions are installed. Software stack fingerprints
are useful for crafting attacks or even buying prebuilt ones on the black market.
If any configuration files can be read, written, or executed by users on the Internet, then attackers can gain
information on how to exploit unpatched servers, rewrite the configuration, and more.
FortiWeb Study Guide
402
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Creative penetration testing by human specialists should always be a part of your security audits, but
automated testing should be part of your arsenal as well. It’s impractically slow to find common vulnerabilities
using only manual testing. For this, you can use FortiWeb’s built-in web vulnerability scanner. It uses HTTP
(like your users) and attempt to find unpatched modules, source code disclosure, plus vulnerabilities to three
of the OWASP top 10 threats.
A5 vulnerabilities will be listed under the Information and, sometimes, Source Disclosure vulnerabilities
categories. You can also use the Information Disclosure category of signatures to find A5 vulnerabilities.
FortiWeb Study Guide
403
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
A6 covers sensitive data exposure.
This objective is at the heart of PCI DSS compliance. The other OWASP top 10 threats can impact safety of
stored payment card data – yet another reason to remove such a feature from your web application if possible
– but this threat is specifically about the data while it’s in transit, on the wires.
Like FortiGate, FortiWeb has data leak protection to detect credit card leaks on server replies. Ideally, servers
should accept card numbers, but never increase risk by repeating them back to the client. FortiWeb goes
further, though. As an SSL or TLS terminator, FortiWeb can offer only the most secure protocol versions and
cipher suites to your clients. This helps to keep your servers – and clients – more secure. If attacks are
logged, you can easily mask passwords and credit card numbers so that they don’t appear in your
unencrypted logs.
FortiWeb Study Guide
404
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
To enable DLP, edit a signature policy. You can configure FortiWeb to detect a violation based upon a specific
number of payment card numbers in the web page, if required.
FortiWeb Study Guide
405
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Remember: both A6 and PCI DSS require security while payment is in transit. To secure payment card data
while in transit, authentication and encryption are critical. Note that older SSL 2.0 and SSL 3.0 versions have
many known vulnerabilities, and should be avoided, if possible.
If you’re required to be PCI DSS compliant, SSL 2.0, weak key strength, and MD5 hashes are all considered
to be PCI DSS violations. Soon, SSL 3.0, TLS 1.0 and SHA-1 may be violations too. This is becoming
increasingly likely, because their specified renegotiation styles and cipher suites have exploits in the wild now.
FortiWeb Study Guide
406
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
“Security through obscurity”. We’ve all heard this, right? Threat A7 is exactly that.
Simply because there are no public hyperlinks to an administrative web page does not mean that it won’t be
found and exploited. If your web server’s access rules don’t forbid it, an attacker could even access files
outside of your web app’s directory. And even within the web app itself, you can’t assume that clients will
always access web pages in authorized ways. Some of the most famous hacks have been executed simply by
editing the URL that was in the browser’s URL bar, trying to access URLs where the app didn’t check for
authorization. This is called forced browsing.
Remember: even if a user is authenticated, they are not necessarily authorized for every URL. For each
request, the app should verify that the client is authorized for that realm – as FortiWeb does – and in that step
in the session. The app should also check that URL should be accessible from that IP address. Configuration
files shouldn’t be accessible through the Internet. Access should be restricted to a private management
network.
There could be other URLs, used internally by the web application, whose permissions should be set so that
they can’t be accessed directly, from the Internet.
FortiWeb Study Guide
407
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Access control rules, including so-called custom rules, which allow you to combine multiple factors such as
User-Agent: and rate limiting, can be selected in the protection profile. So can the start pages, page order
rules, and signatures. In the signatures, verify that the directory traversal category is enabled.
FortiWeb Study Guide
408
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
In A8, the client is correctly authenticated and correctly authorized, but an attacker either injects malicious
code, crafts a phishing email, or uses social engineering to trick the user into executing an action.
As you might expect, FortiWeb can detect and sanitize some forms of CSRF, like clickjacking. But other
forms of this attack are currently too CPU- and memory-intensive for prevention to be practical in real time.
They often require large numbers of both positive and negative security rules.
For example, let’s say that Jane has received an email that appears to be from her bank. It’s injected with
code so that when Jane visits the real bank web site and tries to transfer funds, they aren’t sent to the
intended recipient. Instead, funds are transferred to the attacker. In order to detect this kind of attack, a WAF
would need to remember all authorized transfer recipients, and block unauthorized ones, for every user, on
every web application. Also, this is only one input, on one web page. The WAF would need to understand
every input, on every page, of every protected web app. So, if possible, your app should try to safeguard
critical state machine transitions like this. Code security auditors can help you to find them, and CSRF
libraries exist to help eliminate this. These will help to safeguard against social engineering or chat vectors.
You can also enable FortiWeb signatures to guard against injections of CSRF code.
FortiWeb Study Guide
409
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
This CSRF example shows how a person’s actions on a bank web site can be hijacked by an attacker. In this
example, the attacker sends a text message with a link. It is a simple page with an <iframe> and a script
that changes the Pay Bill button to send money to the attacker instead!
This is only one variant. The attacker could log keystrokes, activate the web cam, wiretap, or even send
requests without the user pressing any buttons at all. The attacker could deliver their script in many ways, too.
For example, malvertising – fake banner ads that point to a real web site such as a lottery or credit card
application form, but contain attack scripts – is becoming more common.
FortiWeb Study Guide
410
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
It may surprise you to know that unpatched software is not considered by OWASP to be the most serious
threat. It only ranks ninth on the list of its 10 most serious security threats, even though it is one of the most
common. This ranking is partly this is because it’s the easiest to defend against. If FortiWeb is scanning for
known exploits and Trojans, and blocking Heartbleed HTTPS leaks, then this allows you some time to patch
your servers. Automatic updates on many server software components also make this threat easy to fight.
FortiWeb Study Guide
411
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
HTTPS offloading is configured directly in the server policy. The option to block known exploits and Trojan
uploads is configured in two places: the signature set and in the file upload restrictions.
FortiWeb Study Guide
412
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Like A4, A10 deals with inputs that the web application hasn’t validated. In this case, it’s specifically inputs for
redirects. Apps should check both:
• Valid destination (if offsite redirects are allowed)
• Authorization of the person to go to those web pages
FortiWeb Study Guide
413
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
You apply both access control rules and parameter validation rules by selecting them in the protection profile.
When you’re configuring the parameter validation rule, be careful. Can you find the misconfiguration for the
constraints on the redirect_to parameter? Look at its data type. Do you know what matches this data
type?
FortiWeb Study Guide
414
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Great! You now have a greater understanding of the OWASP to 10 threat list.
In the next section we will discuss defining custom data types.
FortiWeb Study Guide
415
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
There may be cases where you want to adjust the predefined data types, or add your own.
FortiWeb Study Guide
416
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Look at the regular expressions that are in the predefined URI data type.
The predefined URI data type matches any valid URI – not just redirects to the same site. So it would still
allow redirects to another site, potentially a malicious one. Also, this data type also could block legitimate,
same-site redirects.
Finally, this regular expression matches URLs as you would type them into a browser – not ones that have
been URL encoded. (URL encoding translates some characters that are not allowed in a URL, such as
spaces, into entity encodings, such as ‘%20’. By default, FortiWeb only decodes 1 layer of URL encoding.)
To block redirects to another potentially malicious site or to match URL encoded inputs that have not been
fully decoded, we would customize the data type and set an advanced setting.
FortiWeb Study Guide
417
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
To do this quickly, copy and modify the second regular expression. (By the way, you can find more regular
expression tips and cookbook examples in the FortiWeb Administration Guide.)
In this example, we’ve started to modify the expression to match only acceptable data type for the redirect
input. By opening the regular expression validator, we can check the expression to avoid mismatches while
we write.
We’re matching and allowing only redirects to example.com, www.example.com, or ftp.example.com. To
indicate alternatives, we put the set in parentheses, and put a vertical bar between each possible alternative.
Redirects must use either HTTP, HTTPS, or FTP. Characters can use their URL-encoded forms:
%3A
:
%2F
/
%3F
?
%3D
=
%26
&
Some of these characters have special meanings in the PCRE regular expression syntax, so we precede
them with a backslash character to escape the regex interpreter, and treat them as literal characters to match.
For example, to match a literal question mark, you would type the expression:
\?
FortiWeb Study Guide
418
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
To prevent attackers from evading detection by encoding the URL twice or more, alternatively, you can enable
the option to undo it in the System > Config > Advanced menu. This is a global setting, so it can impact
performance of scanning every input, in every policy. Use it with caution and test your FortiWeb’s
performance. If necessary, adjust your data type instead.
FortiWeb Study Guide
419
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
Congratulations! You have successfully completed this lesson.
FortiWeb Study Guide
420
DO NOT REPRINT
© FORTINET
 PCI DSS 3.0 Compliance
In this lesson, you learned the risks that PCI tries to mitigate, and its new recommendation specifically for web
application firewalls such as FortiWeb. You also learned about how mitigating the OWASP Top 10 most
serious threats can help to protect financial data. You learned FortiWeb features that protect against those
threats, including:
• Credit card leaks
• Signatures for injection, XSS, and known vulnerability exploits
• Session management, cookie poisoning detection, and secure authentication
• Start page and page order enforcement
• Administrative and configuration file access control
• Parameter sanity checks, including hidden inputs and redirects
Because FortiWeb enforces data types by using regular expressions, you learned how you can customize it to
enforce your app’s specific data types. Finally, you learned how to avoid recording passwords and payment
card numbers in logs.
FortiWeb Study Guide
421
DO NOT REPRINT
© FORTINET
 Caching and Compression
In this lesson, you’ll learn how to cache common responses from the server for improved responsiveness in
your web apps, and how to handle response compression.
FortiWeb Study Guide
422
DO NOT REPRINT
© FORTINET
 Caching and Compression
In this lesson we will explore the following topics:
• Response cache
• Response compression
FortiWeb Study Guide
423
DO NOT REPRINT
© FORTINET
 Caching and Compression
First, let’s take a look at how FortiWeb can cache responses from your protected web servers. Did you know
that FortiWeb can do more than just secure your web apps? It can make them faster, too.
FortiWeb Study Guide
424
DO NOT REPRINT
© FORTINET
 Caching and Compression
Web pages don’t usually change every second, or even every hour. Many web pages – even ones generated
on-the-fly by a Tomcat servlet or PHP preprocessor for your content management system – are effectively
static. Usually an author writes the web page or uploads a file, and then that file never changes again. Yet
every time that a client requests the page, the server usually uses CPU and precious time to regenerate the
HTML. This increases load and round-trip time and reduces performance, but does not benefit the user. When
many clients visit your site, this also means that load on your servers and LAN traffic increases
proportionately. Many clients can quickly overwhelm your server, and adding many more servers is
expensive. In other words, the solution doesn’t scale well.
To solve this, a web app could cache responses that haven’t changed. However, there is a tradeoff: by
sacrificing some RAM to store the response, the server could conserve CPU cycles. If the web app doesn’t
have a cache of its own, sometimes cache plugins are available.
But not all web apps support cache. Plus, if you have a server farm, keeping the same cache on every server
wastes RAM. So it’s usually better to place the cache on a single server in front or on your FortiWeb.
FortiWeb Study Guide
425
DO NOT REPRINT
© FORTINET
 Caching and Compression
Like the web cache on FortiGate, if the content doesn’t appear to be dynamic, FortiWeb can keep a copy of
the response. That way, instead of repeatedly forwarding requests for the same content to the server,
FortiWeb can reply directly and quickly to the client.
This saves transmission and processing time on the back end. And the user is happier with a faster web
application.
FortiWeb Study Guide
426
DO NOT REPRINT
© FORTINET
 Caching and Compression
Cache on FortiWeb uses some of its RAM. So, before you enable cache, make sure that it can benefit your
web apps.
Cache will only improve the speed if you have many static files that are hosted locally. So if most of your files
are, dynamically generated pages based on search results, or personalized pages after a user logs in, or if
most files are hosted in a remote content delivery network (CDN) such as Akamai, then there may be no net
benefit to enabling FortiWeb’s cache.
FortiWeb Study Guide
427
DO NOT REPRINT
© FORTINET
 Caching and Compression
It makes sense that search result pages can’t be cached. But you may not be able to guess some of the other
things that also can’t be cached.
When the server sets a session cookie, even if the page itself is identical to other requests, the Cookie: HTTP
header isn’t, right? A session cookie is a unique session ID – different from all other replies on purpose, to
identify the client. Remember, if any part of the HTTP request – including that header – is unique, then the
page shouldn’t be cached.
FortiWeb also won’t cache if the response has an unknown content length. (This often occurs with streaming
video, such as for live news reports.) Cache has a fixed maximum size, and FortiWeb must be able to tell
where the content starts and ends, so it can’t cache a response if it can’t determine the size. Also, by
definition, live streams have dynamic content, not static.
FortiWeb Study Guide
428
DO NOT REPRINT
© FORTINET
 Caching and Compression
Let’s take a look at how to enable caching on FortiWeb. It’s very easy.
First, if there are any static URLs that you don’t want FortiWeb to cache, configure exceptions.
Can you find the misconfiguration in this example? Remember: there are some things that FortiWeb
automatically doesn’t cache because they are dynamic. So you don’t need to configure those as exceptions.
These include responses with session cookies, because session cookies are supposed to be unique IDs.
Next, configure the cache policy. In the simplest case, you just need to specify the maximum size that you
want to allocate to the cache. FortiWeb automatically tries to cache all static URLs until its cache is full.
Alternatively, if you want more fine-grained control, you can manually specify which URLs to cache. Then, in
your protection profile, select the cache policy. That’s it!
FortiWeb Study Guide
429
DO NOT REPRINT
© FORTINET
 Caching and Compression
Good job! You now know the purpose behind caching and how to implement it on FortiWeb.
In the next section we will discuss response compression.
FortiWeb Study Guide
430
DO NOT REPRINT
© FORTINET
 Caching and Compression
FortiWeb can also compress responses. This is another performance feature – something FortiWeb can do to
improve your user experience.
Compression can save you money, too. Mobile phone and 4G tablet data plans often have a bandwidth cap,
with penalty fees if you download too much. So, if your web applications are used frequently – like webmail at
a large company – the savings can be significant.
FortiWeb Study Guide
431
DO NOT REPRINT
© FORTINET
 Caching and Compression
Compression essentially makes a .zip file of each request before replying to the client. Clients automatically
decompress the received file.
Compression is another feature that web servers sometimes offer, but you may be able to improve
performance by having FortiWeb do it instead. This allows your servers use CPU more efficiently, and focus
on things such as page preprocessors and queries to the database. It also reduces the total bandwidth you
need to deliver each response to the client. This reduces bandwidth usage for Android and iPhone users, but
it also uses your WAN or Internet link more efficiently.
There are a few cases where you won’t want to use compression. If a file is too big to fit in FortiWeb’s
compression buffer, then FortiWeb won’t be able to compress it. Some file types don’t compress well, either.
For example, RPC clients are essentially using HTTP as a transport for binary. Binary is already somewhat
efficient without compression. So, compression rarely improves the file size of a binary enough to be worth the
CPU time.
FortiWeb Study Guide
432
DO NOT REPRINT
© FORTINET
 Caching and Compression
Let’s take a look at response compression in action.
Notice that the client’s request indicates that it supports GZIP compression. FortiWeb will remember this.
Since the client is using the GET method, the request is short and, therefore, uncompressed. But the server
replies with a web page, image file, movie, or whatever file was requested, and it’s often at least several
kilobytes. That’s why it’s important to compress the response.
Is that always true?
No. GET is the opposite of other HTTP methods. With POST or PUT, the client may be sending a large file –
not the server. Uncompressed requests have already been transmitted along most of the network path by the
time they reach FortiWeb, so, at that point, compression can’t provide much benefit. And the server’s reply is
a short acknowledgement, so compressing that won’t improve performance. But, FortiWeb will try response
compression regardless of the HTTP method.
FortiWeb Study Guide
433
DO NOT REPRINT
© FORTINET
 Caching and Compression
The best compression ratios are achieved when there is repetition in the data, such as HTML tags, JavaScript
functions, or CSS attributes that appear many times in the same file. As a result, plain text notes may not
compress well.
Some file types have native compression. ZIP archives are compressed, but so are MP4 movies, MP3 music,
and JPG photos. You might be surprised, but modern Microsoft Office files are compressed, too. In fact, if you
temporarily change their file extension from .docx to .zip, you can open the archive and see the XML files
inside.
Because it wouldn’t be logical to compress file types that are already compressed, FortiWeb won’t offer to
compress them.
FortiWeb Study Guide
434
DO NOT REPRINT
© FORTINET
 Caching and Compression
When does compression help? When you have long files, with repetitive bytes: GZIP’s Huffman coding is
good at representing these efficiently. With a Fortinet .conf file, the GZIP could be 13% of the original – a good
compression ratio.
But, these examples use natural, human languages. Written Chinese is already very compact, with almost no
repetition. So compression only reduces the file size of this UTF-8 plain text file by 1.5%. Compression is not
worth the CPU time.
An English translation of the same poem is less compact, but compression still doesn’t offer much advantage.
It reduces the file size by only 31%. Length improves the probability of repetition, though. Look at the second,
longer poem. It has a complex vocabulary, but it’s about three times as long. Its file size is reduced by 47%.
We’re finally reaching a 2:1 compression ratio. This still isn’t great, but now compression might improve
performance.
What about file formats that aren’t plain TXT files?
PDF file format is worse: it is a binary format with its own native compression; GZIP compression only
reduces the file size by 10%. But HTML gives us a better than 2:1 ratio.
FortiWeb Study Guide
435
DO NOT REPRINT
© FORTINET
 Caching and Compression
Here’s a real web page. For the HTML page alone, compression makes the transmitted file four times smaller
– a very big speed improvement. When compressing HTML, it’s typical to see a 75% to 80% file size
reduction.
FortiWeb Study Guide
436
DO NOT REPRINT
© FORTINET
 Caching and Compression
Let’s take a look at how to configure compression. Like cache, it’s simple.
First, configure any URLs that you want to exclude. Next, configure the compression policy. This specifies
which Internet file types you want FortiWeb to compress before forwarding the response to the client. (Internet
file types are the HTTP equivalent of email’s MIME types.) In most cases, you should configure FortiWeb to
compress all file types except text/plain.
When done, select the compression policy in the protection profile. That’s it!
FortiWeb Study Guide
437
DO NOT REPRINT
© FORTINET
 Caching and Compression
If you decide not to offload compression, then you must configure your FortiWeb to handle it when
compressed responses arrive from the web servers.
Compression is, effectively, low-grade encryption. It changes the traffic so that it won’t match signatures or
rewrite conditions. FortiWeb must undo the compression so that your signature policies and rewrite conditions
work.
FortiWeb Study Guide
438
DO NOT REPRINT
© FORTINET
 Caching and Compression
Depending on how much load your FortiWeb has, it may be better for your servers to do compress files
instead.
In that case, FortiWeb receives a precompressed file. Some patterns – such as information leak signatures
and HTML body rewrites – won’t match unless you undo the compression.
Think of uncompress rules as compression inspection – like SSL inspection. It prevents compression from
causing an accidental security bypass. For specific URLs and Content-Type:, you’ll configure FortiWeb to
temporarily undo the compression so that it can scan.
However, you don’t want to forward an uncompressed file. So, FortiWeb’s uncompression is only temporary.
After a rewrite or a scan where the erase action is required, FortiWeb automatically applies the compression
again. Alternatively, if no patterns match and no change is required, then FortiWeb doesn’t need to
recompress; it can just reuse the compressed original. Either way, FortiWeb forwards a compressed
response.
FortiWeb Study Guide
439
DO NOT REPRINT
© FORTINET
 Caching and Compression
Like a compression policies, uncompression policies are also based on file type. If you want to exclude any
responses from uncompression, you can do that, too.
FortiWeb Study Guide
440
DO NOT REPRINT
© FORTINET
 Caching and Compression
Congratulations! You have successfully completed this lesson.
FortiWeb Study Guide
441
DO NOT REPRINT
© FORTINET
 Caching and Compression
In this lesson, you learned two methods that you can use to improve the speed at which you deliver your web
apps to clients: cache and compression. You also learned how FortiWeb can buffer and uncompress a copy
of a precompressed packet in order to scan it, or modify it, or both, before forwarding it.
FortiWeb Study Guide
442
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
In this lesson, we’ll show you how to control application delivery – that is, the flow of HTTP traffic through
FortiWeb based on the HTTP layer, instead of lower-layer IP-based routing. (This is also called “HTTP
content routing”.)
We’ll also explain how to redirect or rewrite pieces of the request or response for better usability and security.
FortiWeb Study Guide
443
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
In this lesson we will explore the following topics:
• Redirects
• What is a capture group and what is a back reference?
• Rewrites
• HTTP Content Routing
FortiWeb Study Guide
444
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Let’s begin with redirects. This is usually the simplest thing you can do with FortiWeb’s rewriting rules.
Redirects also help you learn how to match traffic for rewriting, which we will talk about later.
FortiWeb Study Guide
445
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
When are redirects useful? Mostly to establish HTTP traffic flow.
When a page moves, or the makes a typo, you can tell the client to go to the new URL. This avoids 404
errors. It’s the most common use for redirects. On a larger scale, you can redirect people if the web app has
moved to a new domain name (for example, from webmail.example.com/mail to mail.example.com). You can
also translate the host name if each back-end web server has its own unique host name on the private
network.
These uses are simply infrastructure: they are required for the web app to work. But redirects can also be a
security feature: you can send users to your site’s secure HTTPS channel. Since redirecting clients won’t
change the URLs of hyperlinks in the web pages on the server, you’ll often combine a redirect with a rewrite,
which we’ll talk about later.
FortiWeb Study Guide
446
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
How do redirects work?
FortiWeb replies to a client’s request with a 301 or 302 code and a Location: header. This tells the browser
to look for that resource in another location. The location can include a full path such as
http://www.example.com/feed, or a relative URL such as /feed.
Next, the client requests again, this time with the updated URL.
Note: Because FortiWeb is inline, it’s in the right place to intercept the request and reply with the redirect.
FortiWeb can also modify traffic. In this example, the back-end web server’s response includes a Server:
Apache header. But we don’t want to tell potential attackers which web server we’re using. To cloak the
server type, we also configure a signature set and enable Alert & Erase for information disclosure. So the
replies that the client receives – both the first time and the second time – have been modified by FortiWeb.
Keep this in mind. We’ll use the same concept later for rewriting traffic.
FortiWeb Study Guide
447
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Here’s another example of a redirect. We’ll start from the beginning: when the client discovers which subnet
contains the virtual server, and what its MAC address is.
As you can see, the client asks for the IP of FortiWeb’s virtual server – not the back-end servers, which are
hidden to the client. Next, the client completes the TCP handshake with the reverse proxy FortiWeb, and
requests a page through HTTP.
At about the same time, FortiWeb establishes a second TCP connection to one of the protected web servers
behind it. Meanwhile, it replies to the client that the site should be accessed through HTTPS, not HTTP.
FortiWeb can do this because the Location: header can contain an entire path, including the protocol
prefix.
So the client attempts again. This time, it sets up a TLS 1.2 session with FortiWeb before making the page
request. When the server replies, FortiWeb forwards it through the secure TLS session to the client.
FortiWeb Study Guide
448
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
To configure the HTTP-to-HTTPS redirect that we just traced, in the Application Delivery menu, make a
URL rewriting rule. (Don’t be confused by the name – it can do more than just rewrite the URL line.)
Define the match criteria first. Since redirects act on incoming requests, indicate the traffic’s direction in the
Action Type field. Since you don’t want to redirect every request to the same place, you’ll also specify these
match conditions: the host and URL line in the HTTP header.
Once you’ve specified the match, the FortiWeb will return a 301 or 302 code, which causes clients to modify
the URL and try the request again. Where will the new, modified URL be? That’s what we define in the
Location field. To avoid making one rewriting rule for each URL – which could be 10,000 – we use capture
group variables to define the location.
FortiWeb Study Guide
449
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Great! You now know how to configure redirection on FortiWeb.
In the next section we will look at capture groups and back references.
FortiWeb Study Guide
450
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
What is a capture group? And, relatedly, how can we refer back to text that was stored by a capture group?
For URL rewriting rules, FortiWeb uses regular expressions. You may have noticed by now that FortiWeb
uses regex for many features. Because HTTP and its usual payload HTML are text based, and because regex
is designed for text-based patterns, it’s the perfect match.
FortiWeb Study Guide
451
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
In case you’ve never used regular expressions before, or haven’t used them with output, let’s take a look at
capture groups.
A capture group is a regular expression inside a pair of parentheses. When the text that you’re evaluating
matches the pattern inside the parentheses, the regex engine stores, or captures, the match temporarily by
putting it in RAM. It stores each piece of text in the same order which the engine evaluates the match:
1. Left-to-right
2. Outside-to-inside
FortiWeb Study Guide
452
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
In programming, the purpose of variables is to reuse the piece of data that you’ve stored. The same is true
here. When building the output, FortiWeb can use the data from your capture group variables.
Technically, this isn’t the only way you can refer back to data from capture groups. If you want to reuse parts
of the previous evaluations in the subroutine (which is the case with our HTTP-to-HTTPS rewrite), then you
would use $0 and so on. But to reuse parts of the current evaluation, use /0 and so on. That can be useful for
URLs with repeating text.
You can find many more useful examples of regular expressions in the FortiWeb Administration Guide and in
PCRE reference books.
FortiWeb Study Guide
453
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Now that we know what a capture group is, let’s look again at the match conditions for our HTTP-to-HTTPS
redirect.
First – and only if it’s an HTTP request, not HTTPS – you evaluate the Host: field in the HTTP header. In this
case, we match all of any text in that field, so any domain name will match. The regular expression to do this
is:
.*
It’s also sometimes called a greedy match because it makes the biggest match that it can. Since the host
name is relatively short, that’s OK. But if we were matching HTML in the body, (.*) could be a performance
problem. Why? Because if the HTML page is large, we don’t want to store the entire page in a capture group
in RAM every time the page is requested! “.*” can be tempting to use everywhere because it’s easy to
remember. But this is a perfect example of why you should think carefully. Match accurately. Usually, you
should use the fewest number of character comparisons that you can, not the most.
Because we’ve wrapped the greedy match in parentheses, and because this is the first match condition in the
table, this causes FortiWeb to store the packet’s whole host name in capture group 0.
FortiWeb Study Guide
454
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Next, we test to see if the URL line in the HTTP header matches. The URL line always begins with a forward
slash, and we want to capture the text after that, so the regular expression begins with:
^/
Then the capture group matches all text from that point until the end of the line, indicated by the dollar sign
($). It’s stored in capture group 1.
Now FortiWeb is ready to construct the entire Location: header for the universal redirect to HTTPS.
FortiWeb Study Guide
455
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
If you only want to redirect for www.example.com, then you could enter:
www\.example\.com
Alternatively, you could match the IPv4 address. The documentation has examples of regular expressions that
you can use for both.
A web site’s domain name usually exists in more than just the HTTP header, though. What about links in the
web pages?
If we were redirecting possibly all links for every page, it could make the web app slower. Clients would have
to request every page twice. Plus, every HTTP request is an opportunity for a man-in-the-middle to make an
HTTPS stripping attack, avoiding the HTTPS redirect. How can we improve that?
FortiWeb Study Guide
456
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Good job! You now know the about Capture Groups, Back References, and how to use them on FortiWeb
In the next section we will look at Rewrites.
FortiWeb Study Guide
457
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
The answer is rewrites. When FortiWeb is inline, it can do more than intercept. It can modify the traffic, too. If
FortiWeb rewrites absolute links to use the HTTPS address, then the client will only be redirected the first
time, when they begin a browsing session.
Rewrites exist on Apache, IIS, and other web servers, so rewrites may be familiar to you. But if the regular
expressions are complex, they can require significant processing time. So, if your server is spending most of
its processing time on rewrites, instead of querying the database and building the web page, you may be able
to improve performance by offloading the rewrites to FortiWeb.
FortiWeb Study Guide
458
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
There are many more reasons why you might want to rewrite traffic. We can’t fit them all here. Rewriting is
sometimes required for the web app to work. For example, your Internet DNS records might refer to public
host names that don’t match the web servers’ host names on your private network, such as www1, www2,
and so on. But rewriting can improve security, too.
In this example, we need the absolute links in the web pages to be changed from HTTP to HTTPS.
For example, FortiWeb can return 403 error codes to URLs that should not be publicly available, instead of
forwarding the web page from the server. It can also cloak server information disclosure in headers and the
body. If your web servers have already been compromised, FortiWeb can sanitize responses to safeguard
your users while your incident response team makes an ex post facto intrusion analysis. But even better,
FortiWeb can patch your applications on-the-fly, replacing vulnerable functions with safe ones.
FortiWeb Study Guide
459
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
If you need to rewrite HTML tags or UTF-8 encoded domain names, there are specific regular expression
examples that you can copy or modify from the FortiWeb Administration Guide.
FortiWeb Study Guide
460
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
When you configure a rewrite, you first indicate the direction of the traffic:
• Is it an incoming request?
• Is it an outgoing reply?
That’s because requests and replies have different HTTP headers and content, so the options will be different,
too.
When evaluating traffic for a match with your rewrite policy, FortiWeb doesn’t necessarily test for incoming or
outgoing, relative to the packet’s source IP and your defined server pools. Unlike FortiMail, FortiWeb doesn’t
need to. That’s because the headers and content of requests and replies are different.
So, regardless of direction, FortiWeb’s HTTP parser dissects the traffic. It splits it into its header fields and
body. It stores each part in a buffer. Then, depending on your rules, FortiWeb’s rewrite engine looks for the
corresponding buffer, and evaluates it for a match. If the traffic meets all match conditions, then FortiWeb
rewrites the specified parts of the HTTP layer.
FortiWeb Study Guide
461
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Look at the example in this slide. Look at the match conditions. Can you guess which URLs will match? What
are the capture groups? Now, what is the output?
We want to hide the .php file extension and WordPress-specific login URL from clients. This helps to prevent
attackers from fingerprinting our server’s software stack, but it also means that if we change our app later to
movable type or Drupal, the following will be true:
• People won’t need to fix their browser’s bookmarks
• We won’t have to configure any redirects to avoid 404 errors
To make this work, we need two rules:
• One to translate the incoming request’s URL to its real, server-side URL (which is shown here)
• One to translate hyperlinks in the reply to platform-agnostic URLs
FortiWeb Study Guide
462
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
On the left side, we see the second rule. It scans the reply body – which could be HTML or JavaScript – and
removes all instances of .php before FortiWeb forwards it to the client.
To apply our rules, we group them in a URL rewriting policy, then select them in the protection profile.
FortiWeb Study Guide
463
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Great! You now know how to configure rewrites on FortiWeb.
In the next section we will look at HTTP Content routing.
FortiWeb Study Guide
464
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Rewriting client requests has an interesting effect: it can change how you configure routing, or vice versa.
Why? Because FortiWeb has static and policy-based routes, like usual. They match traffic based upon the IP
layer’s source and destination. But FortiWeb can also route based upon the HTTP layer.
Let’s take a look.
FortiWeb Study Guide
465
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Like other load balancing methods, HTTP content routing can avoid servers that are down for maintenance. It
can also distribute TCP connections among servers in the pool. But unlike the other load balancing methods,
with HTTP content routing, you may have multiple server pools. Each one has a logical function.
For example, some servers might host only SharePoint, and others might host only Outlook Web App, while a
third server pool hosts both your e-commerce storefront and CRM portal. Depending on which web app the
client asks for, FortiWeb would route the request to the appropriate server pool.
HTTP content routing can match based n criteria that are also rewritable: Host:, URL, and Referer:. So if
you apply both, verify your match conditions. Do your match criteria look for the initial URL, or the rewritten
one, for example? If the interactions are complex, it can help to look at the Sequence of scans section of the
FortiWeb Administration Guide.
FortiWeb Study Guide
466
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
This shows an example of HTTP content routing based upon the Cookie: header.
When a user goes to the web site, at first, they don’t have any session ID. We’ve configured a rule on
FortiWeb that directs the first page request to a login server, which assigns a session ID.
By doing this, we can use the login server as a logical controller: the login server inserts a session ID with a
number in a range that always belongs to Web Server 2, or Web Server 3, and so on. On FortiWeb, we would
configure an HTTP content routing rule that routes requests with each range of session IDs to their assigned
servers. FortiWeb would forward the next request and all subsequent ones to the same back-end server. This
provides HTTP session persistence. And it can do so for a logical group – a server pool – not just to a single
server.
Because each server can host different web apps, FortiWeb allows you to select a separate protection profile
for each one. So, in the case of HTTP content routing, a policy may use multiple protection profiles.
FortiWeb Study Guide
467
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Let’s take a look at how to configure content routing. Begin by configuring your server pools. Each server pool
will be the target of traffic that matches the HTTP content route. Next, configure the content routes
themselves.
FortiWeb Study Guide
468
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
To apply your routes, in your server policy, select HTTP Content Routing from the in the Deployment Mode
drop-down menu. Then add each route to the table that appears. Just like you can configure a default
gateway at the IP layer, you can also configure a default route at the HTTP layer.
FortiWeb Study Guide
469
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
If a multiplexing device is in front of FortiWeb, and if it is intelligent enough to pipeline requests from the same
client, for the same web app, together in the same TCP connection, then you can enable the Match Once
setting.
This improves performance: for routing, FortiWeb will only evaluate the first request in the connection. It won’t
repeatedly evaluate content routes for the related requests. However, don’t enable the setting otherwise. If the
connection multiplexes unrelated requests from multiple clients, many requests could be routed to the wrong
server pool.
FortiWeb Study Guide
470
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
Congratulations! You have successfully completed this section
FortiWeb Study Guide
471
DO NOT REPRINT
© FORTINET
 HTTP Rewriting and Redirects
In this lesson, you learned about how you can redirect users to a secure site, and rewrite URLs in the headers
and in links in web pages. You also learned how rewriting can be both a convenience to users and a security
feature. To show how you can use parts of a match when constructing the new host name, URL or header,
this lesson explained how to use capture groups.
Finally, you also learned a different way that FortiWeb can use those same match criteria: FortiWeb can act
as an OSI Layer 7 switch to forward requests for specific web applications to specific servers.
FortiWeb Study Guide
472
DO NOT REPRINT
© FORTINET
 Troubleshooting
In this lesson, you’ll learn how to avoid common misconfigurations, diagnose false positives, solve
connectivity and storage issues, and optimize your FortiWeb’s performance.
FortiWeb Study Guide
473
DO NOT REPRINT
© FORTINET
 Troubleshooting
In this lesson we will explore the following topics:
• False positives
• SSL/TLS issues
• Performance
• Traffic flow and site statistics
• HA and FortiGuard
FortiWeb Study Guide
474
DO NOT REPRINT
© FORTINET
 Troubleshooting
Especially if you are installing a new, custom web app with FortiWeb, initially you may need to fine-tune rules
and signatures to avoid some false positives. False positives are requests that look similar to an attack, but
are actually normal traffic.
FortiWeb Study Guide
475
DO NOT REPRINT
© FORTINET
 Troubleshooting
When deploying FortiWeb for the first time, or when beginning to protect new web applications, the most
common diagnostic task can be to find an individual signature or rule that is accidentally blocking normal
traffic.
Because FortiWeb can block based upon multiple factors – the source IP address, the request rate, the data
type of inputs, the size of a file upload, and so on – you may need to adjust more than one setting. For a list of
scans and processing the FortiWeb applies to traffic, see the sequence of scans in the FortiWeb
Administration Guide or online help. In this list, you’ll notice one effect you may not expect: whitelisting does
not bypass all scans, just most.
Before the whitelist check, two scans occur. So, if a client begins a TCP flood, or is already being period
blocked, the white list will not immediately restore connectivity.
FortiWeb Study Guide
476
DO NOT REPRINT
© FORTINET
 Troubleshooting
Essentially, there are three steps to correcting most false positives.
Web app upgrades and patches can change your security requirements, causing false positives. URL
structure in Microsoft Outlook Web Application, for example, has changed significantly between 2003 and
later versions. WordPress vulnerabilities often vary by the installed plugins, too. So, if you have many falsepositives to fix, especially for HTTP constraints or input rules, auto learning can be a useful tool to help you
update your FortiWeb settings.
Remember: full enabled auto learning on all policies and ports can add significant latency. So if possible, use
some of the documented strategies for eliminating or reducing auto learning-related processing load while
protecting live traffic.
FortiWeb Study Guide
477
DO NOT REPRINT
© FORTINET
 Troubleshooting
If there are only a couple of false positives, then you can fix them easily.
1. Enable local storage of attack logs. Enable packet payloads – part of the packet that matched the rule or
signature.
2. In the attack log, find an entry for an attack that is actually normal traffic.
3. Click the row. The log message details should appear in a panel on the right side. If you scroll down to the
Packet Header section, the part of the request or reply that matched the signature is highlighted.
4. If you want to customize the signature or rule so that it will still block attacks, but not match your innocent
traffic, then do so. Otherwise, scroll up to the message portion of the attack log’s panel. Click the link to
either add an exception, or disable the signature entirely.
If you change your mind later, you can use the advanced mode when editing a signature policy to find
disabled signatures, and reenable them.
FortiWeb Study Guide
478
DO NOT REPRINT
© FORTINET
 Troubleshooting
If you’re adjusting behavior to create a custom signature, it can be helpful to know the ID and behavior of the
signature that triggered a false positive.
The ID indicates the category of attack that it was intended to block. The Found In and Match Sample fields
show what part of the request was being analyzed. When you create your custom signature, you should do
three things:
• Defend against that same attack, if possible
• Scan the same part of the request or reply
• Match the same dangerous traffic, but avoid matching normal traffic that was recorded in the packet
payload
FortiWeb Study Guide
479
DO NOT REPRINT
© FORTINET
 Troubleshooting
If FortiWeb is applying a period block, usually their entry on the temporary blacklist will expire before they
contact you. However, if they try the same thing again, they will immediately be blacklisted again. Even if you
white list their IP, this will not cancel the period block. You need to remove their entry in Blocked IPs.
Otherwise, you will have to wait for the entry to expire before you can test the new white list entry.
FortiWeb Study Guide
480
DO NOT REPRINT
© FORTINET
 Troubleshooting
A white list entry should not be a permanent solution. If a user’s laptop gets infected with a virus, or if their
phone is stolen, then that client is no longer in that person’s control. You don’t want FortiWeb’s security to be
nullified.
If you’re not sure how to write a custom signature, you could change the rule or signature’s action to Alert
Only instead. That way, the client will be able to use the application, but you will still be notified of potential
attacks. You can also continue to gather data about what normal traffic is accidentally matching the signature,
until you understand how to correct the rule or signature.
White lists are best for individual browsers, not for search engine crawlers.
FortiWeb Study Guide
481
DO NOT REPRINT
© FORTINET
 Troubleshooting
If the client isn’t a person – it’s a bot – then you should use different tactics. If all your sites should be easily
found on Google or Bing, for example, then you should whitelist them by their public IP on the Internet, in
FortiWeb’s list of known search engines.
Currently this is a global setting, not specific to each policy. So if you need that feature, or if you need to add
another search engine such as Duck Duck Go!, please contact us for a feature enhancement request.
FortiWeb Study Guide
482
DO NOT REPRINT
© FORTINET
 Troubleshooting
Search engine crawlers aren’t the only type of bots that may be trying to access your web apps. Blog
comment spam bots and content scrapers – scripts that steal web pages, images, and videos from other sites
– might also being trying to access. Often they’re used to populate sites so that their owners can get
advertising revenue without paying authors.
Sometimes, power users use command-line tools such as curl and wget to download web pages for offline
viewing, and – unless you block them – they will, by default, report their User-Agent: string.
Some bots, such as ContentSmartz, are designed specifically for malicious use. Because User-Agent: strings
are not authenticated or encrypted, it’s easy to fraudulently claim to be something more innocent such as
wget. This is why FortiWeb’s feature for known search engines doesn’t rely on that HTTP header.
If you think that a content scraper is abusing your sites, review the Bot Analysis page. You may want to
enable Real Browser Enforcement to protect your pages from theft.
FortiWeb Study Guide
483
DO NOT REPRINT
© FORTINET
 Troubleshooting
Good job! You now know how to identify and resolve false positive situations on FortiWeb.
In the next section we will look at SSL/TLS related issues.
FortiWeb Study Guide
484
DO NOT REPRINT
© FORTINET
 Troubleshooting
If your FortiWeb is scanning HTTPS, you can troubleshoot encryption–related issues.
FortiWeb Study Guide
485
DO NOT REPRINT
© FORTINET
 Troubleshooting
If HTTP works, but HTTPS is sometimes failing, it might not be a false positive. It might be a real attack.
Some versions of SSL and TLS have their own DoS vulnerabilities. Insecure session renegotiation is one. If
the following conditions are true, this is a good indicator these are real attacks, not normal traffic:
• Your DoS sensors are detecting other attacks from the same clients
• They are failing the Real Browser Enforcement test
• You are white listing search engine crawlers
If possible, you should disable insecure renegotiation to make SSL-related DoS attacks impossible.
So what are some examples of genuine misconfiguration issues?
FortiWeb Study Guide
486
DO NOT REPRINT
© FORTINET
 Troubleshooting
There are some misconfiguration issues that are possible with HTTPS. Here is an example of two common
ones.
FortiWeb Study Guide
487
DO NOT REPRINT
© FORTINET
 Troubleshooting
If the client and SSL terminator (this is FortiWeb or your web servers, depending on your operation mode)
don’t speak the same SSL or TLS protocol, then their proposals won’t match. This causes an unknown
protocol message in the attack logs.
In some cases, this may be normal, expected behavior. For example, if you’re required to be PCI DSS
compliant, you could see this error when some very old clients try to use your web app.
If the protocol is known, but the client and SSL terminator don’t support any of the same cipher suites, then
they won’t be able to negotiate a secure channel. This error is more rare, since there are currently more than
160 combinations. But is possible, especially if your web application or clients only supports a few specific,
rarely-used cipher suites, such as SEED, or very weak or very strong key strengths. You may want to use
Geo IP or another feature to block clients that are probing your network to see if weak ciphers are supported.
FortiWeb Study Guide
488
DO NOT REPRINT
© FORTINET
 Troubleshooting
This case is more rare, but you could also see some messages that indicate FortiWeb can’t inspect the
HTTPS traffic. This is caused by a combination of factors: a specific type of cipher suite and FortiWeb
operating in transparent inspection mode.
The perfect forward secrecy (PFS) mechanism is similar to how IPsec Phase I keys are temporary and used
to negotiate the real, more secure Phase II keys. The idea is that by periodically changing the keys inside a
secure tunnel, even if one key is decrypted, only part of the conversation has been compromised – not the
entire thing.
Obviously, in order to scan traffic, FortiWeb always must have the right keys to be able to decrypt the packet.
Otherwise, it can only scan lower-layer headers. So, if (due to the nature of transparent inspection) FortiWeb
is out-of-sync with the current keys, then packet inspection will fail. It’s normal for PFS with that operation
mode.
To fix this, on your web servers, you must disable those types of cipher suites. Here’s an example of how to
do this in an Apache 2 configuration file.
FortiWeb Study Guide
489
DO NOT REPRINT
© FORTINET
 Troubleshooting
Great! You are now able to resolve SSL/TLS related issues.
In the next section we will look at performance related topics.
FortiWeb Study Guide
490
DO NOT REPRINT
© FORTINET
 Troubleshooting
Once scans are functioning correctly, verify performance. Security should not be your bottleneck.
FortiWeb Study Guide
491
DO NOT REPRINT
© FORTINET
 Troubleshooting
Is performance normal? How do you know?
Begin by observing your system resources and bandwidth usage while FortiWeb is idle and during low traffic
periods, such as night time and weekends. Then, observe system resource usage on weekdays and holidays,
including expected traffic spikes such as marketing campaigns or quarterly financial reports to stockholders.
What is the normal range? What is the expected rate of growth?
FortiWeb Study Guide
492
DO NOT REPRINT
© FORTINET
 Troubleshooting
If you have an SNMP manager such as FortiManager or Cactus, SNMP traps and queries are a good way to
track traffic and system resource changes over time. You can use the collected data to help you plan for
network upgrades as your organization grows.
If SNMP shows sustained high resource usage, there are related traps to help you find the cause.
For example, if it correlates with the attack detected by signatures trap, then you may need to optimize a
custom signature’s regular expression. If possible, reduce the number of characters consumed or forwardlooking required in order to determine a match.
FortiWeb Study Guide
493
DO NOT REPRINT
© FORTINET
 Troubleshooting
High RAM or CPU usage can also be tracked in the logs. If you have a FortiWeb model with less RAM, you
may need to adjust your system alert thresholds. That way, that you don’t receive alert email or many log
messages and traps during normal load. You can specify the thresholds in Log & Report > Log Config >
Other Settings.
FortiWeb Study Guide
494
DO NOT REPRINT
© FORTINET
 Troubleshooting
You wouldn’t transmit your security logs over the Internet without encryption, right? The same principle
applies to alert email.
Since your mail servers may not be located in the same data center as FortiWeb, FortiWeb now supports
secure mail protocols to protect the messages while they are in transit.
To preserve performance while you are under a DoS attack, FortiWeb only records one log and sends one
alert email for multiple instances. This also prevents your inbox from being flooded. While the attack
continues, FortiWeb will continue to periodically record the event. The interval varies slightly, depending on
the type of attack.
FortiWeb Study Guide
495
DO NOT REPRINT
© FORTINET
 Troubleshooting
Like on FortiGate and other Fortinet products, if a process is consuming an abnormal amount of RAM, you
can immediately terminate the process. It may be respawned, so this is not a permanent solution, but it can
provide temporary relief while you enable debug logging.
In the example shown in this slide, a specific policy is consuming an abnormally high amount of RAM. If you
kill the process, and notice that it initially starts with much lower RAM usage, it could indicate a memory leak.
This would require a firmware upgrade to fix. In other cases, high RAM usage can be caused by
misconfiguration.
Debug logs can help you and Fortinet Technical Support locate the true cause.
FortiWeb Study Guide
496
DO NOT REPRINT
© FORTINET
 Troubleshooting
Just like your web applications, your FortiWeb has its own memory buffers. It uses them to temporarily store
information until it is done processing. Many of these buffers are configurable, so if you aren’t careful, your
configuration can decrease performance.
Avoid increasing your response cache and antivirus buffer, unless necessary. To harden your security,
configure FortiWeb with HTTP constraints that block any part that is too large to fit its HTTP or HTML parser
buffers.
Also be aware that the period block action does not always improve performance. Like any cache, it is a
shortcut to avoid repetitive CPU processing that has the same results. So if a client tries an attack only once,
then its entry in cache is still consuming RAM, but not providing any benefit. Using period block only improves
performance when the same client attacks your web apps many times.
FortiWeb Study Guide
497
DO NOT REPRINT
© FORTINET
 Troubleshooting
You can test for persistent, disk-stored cache by rebooting FortiWeb. Usually, cache is ephemeral, stored in
RAM.
So keep HTTP session timeouts, response cache, authentication session caches, and others as low as
possible without affecting normal traffic. This helps to keep RAM usage lower.
FortiWeb Study Guide
498
DO NOT REPRINT
© FORTINET
 Troubleshooting
Besides the OS and configuration, there are some files that FortiWeb stores on a flash disk or hard disk.
All files and databases are kept in persistent storage that won’t be lost when you power off FortiWeb. Each
physical disk can be subdivided into logical partitions, which are then mounted on a file system pointer in
RAM.
In the example shown in this slide, you can see that logs are stored on a partition that is about 30 GB large.
Currently, it contains very little data relative to its total capacity. But the 97 MB /data partition is almost half
full. Is this normal?
To answer that question, we need to know if /data indicates the hard disk or flash disk.
FortiWeb Study Guide
499
DO NOT REPRINT
© FORTINET
 Troubleshooting
In this slide, you can see that the 97 MB /data device corresponds to the size of the first firmware partition on
the internal flash disk. Since firmware doesn’t increase in size unless you upload an update, this disk usage is
probably normal.
Normally, you don’t need to repartition the disks; however, there can be exceptions. When FortiWeb added
the data analytics feature, it required more storage for the data analytics file. So, before loading the firmware
update, you were required to upload a special image to repartition the disk. As always, read your release
notes to see if there are any special instructions for upgrading.
FortiWeb Study Guide
500
DO NOT REPRINT
© FORTINET
 Troubleshooting
Logs and data analytics statistics are both stored in a database. So if your FortiWeb experiences an
unexpected power failure, you may need to check the hard disk for errors, and then also may need to reindex
the database. Otherwise, features that depend on them may fail.
FortiWeb Study Guide
501
DO NOT REPRINT
© FORTINET
 Troubleshooting
If you ever need to restart FortiWeb, it will terminate all current administrator sessions. If multiple people
configure FortiWeb, notify them to save their changes before you enter the exec reboot command. You can
use this command to show which accounts are currently logged in.
FortiWeb Study Guide
502
DO NOT REPRINT
© FORTINET
 Troubleshooting
Excellent! You are now able to identify and resolve Performance related issues.
In the next section we will discuss traffic flow and site statistics.
FortiWeb Study Guide
503
DO NOT REPRINT
© FORTINET
 Troubleshooting
FortiWeb has tools that you can use to study your normal traffic flows.
FortiWeb Study Guide
504
DO NOT REPRINT
© FORTINET
 Troubleshooting
You can download the data analytics database from Fortinet Technical Support. When you upload it to
FortiWeb, the Data Analytics option becomes usable in policies.
Data analytics queries your attack and traffic statistics, and HTTP return codes in server replies. It then
correlates them with specific regions of the world and attack categories.
FortiWeb Study Guide
505
DO NOT REPRINT
© FORTINET
 Troubleshooting
Data analytics is useful for more than just a security perspective.
If you need to measure the success of online sales campaigns in a new region, data analytics can help you to
measure this.
FortiWeb Study Guide
506
DO NOT REPRINT
© FORTINET
 Troubleshooting
If you need to analyze your network at a lower level, FortiWeb has many of the same network diagnostic tools
as FortiGate.
When viewing the NIC statistics, FortiWeb VM will show slightly different output.
For example, the driver will be for the virtual hardware, provided by Xen or VMware. The virtual MAC isusually
be dynamically generated at load time – it is not static. Unless you use a distributed virtual switch, you
shouldn’t notice any transmission errors. Separate vSwitches should also mean there are no transmission
errors. Some will be emulated. There is no actual twisted pair cable in a host-only virtualized network.
FortiWeb Study Guide
507
DO NOT REPRINT
© FORTINET
 Troubleshooting
You can view the ARP table. This can be useful if you need to find an IP address conflict, but also can be
used in HA. If you suspect a split-brain scenario – that is, both devices believe that they are the primary, and
that they should assign the IP addresses and virtual MAC to their physical ports, then log in to the local
console on each device. The ARP list will show that the ports on both devices have the same virtual MAC.
FortiWeb Study Guide
508
DO NOT REPRINT
© FORTINET
 Troubleshooting
To test your routing paths, FortiWeb has ping and traceroute commands.
FortiWeb Study Guide
509
DO NOT REPRINT
© FORTINET
 Troubleshooting
Also like FortiGate, you can use the command line to capture packets that arrive on or leave one of
FortiWeb’s network interfaces. If you save the output to a file, you can use the fgt2eth.pl Perl script to convert
it to a format that Wireshark can load.
You can download the converter here:
http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=11186
FortiWeb Study Guide
510
DO NOT REPRINT
© FORTINET
 Troubleshooting
Let’s look at a couple of examples.
If all you need to know is whether packets from a client using a specific protocol are arriving at FortiWeb on a
specific interface, this basic packet capture may be enough. It doesn’t filter out any packets. It only shows a
few main parts of the IP header, as indicated by the verbosity level number 1.
Since the command indicates to stop after three packets, we don’t have to press Ctrl+C to stop the capture.
FortiWeb Study Guide
511
DO NOT REPRINT
© FORTINET
 Troubleshooting
This is the packet capture that Fortinet Technical Support is more likely to request. It contains much more
detailed information, as indicated by verbosity level 6. This capture includes higher-level payloads that you
can load into a packet analyzer, such as Wireshark, to troubleshoot HTTP and other application-layer issues.
To avoid capturing distracting, irrelevant information, we’ve used the packet filter tcp port 443 to focus on
HTTPS traffic.
Stopping after three packets usually doesn’t gather enough information. In this example, the command runs
until the administrator presses Ctrl+C, as indicated by ^C.
By default, terminal emulators such as PuTTY or TeraTerm have limited buffer in RAM. To use the Perl script
to convert this output to Wireshark format, you must configure the terminal client to save the buffer to a plain
text file on your computer. If you’ve never done this before, see the FortiWeb CLI Reference.
FortiWeb Study Guide
512
DO NOT REPRINT
© FORTINET
 Troubleshooting
In most cases, FortiWeb can connect easily to FortiGuard. If your firewall blocks outgoing traffic however, this
information can help you to configure policies to allow it.
FortiWeb needs DNS, NTP, and HTTPS connectivity to the Internet. Depending on your configuration, it may
need other protocols too, such as SMTPS for alert email. For a complete list of protocols and default port
numbers used by FortiWeb’s various features, see the FortiWeb Administration Guide.
FortiWeb Study Guide
513
DO NOT REPRINT
© FORTINET
 Troubleshooting
If FortiGuard updates fail, these debug commands can help you to discover the cause.
The execute update-now command can also be useful if you have a FortiWeb VM model and you want to
force it to immediately authenticate its license, instead of waiting for the next retry interval.
FortiWeb Study Guide
514
DO NOT REPRINT
© FORTINET
 Troubleshooting
Good job! You are now able to view and interpret basic traffic flow and site statistics information.
In the next section we will look at high availability and FortiGuard related issues.
FortiWeb Study Guide
515
DO NOT REPRINT
© FORTINET
 Troubleshooting
If you have an HA cluster, and especially if you use FortiWeb VM, here are a few specific tips.
FortiWeb Study Guide
516
DO NOT REPRINT
© FORTINET
 Troubleshooting
Like FortiGate, FortiGuard services are licensed for each device, not for each cluster.
FortiWeb VM must be able to authenticate its license, just like FortiGuard services. This means that FortiWeb
VM must have a reliable connection to the Internet. It also means that you should not apply dynamic source
NAT to outbound connections from FortiWeb to FortiGuard, because this can make it look like the VM license
has been moved to a different location – or stolen. This can cause unexpectedly related symptoms, such as
slow ARP retraining during HA failover.
FortiWeb Study Guide
517
DO NOT REPRINT
© FORTINET
 Troubleshooting
Congratulations! You have successfully completed this section.
FortiWeb Study Guide
518
DO NOT REPRINT
© FORTINET
 Troubleshooting
In this lesson you learn how you can either fix the rules or signatures, create exceptions for specific URLs, or
disable the signature, when signatures or rules accidentally block innocent traffic. You also learned how to
handle content scrapers and search engine crawlers, which often have different settings than human web
browsers.
You learned how to monitor CPU, RAM, bandwidth, and disk space for abnormal usage. You learned that
while period block often improves performance, there is one case when that is not true. Finally, you learned
how to fix connectivity issues, including ones with FortiGuard and HA clusters.
FortiWeb Study Guide
519
Download