What role does device priority play in the HA setup of FortiWeb, and how is it configured?

Device priority determines the selection of the primary appliance in an active-passive HA group, with the appliance having the lowest priority number being favored as the primary. This setting can be modified via the CLI command 'execute ha manage ' where lower integers denote higher priority. By default, it is set to 5, on a scale of 0 to 9 . Hence, configuring device priority is a strategic decision to control which unit becomes primary, enhancing operational management.

Explain the process and benefits of configuring a protection profile for out-of-band topologies in FortiWeb.

Configuring a protection profile for out-of-band topologies involves setting up policies that can process traffic not directly interacted with by FortiWeb, such as in offline protection modes. This includes defining profiles that detect threats and vulnerabilities post-traffic processing, enabling analysis without directly handling traffic flow. The profile allows FortiWeb to evaluate security events after they are passed to it, assisting in identifying emerging vulnerabilities without interrupting live traffic flows. This strategy benefits organizations by enabling the monitoring, detection, and response to threats without affecting the production environment's operational load . It allows security measures to function parallel to actual traffic flow, preserving performance while enhancing security insights.

Discuss how FortiWeb uses certificate chains to validate SSL/TLS connections and the importance of a proper chain of trust.

FortiWeb requires SSL/TLS certificates to be associated with a recognized chain of trust, usually validated through a signing chain extending to a root CA that is trusted by clients. Uploading the full chain, including intermediary certificates, alongside the server certificate, ensures authenticity. FortiWeb includes mechanisms for importing and managing these certificate chains within its trusted CA store, which helps verify that incoming requests are legitimate and secure . This setup is vital for maintaining secure connections, preventing the spoofing of certificates, and ensuring encrypted communications integrity with end clients.

How does FortiWeb address redundancy and reliability in heartbeat interfaces within an HA configuration, and why is this crucial?

FortiWeb addresses redundancy and reliability in heartbeat interfaces by recommending dual heartbeat links between appliances configured for HA. One primary and one secondary link minimize the risk of both units functioning independently due to accidental disconnections, which can lead either to isolation when a heartbeat fails or load imbalance. It is crucial to prevent both available appliances from becoming active simultaneously, which could lead to network confusion and incorrect data processing . This redundancy ensures continuous service availability and integrity of data processing operations in case of faults in one link.

What are the potential impacts of not properly configuring the priority for HA appliances in FortiWeb?

Improper configuration of priority for HA appliances in FortiWeb can lead to unexpected failover behavior. If the device priority is not correctly set, an inappropriate appliance might become active, leading to possible service disruption, mismanagement of sessions, and a lack of failover predictability. This can have operational impacts where services are interrupted or incorrectly handled due to the prior primary device no longer managing processes as expected . Correct priority settings ensure orderly transitions between primary and secondary roles, maintaining system reliability and service continuity.

Illustrate the process and significance of creating and implementing user groups for HTTP authentication in FortiWeb.

Creating user groups in FortiWeb involves defining them under User > User Group in the web UI. These groups can contain a combination of local user accounts and remote queries (LDAP, RADIUS, NTLM). By organizing user accounts into groups, authentication rules can efficiently assign permissions to specific web request URLs. This grouping is crucial for managing access control, enabling FortiWeb to apply policies enforcing security on a user-by-user basis or by query group. This segregation ensures that resources are accessed only by authenticated and authorized personnel . Thus, it plays a crucial role in securing backend systems by dictating authorization realms.

What are the recommended configurations for session synchronization in an Active-Active-Standard HA group for FortiWeb, and how does FortiWeb ensure session continuity in such setups?

For an Active-Active-Standard HA group, session synchronization is important to maintain session continuity and load distribution. By default, session synchronization occurs via unicast on the heartbeat interface. Administrators can enhance this by deploying additional interfaces and opting for session synchronization via broadcasting when dealing with numerous appliances. This adjustment can be made using the 'set session-sync-broadcast {enable|disable}' in CLI, which is advised when scalability and performance need optimization . This adjustment maintains consistency and reliability across sessions by ensuring that all active nodes have the current session information.

Evaluate the implications of FortiWeb not strictly requiring a client certificate during SSL handshake.

Not strictly requiring a client certificate during SSL handshake in FortiWeb means SSL connections may be established without verifying the client's authenticity, which reduces security assurance for server-access interactions. When the 'Strictly Require Client Certificate' option is disabled, the appliance accepts requests even from unverified clients, potentially exposing backend systems to malicious activities . This less strict posture is less secure but may be chosen for environments prioritizing connectivity over security. However, it could lead to unauthorized access and increases the potential attack surface.

How does FortiWeb handle heartbeat and synchronization traffic in an HA configuration, and what are the potential pitfalls to watch out for?

FortiWeb manages heartbeat and synchronization traffic via designated network ports (e.g., port3 to port3, port4 to port4) between the HA group members. For a simple two-appliance configuration, a crossover cable is adequate, whereas a switch is necessary for more than two appliances. The configured ports must support Layer 2 multicast if a switch is used. To prevent unintentional failovers, dual heartbeat links should be implemented for redundancy, as a disconnection can lead the secondary system to assume the primary was lost, causing both to operate as primary appliances concurrently . Therefore, ensuring reliable and redundant heartbeat connections is crucial to avoid these pitfalls.

Explain how FortiWeb's Reserved Management Interface function operates within an HA configuration and why it might be used.

The Reserved Management Interface feature allows an interface to be dedicated for administrative access and not synchronized across HA members. This interface may be used for communicating with backend servers outside the server pool and offers isolated management access . This setup adds a layer of security and operational organization as administrative access is not tied to interfaces used for HA or network traffic, allowing uninterrupted management regardless of HA states.

Open navigation menu

Upload

0% found this document useful (0 votes)

1K views892 pages

FortiWeb 6.3.3 Administration Guide

Uploaded by

HajjiNizar

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

1K views892 pages

FortiWeb 6.3.3 Administration Guide

Uploaded by

HajjiNizar

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 892

FortiWeb Administration Guide

VERSION 6.3.3
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET COOKBOOK
https://cookbook.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

May 20, 2020

FortiWeb 6.3.3 Administration Guide
1st Edition
Change log 3

Change log

May 20, 2020 Initial release.

FortiWeb Administration Guide Fortinet Technologies Inc.

TABLE OF CONTENTS

Change log 3
Introduction 16
Architecture 18
Scope 18
What's new 20
New features 20
Enhancements 21
Key concepts 23
Workflow 23
Sequence of scans 25
IPv6 support 33
Solutions for specific web attacks 35
HTTP/HTTPS threats 35
DoS attacks 39
HTTP/2 support 40
HTTP sessions & security 42
FortiWeb sessions vs. web application sessions 44
Sessions & FortiWeb HA 46
FortiWeb high availability (HA) 48
Active-Passive HA 49
Standard Active-Active HA 49
High volume active-active HA 51
Administrative domains (ADOMs) 52
Defining ADOMs 53
Assigning administrators to an ADOM 55
How to use the web UI 55
System requirements 55
URL for access 56
Permissions 56
Maximum concurrent administrator sessions 59
Global web UI & CLI settings 59
Buttons, menus, & the displays 62
Shutdown 65
How to set up your FortiWeb 66
Appliance vs. VMware 66
Registering your FortiWeb 66
Planning the network topology 66
External load balancers: before or after? 67
How to choose the operation mode 70
Topology for Reverse Proxy mode 74
Topology for either of the transparent modes 77
Topology for Offline Protection mode 78
Topology for WCCP mode 80

FortiWeb Administration Guide Fortinet Technologies Inc.

Topologies for high availability (HA) clustering 80

Connecting to the web UI or CLI 84
Connecting to the web UI 84
Connecting to the CLI 86
Updating the firmware 89
Testing new firmware before installing it 90
Installing firmware 92
Installing alternate firmware 97
Changing the “admin” account password 101
Setting the system time & date 103
Setting the operation mode 105
Configuring High Availability (HA) basic settings 106
Basic settings 107
Configuring redundant interfaces in HA 112
Checking your HA topology information and statistics 113
HA heartbeat & active node election 114
Synchronization 116
Replicating the configuration without FortiWeb HA (external HA) 119
Configuring the network settings 124
To configure a network interface or bridge 124
Adding a gateway 142
Creating a policy route 146
Configuring DNS settings 150
Configuring HA settings specifically for active-passive and standard active-active modes 152
HA Static Route and Policy Route 152
Load-balancing algorithm 152
HA Health Check 153
Configuring HA settings specifically for high volume active-active mode 155
Allocating nodes 155
Creating traffic distribution 155
Defining your web servers & load balancers 160
Protected web servers vs. allowed/protected host names 160
Defining your protected/allowed HTTP “Host:” header names 160
Defining your web servers 163
Defining your proxies, clients, & X-headers 193
Defining your network services 198
Configuring virtual servers on your FortiWeb 199
Enabling or disabling traffic forwarding to your servers 200
Configuring FortiWeb to receive traffic via WCCP 201
Configuring the FortiWeb WCCP client settings 202
Viewing WCCP protocol information 204
Example: Using WCCP with FortiOS 5.2.x 204
Example: Using WCCP with FortiOS 5.4 206
Example: Using WCCP with multiple FortiWeb appliances 207
Example: Using WCCP with a Cisco router 209
Configuring basic policies 211
Example 1: Configuring a policy for HTTP 211
Example 2: Configuring a policy for HTTPS 212

FortiWeb Administration Guide Fortinet Technologies Inc.

Example 3: Configuring a policy for load balancing 212

Testing your installation 213
Reducing false positives 214
Testing for vulnerabilities & exposure 214
Expanding the initial configuration 215
Switching out of Offline Protection mode 215
Policies 217
How operation mode affects server policy behavior 217
Configuring the global object white list 218
Configuring a protection profile for inline topologies 223
Generating a protection profile using scanner reports 229
WhiteHat Sentinel scanner report requirements 229
Telefónica FAAST scanner report requirements 230
HP WebInspect scanner report requirements 231
Configuring a protection profile for an out-of-band topology or asynchronous mode of
operation 233
Client management 237
How client management works 238
Configuring threat weight 238
Configuring client management 240
Configuring an HTTP server policy 242
HTTP pipelining 254
Multiplexing client connections 256
Enabling or disabling a policy 256
Configuring traffic mirror 257
Enabling traffic mirror 257
Creating a traffic mirror rule 257
Configuring a traffic mirror policy 258
Configuring FTP security 259
Enabling FTP security 259
Creating an FTP command restriction rule 260
Creating an FTP file check rule 261
Configuring an FTP security inline profile 263
Before creating an FTP security inline profile 264
Creating an FTP server pool 265
Creating an FTP server policy 269
Before creating an FTP server policy 269
Enabling or disabling a policy 272
ADFS Proxy 274
FortiWeb as an ADFS proxy 274
The workflow of the ADFS authentication process 275

FortiWeb Administration Guide Fortinet Technologies Inc.

Configuring FortiWeb as an ADFS proxy 277

Configuring a virtual server 278
Creating an ADFS server pool 279
Uploading trusted CA certificates 283
Creating an ADFS server policy 285
Troubleshooting 288
FortiView 289
Interface 290
Topology 296
Single Server/Server Pool 296
Content Routing 298
Security 301
Countries 301
Threats 304
Server Policies 306
Threat Map 308
Bot Analysis 310
Scanner Integration 310
Traffic 313
Sources 313
Countries 315
Sessions 317
Sources 317
Policies 319
Ending sessions 321
Backups 322
Restoring a previous configuration 325
Debug log 326
Administrators 328
Configuring access profiles 331
Grouping remote authentication queries and certificates for administrators 333
Changing an administrator’s password 334
Certificate-based Web UI login 334
Users 337
Authentication styles 337
Via the “Authorization:” header in the HTTP/HTTPS protocol 337
Via forms embedded in the HTML 338
Via a personal certificate 340
Offloading HTTP authentication & authorization 340
Configuring local end-user accounts 342
Configuring queries for remote end-user accounts 343
Grouping users 354
Applying user groups to an authorization realm 355
Single sign-on (SSO) (site publishing) 359
Two-factor authentication 360

FortiWeb Administration Guide Fortinet Technologies Inc.

RSA SecurID authentication 360

Changing user passwords at login 361
Using Kerberos authentication delegation 361
Offloaded authentication and optional SSO configuration 365
To create an Active Directory (AD) user for FortiWeb 373
Example: Enforcing complex passwords 379
Tracking users 380
Secure connections (SSL/TLS) 386
Offloading vs. inspection 386
Supported cipher suites & protocol versions 388
SSL offloading cipher suites and protocols (Reverse Proxy and True Transparent
Proxy) 389
SSL inspection cipher suites and protocols (offline and Transparent Inspection) 392
Uploading trusted CA certificates 393
Grouping trusted CA certificates 395
How to offload or inspect HTTPS 396
Using session keys provided by an HSM 397
Generating a certificate signing request 399
Uploading a server certificate 402
Forcing clients to use HTTPS 409
HTTP Public Key Pinning 410
How to apply PKI client authentication (personal certificates) 411
Example: Generating & downloading a personal certificate from
Microsoft Windows 2003 Server 416
Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server 418
Example: Importing the personal certificate & private key to a client’s trust store on
Microsoft Windows 7 418
Uploading the CA’s certificate to FortiWeb’s trusted CA store 421
Configuring FortiWeb to validate client certificates 421
Configure FortiWeb to validate server certificates 423
Use URLs to determine whether a client is required to present a certificate 424
Using XML client certificates and server certificates for WS-Security rule 425
Seamless PKI integration 427
Revoking certificates 430
How to export/back up certificates & private keys 431
How to change FortiWeb's default certificate 431
Configuring OCSP stapling 432
Access control 433
Restricting access to specific URLs 433
Combination access control & rate limiting 437
Blacklisting & whitelisting clients 442
Blacklisting source IPs with poor reputation 442
Blacklisting & whitelisting countries & regions 445
Blacklisting & whitelisting clients using a source IP or source IP range 447
Blacklisting known bots 449
Protecting against cookie poisoning and other cookie-based attacks 450

FortiWeb Administration Guide Fortinet Technologies Inc.

Cross-Origin Resource Sharing (CORS) protection 453

Configuring allowed origin 453
Configuring CORS protection rule 454
Configuring CORS protection policy 456
URL encryption 457
Blocking known attacks & data leaks 461
Connecting to FortiGuard services 469
Choosing the virus signature database & decompression buffer 472
Accessing FortiGuard via a proxy 473
How often does Fortinet provide FortiGuard updates for FortiWeb? 474
Scheduling automatic signature updates 475
Manually initiating update requests 477
Uploading signature & geography-to-IP updates 478
Enforcing new FortiGuard signature updates 479
Receiving quarantined source IP addresses from FortiGate 480
False Positive Mitigation for SQL Injection signatures 481
Syntax-based SQL/XSS injection detection 482
Syntax-based SQL injection detection 482
Syntax-based XSS injection detection 484
Configure Syntax Based SQL/XSS Injection detection policies 488
Configuring exceptions for syntax-based SQL/XSS injection attack types 489
Example: Concatenating exceptions 492
Configuring action overrides or exceptions to data leak & attack detection signatures 493
Example: Concatenating exceptions 498
Filtering signatures 499
Defining custom data leak & attack signatures 499
Example: ASP .Net version & other multiple server detail leaks 503
Example: Zero-day XSS 505
Example: Local file inclusion fingerprinting via Joomla 507
Defeating cipher padding attacks on individually encrypted inputs 508
Defeating cross-site request forgery (CSRF) attacks 511
Addressing security vulnerabilities by HTTP Security Headers 515
Preventing zero-day attacks 519
Validating parameters (“input rules”) 519
Bulk changes to input validation rules 524
Preventing tampering with hidden inputs 524
Specifying allowed HTTP methods 529
Configuring allowed method exceptions 530
HTTP/HTTPS protocol constraints 532
Configuring HTTP protocol constraint exceptions 540
WebSocket protocol 545
Creating WebSocket security rules 545
Creating WebSocket security policies 547
Protection for Man-in-the-Browser (MiTB) attacks 549
Creating Man in the Browser (MiTB) Protection Rule 551
Creating an MiTB protection rule 551

FortiWeb Administration Guide Fortinet Technologies Inc.

Protecting the standard user input field 553

Protecting the passwords 554
Adding white list for the AJAX Request 555
Creating Man in the Browser (MiTB) Protection Policy 555
Protection for APIs 556
Configuring JSON protection 556
Importing JSON schema files 556
Creating JSON protection rules 557
Creating JSON protection policy 560
Configuring XML protection 561
Importing XML schema files 561
Creating XML protection rules 562
Creating XML protection policies 566
Importing WSDL files 567
Configuring exempted URLs 568
Configuring attack logs to retain packet payloads for XML protection 569
Creating WS-Security rules 570
OpenAPI Validation 573
Use cases 574
Creating OpenAPI files 583
Creating OpenAPI validation policies 586
Configuring mobile API protection 588
API gateway 591
Managing API users 591
Configuring API gateway policy 592
Configuring API gateway rules 593
Limiting file uploads 597
Restricting uploads by file type and size 597
Using FortiSandbox to evaluate uploaded files 597
Using ICAP server to detect threats 599
Configuring a file security rule 600
Creating a file security policy 601
Anti-defacement 605
Specifying files that anti-defacement does not monitor 609
Accepting or reverting changed files 610
Reverting a defaced website 610
Rate limiting 612
DoS prevention 612
Configuring application-layer DoS protection 612
Configuring network-layer DoS protection 621
Grouping DoS protection rules 624
Preventing slow and low attacks 625
Configuring protection rules for slow and low attacks 625
Rewriting & redirecting 628
Example: HTTP-to-HTTPS redirect 633
Example: Full host name/URL translation 636

FortiWeb Administration Guide Fortinet Technologies Inc.

Example: Sanitizing poisoned HTML 638

Example: Inserting & deleting body text 641
Example: Rewriting URLs using regular expressions 642
Example: Rewriting URLs using variables 642
Caching 644
What can be cached? 647
Compression 648
Configuring compression exemptions 648
Configuring compression offloading 649
Acceleration 652
Compliance 655
Database security 655
Authorization 656
Preventing data leaks 656
Vulnerability scans 656
Preparing for the vulnerability scan 657
Scheduling web vulnerability scans 658
Configuring vulnerability scan profiles 659
Running vulnerability scans 662
Viewing/downloading vulnerability scan reports 664
Advanced/optional system settings 666
Changing the FortiWeb appliance’s host name 666
Fail-to-wire for power loss/reboots 667
Customizing error and authentication pages (replacement messages) 668
Configuring an error or authentication page 668
Pre-login disclaimer message 669
Attack block page HTTP response codes 669
Macros in custom error and authentication pages 669
Customizing the message returned for LDAP errors (%%REPLY_TAG%% macro) 671
Configuring the integrated firewall 671
Network address translation (NAT) 675
Advanced settings 677
Example: Setting a separate rate limit for shared Internet connections 679
Monitoring your system 681
Status dashboard 681
System Information widget 683
FortiGuard Information widget 684
System Resources widget 688
Attack Log widget 689
HTTP Throughput Monitor widget 689
HTTP Hit History widget 690
Attack Event History widget 691
Event Log Console widget 694
Policy Sessions widget 694
Operation widget 695

FortiWeb Administration Guide Fortinet Technologies Inc.

Policy Status dashboard 696

Health Check Status 696
Session Count 697
RAID level & disk statuses 697
Logging 698
About logs & logging 698
Configuring logging 700
Viewing log messages 718
Coalescing similar attack log messages 723
Alert email 724
Configuring email settings 725
Configuring alert email for event logs 727
SNMP traps & queries 727
Configuring an SNMP community 729
MIB support 731
Reports 732
Customizing the report’s headers, footers, & logo 734
Restricting the report’s scope 735
Choosing the type & format of a report profile 737
Scheduling reports 738
Selecting the report’s file type & delivery options 739
Viewing & downloading generated reports 740
Blocked users 741
Monitoring currently blocked IPs 742
Monitoring currently tracked clients 743
FortiGuard updates 744
Vulnerability scans 744
Bot mitigation 745
Configuring threshold based detection 745
Configuring biometrics based detection 750
Configuring bot deception 752
Configuring known bots 754
Configuring bot mitigation policy 756
Machine learning 758
Enabling machine learning policy 759
Configuring anomaly detection policy 760
Allow sample collection for domains 763
IP List Type and Source IP list 764
Configuring machine-learning templates 764
Viewing domain data 768
Viewing anomaly detection log 775
Configuring bot detection profiles 780
Basic Concepts 780
Creating bot detection profiles 780
Limit sample collection from IPs 785
Exception URLs 786

FortiWeb Administration Guide Fortinet Technologies Inc.

Viewing bot detection model status 787

Viewing the bot detection violations 789
Fine-tuning & best practices 791
Hardening security 791
Topology 791
Administrator access 792
User access 795
Signatures & patches 796
Buffer hardening 796
Enforcing valid, applicable HTTP 798
Sanitizing HTML application inputs 798
Improving performance 798
System performance 798
Antivirus performance 798
Regular expression performance tips 799
Logging performance 800
Report performance 800
Vulnerability scan performance 801
Packet capture performance 801
TCP transmission performance tuning 801
Improving fault tolerance 802
Alerting the SNMP manager when HA switches the primary appliance 802
Reducing false positives 802
Regular backups 806
Downloading logs in RAM before shutdown or reboot 807
Downloading logs in RAM before shutdown or reboot 807
Troubleshooting 808
Frequently asked questions 808
How do I recover the password of the admin account? 810
What is the maximum number of ADOMs I can create? 810
How do I upload and validate a license for FortiWeb-VM? 810
How do I troubleshoot a high availability (HA) problem? 811
How do I upload a file to or download a file from FortiWeb? 813
Why did the FortiGuard service update fail? 814
Why is URL rewriting not working? 814
How do I create a custom signature that erases response packet content? 815
How do I reduce false positives and false negatives? 816
Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-
end servers even though set ip-forward is enabled? 816
How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule? 817
Why does my Advanced Protection rule that has both Signature Violation and HTTP
Response Code filters not detect any violations? 817
What's the difference between the Packet Interval Timeout and Transaction Timeout
filters in an Advanced Protection rule? 818
What ID numbers do I use to specify a Signature Violation filter when I use the CLI to
create a custom access rule? 818
Why is the Signature Violation filter I added to my Advanced Protection custom rule not
working? 819

FortiWeb Administration Guide Fortinet Technologies Inc.

Why don't my back-end servers receive the virtual server IP address as the source IP? 819
Why do I not see HTTP traffic in the logs? 819
Why do I see HTTP traffic in the logs but not HTTPS traffic? 822
How do I store traffic log messages on the appliance hard disk? 822
Why is the most recent log message not displayed in the Aggregated Attack log? 823
How can I sniff FortiWeb packets (packet capture)? 824
How do I trace packet flow in FortiWeb? 824
Why is the number of cookies reported in my attack log message different from the
number of cookies that message detail displays? 825
Why does the attack log message display the virtual server IP address as the
destination IP instead of the IP address of the back-end server that was the target of
the attack? 825
How do I detect which cipher suite is used for HTTPS connections? 825
How can I strengthen my SSL configuration? 825
Why can’t a browser connect securely to my back-end server? 826
How do I use performance tests to determine maximum performance? 826
How can I measure the memory usage of individual processes? 827
How can I use IPMI to shut down or power on FortiWeb remotely? 827
How do I reformat the boot device (flash drive) when I restore or upgrade the firmware?828
How do I set up RAID for a replacement hard disk? 828
Tools 829
Ping & traceroute 829
Log messages 830
Diff 830
Packet capture 831
Diagnostic commands in the CLI 836
Retrieving debug logs 836
How to troubleshoot 837
Establishing a system baseline 837
Determining the source of the problem 837
Planning & access privileges 838
Solutions by issue type 838
Connectivity issues 839
Resource issues 850
Login issues 852
Data storage issues 854
Bootup issues 854
Issues forwarding non-HTTP/HTTPS traffic 858
Resetting the configuration 858
Restoring firmware (“clean install”) 859
Appendix A: Port numbers 862
Appendix B: Maximum configuration values 865
Maximum values on FortiWeb-VM 876
Appendix C: Supported RFCs, W3C, & IEEE standards 877
RFCs 877
W3C standards 878
IEEE standards 879

FortiWeb Administration Guide Fortinet Technologies Inc.

Appendix D: Regular expressions 880

Regular expression syntax 880
What are back-references? 885
Cookbook regular expressions 886
Language support 888
Appendix E: How to purchase and renew FortiGuard licenses 890

FortiWeb Administration Guide Fortinet Technologies Inc.

Introduction 16

Introduction

FortiWeb is a web application firewall (WAF) that protects hosted web applications from attacks that target known and
unknown exploits. Using multi-layered and correlated detection methods, FortiWeb defends applications from known
vulnerabilities and zero-day threats. The Web Application Security Service from FortiGuard Labs uses information
based on the latest application vulnerabilities, bots, suspicious URL and data patterns, and specialized heuristic
detection engines to keep your applications safe.
FortiWeb also offers a machine-learning function that enables it to automatically detect malicious web traffic. In
addition to detecting known attacks, the feature can detect potential unknown zero-day attacks to provide real-time
protection for web servers.
FortiWeb allows you to configure these features:
l Vulnerability scanning and patching
l IP reputation, web application attack signatures, credential stuffing defense, anti-virus, and FortiSandbox Cloud
powered by FortiGuard
l Real-time attack insights and reporting with advanced visual analytics tools
l Integration with FortiGate and FortiSandbox for ATP detection
l Behavioral attack detection
l Advanced false positive and negative detection avoidance
FortiWeb hardware and virtual machine platforms are available for medium and large enterprises, as well as for service
providers.

Benefits
FortiWeb is designed specifically to protect web servers. It provides specialized application layer threat detection and
protection for HTTP and HTTPS services, including:
l Apache Tomcat
l nginx
l Microsoft IIS
l JBoss
l IBM Lotus Domino
l Microsoft SharePoint
l Microsoft Outlook Web App (OWA)
l RPC and ActiveSync for Microsoft Exchange Server
l Joomla
l WordPress
FortiWeb’s integrated web-specific vulnerability scanner drastically reduces challenges associated with protecting
regulated and confidential data by detecting your exposure to the latest threats, especially the OWASP Top 10
(https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).
FortiWeb’s HTTP firewall and denial-of-service (DoS) attack-prevention protects your web applications from attack.
Using advanced techniques to provide bidirectional protection against sophisticated threats like SQL injection and cross-
site scripting (XSS) attacks, FortiWeb also helps you defend against threats like identity theft, financial fraud, and
corporate espionage.

FortiWeb Administration Guide Fortinet Technologies Inc.

Introduction 17

FortiWeb provides the tools you need to monitor and enforce government regulations, industry best practices, and
internal security policies, including firewalling and patching requirements from PCI DSS
(https://www.pcisecuritystandards.org/security_standards/getting_started.php).
FortiWeb’s application-aware firewall and load balancing engine can:
l Secure HTTP/HTTPS applications.
l Prevent and reverse defacement.
l Improve application stability.
l Monitor servers for downtime & connection load.
l Reduces response times.
l Accelerate SSL/TLS. *
l Accelerate compression.
l Rewrite content on the fly.
* On VM models, acceleration is due to offloading the cryptography burden from the back-end server. On hardware
models, cryptography is also hardware-accelerated via ASIC chips.
FortiWeb significantly reduces deployment costs by consolidating WAF, hardware acceleration, load balancing, and
vulnerability scanning in a single platform with no per-user pricing. These features:
l Reduce the total resources required to protect your regulated, Internet-facing data.
l Ease the challenges associated with policy enforcement and regulatory compliance.

FortiWeb Administration Guide Fortinet Technologies Inc.

Introduction 18

Architecture

Client Administrator

Switch

FortiGate
FortiWeb

Protected Web
Servers

FortiWeb can be deployed in a one-arm topology, but is more commonly positioned inline to intercept all incoming client
connections and redistribute them to your servers. FortiWeb has TCP- and HTTP-specific firewalling capabilities.
Because it's not designed to provide security to non-HTTP/HTTPS web applications, it should be deployed behind a
firewall such as FortiGate that focuses on security for other protocols, including FTP and SSH.
Once FortiWeb is deployed, you can configure it from a web browser or terminal emulator on your management
computer.

Scope

This document describes how to set up and configure FortiWeb. It provides instructions to complete first-time system
deployment, including planning the network topology, and ongoing maintenance.
It also describes how to use the web user interface (web UI), and contains lists of default utilized port numbers,
configuration limits, and supported standards.
If you are using FortiWeb-VM, this document assumes that you have already followed the instructions in the FortiWeb-
VM Install Guide:
http://docs.fortinet.com/fortiweb/hardware
After completing How to set up your FortiWeb on page 66, you will have:

FortiWeb Administration Guide Fortinet Technologies Inc.

Introduction 19

l Administrative access to the web UI and/or CLI.

l Completed firmware updates, if any.
l Configured the system time, DNS settings, administrator password, and network interfaces will be configured.
l Set the operation mode.
l Configured basic logging.
l Created at least one server policy.
You can use the rest of this document to:
l Update the FortiWeb appliance.
l Reconfigure features.
l Use advanced features, such as anti-defacement.
l Diagnose problems.
This document does not provide a reference for the CLI. For that information, see FortiWeb CLI Reference.
This document is intended for system administrators, not end users. If you are accessing a website protected by
FortiWeb and have questions, please contact your system administrator.

FortiWeb Administration Guide Fortinet Technologies Inc.

What's new 20

What's new

New features

Introducing Deep Learning

As part of Machine Learning for Anomaly Detection, FortiWeb now builds mathematical models with fewer samples but
continues to collect samples and optimize the mathematical models as more samples are collected overtime. This
allows FortiWeb to provide protection much faster and to enhance accuracy over time.
For more information, see Configuring anomaly detection policy on page 760
New XSS Syntax Based Detection module
l XSS Syntax Based Detection is introduced to detect XSS injection attacks by analyzing the HTML/JavaScript
syntax.
l SQL Injection (Syntax Based Detection) is moved from Web Protection > Signatures to Web Protection >
Advanced Protection > SQL/XSS Syntax Based Detection.
For more information, see Syntax-based SQL/XSS injection detection on page 482.
Client management
Client management allows to track a client by either the recognized cookie or the source IP. When a client violates a
WAF rule, FortiWeb accumulates the threat score based on the configured threat weight value, and takes actions
accordingly. This feature replaces Device Tracking, Device Reputation, and Client Device Management.
For more information, see Client management on page 237.
Bad Robot and Known Search Engines integrated to Known Bots for better bot management
l Bad Robot is removed from the main signature class in Web Protection > Known Attacks > Signatures.
l Known Search Engines is removed from Server Objects > Global and Policy > Web Protection Profile.
l Both the modules are integrated into Bot Mitigation > Known Bots.
For more information, see Configuring known bots on page 754.
New AJAX block page for AJAX requests
You can now enable Replacement Message for AJAX requests in Config > Replacement Message > Replacement
Message.
For more information, see Configuring an error or authentication page on page 668.
Support for Cookieless clients in NTLM Delegation
The Site Publish module can now support NTLM delegation for cookieless clients.
For more information, see Offloaded authentication and optional SSO configuration on page 365
Additional information on Blocked IPs
A new "reason" column has been added in Monitor > Blocked IPs.
For more information, see Monitoring currently blocked IPs on page 742.
Parameter type in Global White List optimized

FortiWeb Administration Guide Fortinet Technologies Inc.

What's new 21

URL/Domain filters are added for parameter type in Global White List, allowing better granularity when certain
parameters need to bypass the security modules.
For more information, see Configuring the global object white list on page 218.
User tracking data shared across content routing rules
Web protection profiles using the same user tracking rules can share user tracking data now.
SameSite flag added in cookiesession1 to help prevent CSRF attacks
You can now assign a SameSite flag to internal cookies and set strict, lax or none value to define whether any request
from the third parties carries such cookies or not.
For more information, see server-policy policy.
Support for chunk encoded HTTP requests
FortiWeb can now parse the chunk encoded body in HTTP requests.
client-ip/server-ip support in diagnose debug flow filter module-detail
You can now specify a source and/or destination IP address to include or exclude module debug logs involving the
specified IP address.
For more information, see debug flow filter.

Enhancements

Login failure message optimization

"Failed to search user DN" and "Failed to bind LDAP server" login failure messages are replaced with generic "Failed to
login" message to avoid user enumeration attacks. You can view more login failure information in the event log.
Default block period value increase
The default value for "Period Block" is updated to 600 seconds to ensure higher security.
Bot Analysis moved to FortiView > Security
The Bot Analysis page is optimized to show detailed information on search engines and malicious bots.
For more information, see Bot Analysis on page 310.
Predefined policies in Custom Policy and Bot Mitigation Policy
l Predefined Bot Mitigation policies are added in Bot Mitigation Policy.
l Predefined Advanced Protection policy (alert only) is added in Custom Policy.
Device Tracking, Device Reputation, and Client Device Management removed
Device tracking related modules and configurations are removed from this release. Tracking is now done using the new
Client Management feature.
For more information, see Client management on page 237.
Least connection algorithm enhancement
When distributing new TCP connections to the server pool member, the Least Connection algorithm is enhanced to
avoid new connections always being processed by the same member.
Enhancements for Machine Learning Anomaly Detection

FortiWeb Administration Guide Fortinet Technologies Inc.

What's new 22

l You can re-admit a noisy sample to the legitimate sample pool.

l Threat Models have been optimized to reduce false positives.
l You can define an expiration time for patterns. All the samples related with the expired patterns will be cleared from
the database.
For more information, see Configuring anomaly detection policy on page 760
HA heartbeat enhancement
HA heartbeat is optimized to provide better stability and scalability.
Virtual IP limit lifted in high volume active-active HA mode
In addition to standalone, active-passive, standard active-active modes, now FortiWeb 1000E, 2000E, 3000E, 3010E,
and 4000E appliances in high volume active-active HA mode also support a maximum number of 6000 virtual IPs.
New regions support by FortiWeb Fabric Connectors for OCI platform
Fabric Connectors now support all available OCI regions.
Autoscaling enhancement on AWS
For the FortiWeb autoscaling solution on AWS, an elastic IP is now supported to access the master node.
Using templates to auto-deploy FortiWeb HA on AWS and Azure
FortiWeb HA group with up to eight members can be automatically deployed using templates on AWS and Azure.
Limiting access to specific source IP addresses
You can now define an Allow Only IP range in IP List to limit access to the application to specified IP addresses.
For more information, see Blacklisting & whitelisting clients on page 442.
FortiAnalyzer support for log export
Forwarding attack logs to FortiAnalyzer is now supported.
TCP buffer default value changed
The default value of tcp-buffer is changed to max.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 23

Key concepts

This chapter defines basic FortiWeb concepts and terms.

If you are new to FortiWeb, or new to network security, this chapter can help you to quickly understand:
l Workflow on page 23
l Sequence of scans on page 25
l IPv6 support on page 33
l Solutions for specific web attacks on page 35
l HTTP/2 support on page 40
l HTTP sessions & security on page 42
l HA heartbeat & active node election on page 114
l Administrative domains (ADOMs) on page 52
l How to use the web UI on page 55
l Shutdown on page 65

Workflow

Begin with How to set up your FortiWeb on page 66 for your initial deployment. These instructions guide you to the point
where you have a simple working configuration.
Ongoing use is located in subsequent chapters, and includes instructions for processes including:
l Backing up FortiWeb
l Updating FortiWeb
l Configuring optional features
l Adjusting policies if:
l New attack signatures become available
l Requirements change
l Fine-tuning performance
l Periodic web vulnerability scans if required by your compliance regime
l Monitoring for defacement or focused, innovative attack attempts from advanced persistent threats (APTs)
l Monitoring for accidentally blacklisted client IPs
Because policies consolidate many protection components, you should configure policies after you've configured those
components.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 24

This figure illustrates the general configuration process:

This figure illustrates the configuration process for setting up DoS protection:

1. Configure anti-DoS settings for each type:

l TCP connection floods (Limiting TCP connections per IP address on page 622)
l TCP SYN floods (Preventing a TCP SYN flood on page 624)
l HTTP floods (Preventing an HTTP request flood on page 619)
l HTTP access limits (Limiting the total HTTP request rate from an IP on page 613)
l Malicious IPs (TCP connection floods detected by session cookie instead of source IP address, which could be
shared by multiple clients; Limiting TCP connections per IP address by session cookie on page 616)

2. Group the settings together into a comprehensive anti-DoS policy (Grouping DoS protection rules on page 624).
3. Select the anti-DoS policy in a protection profile, and enable Configuring a protection profile for inline topologies
(Configuring a protection profile for inline topologies on page 223).
4. Select the protection profile in a server policy (Configuring an HTTP server policy on page 242).

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 25

Sequence of scans

FortiWeb applies protection rules and performs protection profile scans in the order of execution according to the below
table. To understand the scan sequence, read from the top of the table (the first scan/action) toward the bottom (the
last scan/action). Disabled scans are skipped.
You may find the actual scan sequence sometimes is different from what we list below in the scan sequence table.
There might be various reasons, for example, for the scans involving the whole request or response packet, its
sequence may vary depending on when the packet is fully transferred to FortiWeb. File Security is one of the scan
items that involve scanning the whole packet. FortiWeb scans Content-Type: and the body of the file for File
Security. While the Content-Type: is scanned instantly, the body of the file may be postponed after the subsequent
scans until the whole body of the file is done uploading to FortiWeb.
Please also note that when we talk about scan sequence, it refers to the sequence within the same packet. For
example, TCP Connection Number Limit precedes HTTP Request Limit in the scan sequence table. However, if
there are two packets containing HTTP traffic and TCP traffic respectively, and the HTTP packet arrives first, FortiWeb
thus checks the HTTP Connection Number Limit first.

To improve performance, block attackers using the earliest possible technique in the
execution sequence and/or the least memory-consuming technique. The blocking
style varies by feature and configuration. For example, when detecting Syntax-
based SQL/XSS injection, instead of blocking the SQL/XSS injection by its syntax,
you could log and block the injection by the black list defined in IP List. For details,
see each specific feature.

Execution sequence (web protection profile)

Scan/action Involves

Request from client to server

TCP Connection Number l Source IP address of the client in the IP layer.
Limit (TCP Flood Prevention) l Source port of the client in the TCP layer.

Add X-Forwarded-For: l X-Forwarded-For:

l X-Real-IP:
l X-Forwarded-Proto:
Client Management l Source IP address of the client depending on your configuration of
X-header rules.
This could be derived from either the SRC field in the IP header, or
the X-Forwarded-For: and X-Real-IP: HTTP headers. For
details, see Defining your proxies, clients, & X-headers on page 193.
l Cookie:
l Session state

IP List l Source IP address of the client depending on your configuration of

X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 26

Scan/action Involves

headers. For details, see Defining your proxies, clients, & X-headers
on page 193.
l Source IP address of the client in the IP layer.
Note: If a source IP is white listed, subsequent checks will be skipped.
IP Reputation Source IP address of the client depending on your configuration of X-
header rules. This could be derived from either the SRC field in the IP
header, or the X-Forwarded-For: and X-Real-IP: HTTP headers.
For details, see Defining your proxies, clients, & X-headers on page 193.

Quarantined source IP Source IP address of the client in the IP layer.

addresses
Known Bots l Source IP address of the client depending on your configuration of
X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193.
l Source IP address of the client in the IP layer.

Geo IP l Source IP address of the client depending on your configuration of

WebSocket protocol l Host:

l URL in HTTP header
l Origin:
l Upgrade:
l Frame Size/Message Size
l sec-websocket-extenstions

Add HSTS Header Strict-Transport-Security:

Protected Server Check Host:

Allow Method l Host:

l URL in HTTP header
l Request method in HTTP header

Mobile Application Token header

Identification
HTTP Request Limit/sec l Source IP address of the client depending on your configuration of
(HTTP Flood Prevention) X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193.
l Cookie:

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 27

Scan/action Involves

l Session state
l URL in the HTTP header
l HTTP request body

TCP Connection Number l Cookie:

Limit (Malicious IP) l Session state
l Source IP address of the client in the IP layer
l Source port of the client in the TCP layer

HTTP Request Limit/sec l ID field of the IP header

(Shared IP) (HTTP Access l Source IP address of the client depending on your configuration of
Limit) X-header rules.
This could be derived from either the SRC field in the IP header, or
the X-Forwarded-For: and X-Real-IP: HTTP headers. For
details, see Defining your proxies, clients, & X-headers on page 193.
l HTTP request body

HTTP Authentication Authorization:

Global Object White List l Cookie: cookiesession1

l URL if /favicon.ico, AJAX URL parameters such as __
LASTFOCUS, and others as updated by the FortiGuard Security
Service.

ADFS Proxy l Host:

l URL in HTTP header
l Request method in HTTP header
l Other request headers, especially the X-MS-* headers
l Parameters in the URL
l Cookies

URL Access l Source IP address of the client depending on your configuration of

Mobile API Protection l Host:

l URL in HTTP header
l Token header

Padding Oracle Protection l Source IP address of the client depending on your configuration of
X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 28

Scan/action Involves

l Host:
l URL in HTTP header
l Individually encrypted URL, cookie, or parameter

HTTP Protocol Constraints l Source IP address of the client depending on your configuration of
X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193.
l Content-Length:
l Parameter length
l Body length
l Header length
l Header line length
l Count of Range: header lines
l Count of cookies

File Security l Source IP address of the client depending on your configuration of

Parameter Validation l Host:

l URL in the HTTP header
l Name, data type, and length

Bot Deception l Host:

l URL in the HTTP header

Machine Learning - Bot l Source IP address of the client depending on your configuration of
Detection X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193.
l Host:
l URL in the HTTP header
l HTTP version
l Content-Type:
l Response status code
l Request method in HTTP header
l Referer:
l User-Agent:

Cross-site request forgery l <a href>

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 29

Scan/action Involves

(CSRF) attacks l <form>

Protection for Man-in-the- l Host:

Browser (MiTB) attacks l URL in HTTP header
l Request method in HTTP header
l Parameters in URL
l Content-Type:
Biometrics Based Detection l Source IP address of the client depending on your configuration of
X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193
l URL
l Host:
l X-Forwarded-For:

XML Protection l URL

l HTTP header
l Body

JSON Protection l URL

l HTTP header
l Body

Signatures l Source IP address of the client depending on your configuration of

SQL/XSS Syntax Based l Host:

Detection l Cookie:
l URL in HTTP header
l Parameters in URL and request body

Site Publish l Host:

l Cookie:
l URL of the request for the web application

Hidden Fields Protection l Host:

l URL in the HTTP header
l Name, data type, and length of <input type="hidden">

Custom Policy l Source IP address of the client depending on your configuration of

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 30

Scan/action Involves
X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193
l URL in the HTTP header
l HTTP header
l Parameter in the URL, or the HTTP header or body

Threshold Based Detection l Source IP address of the client depending on your configuration of
X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193
l URL
l Host:
l X-Forwarded-For:

User Tracking l Host:

l Cookie:
l Parameters in the URL
l URL in HTTP header
l HTTP body
l Client's certificate

API Gateway l Host:

l URL in HTTP header
l API Key as HTTP parameter in URL
l API Key as HTTP header
l Source IP address of the client depending on your configuration of
API user
l Request methods in HTTP header
l HTTP Referer depending on your configuration of API user

OpenAPI Validation l Host:

l HTTP headers, especially the content-type: headers
l URL in HTTP header
l Request method in HTTP header
l Parameters in URL
l Multipart filename

CORS Protection l Host:

l URL in HTTP header
l Origin:
l Request methods in HTTP header
l HTTP headers including Access-Control-Allow-Origin,
Access-Control-Request-Method, Access-Control-
Request-Headers, Access-Control-Max-Age, Access-

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 31

Scan/action Involves
Control-Expose-Headers, Access-Control-Allow-
Credentials, Access-Control-Allow-Methods, and
Access-Control-Allow-Headers.
URL Rewriting (rewriting & l Host:
redirection) l Referer:
l Location:
l URL in HTTP header
l HTML body

Machine Learning - Anomaly l Source IP address of the client depending on your configuration of
Detection X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193
l URL in the HTTP header
l Request method in HTTP header
l Parameter in the URL, or the HTTP header or body
l Content-Type:

File Compress Accept-Encoding:

Cookie Security Policy l Source IP address of the client depending on your configuration of
X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193
l Cookie:

Reply from server to client

Web Socket Protocol l Upgrade:

Chunk Decoding l Transfer-Encoding

l Raw body

Web Cache l Host:

l HTTP method
l Return code
l URL in the HTTP header
l Content-Type:
l HTTP headers
l Size in kilobytes (KB) of each URL to cache

Bot Deception l Host:

l URL in the HTTP header

Protection for Man-in-the- l Status code

Browser (MiTB) attacks l Response body

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 32

Scan/action Involves

Biometrics Based Detection l Source IP address of the client depending on your configuration of
X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
l URL
l Host:
l X-Forwarded-For:
l HTTP header
l Custom signature
l Body
l The latest HTTP transaction time
l The response content type
l Status code

Acceleration Content-Type:

Signatures l Source IP address of the client depending on your configuration of

X-header rules. This could be derived from either the SRC field in the
IP header, or the X-Forwarded-For: and X-Real-IP: HTTP
headers. For details, see Defining your proxies, clients, & X-headers
on page 193
l HTTP headers
l HTML Body
l URL in HTTP header
l Parameters in URL and body
l XML in the body of HTTP POST requests
l Cookies
l Headers
l JSON Protocol Detection
l Uploaded filename (MULTIPART_FORM_DATA_FILENAME)

Hidden Fields Protection l Host:

l URL in the HTTP header
l Name, data type, and length of <input type="hidden">

Custom Policy l HTTP response code

l Content-Type:
User Tracking l Status code
l HTTP headers
l HTML body

URL Rewriting (rewriting) l Host:

l Referer:
l Location:
l URL in HTTP header
l HTML body

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 33

Scan/action Involves

URL Encryption l Host:

l URL in HTTP header
l Referer:
l Location:
l Return code
l Content-Type:

HTTP Header Security l HTTP headers

IPv6 support

The features below support IPv6-to-IPv6 forwarding in different operation modes. See Planning the network topology on
page 66 for feature support in each operation mode.
NAT64 and NAT46 are supported only in Reverse Proxy mode. No matter the virtual server and the back-end server are
in IPv4 or IPv6 addresses, or mixed with both, IPv4-to-IPv6 and IPv6-to-IPv4 forwarding are fully supported by the
following features.
l IP/Netmask for all types of network interfaces and DNS settings
l Gateway and Destination IP/Mask for IP-layer static routes
l Virtual Server/V-zone
l Server Pool
l Protected Hostnames
l HTTP Server Policy
l X-Forwarded-For
l Client Management
l Cookie Security Policy
l Signatures
l Custom Policy
l Parameter Validation
l Hidden Fields Protection
l File Security
l HTTP Protocol Constraints
l URL Access
l API Gateway
l OpenAPI Validation
l Bot Mitigation Policy
l WebSocket Protocol
l Syntax-based SQL/XSS injection detection
l Man-in-the-Browser (MiTB) attacks
l Padding Oracle Protection

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 34

l Web Cache
l Acceleration
l Replacement Message
l CORS Protection
l Machine Learning - Anomaly Detection
l Machine Learning - Bot Detection
l FortiGate Quarantined IPs
l User tracking
l IP List (manual, individual IP blacklisting/whitelisting)
l File Compress
l Vulnerability scans
l Global Object White List
l Chunk decoding
l FortiGuard server IP overrides (see Connecting to FortiGuard services on page 469)
l URL Rewriting (also redirection)
l HTTP Authentication and LDAP, RADIUS, and NTLM profiles
l Geo IP
l DoS Prevention
l SNMP traps & queries
Features not yet supported are:

If a policy has any virtual servers or server pools that contain physical or domain
servers with IPv6 addresses, it does not apply these features, even if they are
selected.

l Shared IP
l IP Reputation
l Known bots
l Firewall
l Log-based reports
l Alert email
l Syslog and FortiAnalyzer IP addresses
l NTP
l FTP immediate/scheduled
l SCEP
l Anti-defacement
l HA/Configuration sync
l exec restore
l exec backup
l exec traceroute
l exec telnet

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 35

Solutions for specific web attacks

The types of attacks that web servers are vulnerable to are varied, and evolve as attackers try new strategies.
FortiWeb offers numerous configurable features for preventing web-related attacks, including denial-of-service (DoS)
assaults, brute-force logins, data theft, cross-site scripting attacks, among many more.

Early in your deployment of FortiWeb, configure and run web vulnerability scans to
detect the most common attack vulnerabilities. You can use this to discover attacks
to which you may be vulnerable. For details, see Vulnerability scans on page 656.

HTTP/HTTPS threats

Servers are increasingly being targeted by exploits at the application layer or higher. These attacks use HTTP/HTTPS
and may aim to compromise the target web server to steal information, deface it, post malicious files on a trusted site to
further exploit visitors to the site, or use the web server to create botnets.
Among its many threat management features, FortiWeb fends off attacks that use cross-site scripting, state-based
intrusion, and various injection attacks. This helps you comply with protection standards for:
l Credit-card data, such as PCI DSS 6.6
l Personally identifiable information, such as HIPAA
FortiWeb can also protect against threats at higher layers (HTML, Flash or XML applications). The below table lists
several HTTP-related threats and describes how FortiWeb protects servers from them.

Attack Technique Description Protection FortiWeb Solution

Adobe Flash binary Attackers attempt XSS, Decode and scan Flash action Enable AMF3 Protocol
(AMF) protocol attacks SQL injection or other message format (AMF) binary Detection on page 226
common exploits through data for matches with attack
an Adobe Flash client. signatures.

Botnet Utilizes zombies previously Use the FortiGuard IP IP Reputation on page

exploited or infected (or Reputation Service to gather 227
willingly participating), up-to-date threat intelligence
distributed usually globally, on botnets and block attacks.
to simultaneously
overwhelm the target when
directed by the command
and control server(s).

Brute force login attack An attacker attempts to Require strong passwords for Combination access
gain authorization by users, and throttle login control & rate limiting
repeatedly trying ID and attempts. on page 437
password combinations
until one works.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 36

Attack Technique Description Protection FortiWeb Solution

Clickjacking Code such as <IFRAME> Scan for illegal inputs to l Signatures on

HTML tags superimposes prevent the initial injection, page 224
buttons or other then apply rewrites to scrub l Parameter
DOM/inputs of the any web pages that have Validation on page
attacker’s choice over a already been affected. 225
normal form, causing the l Hidden Fields
victim to unwittingly provide Protection on page
data such as bank or login 225
credentials to the attacker’s l URL Rewriting on
server instead of the page 227
legitimate web server when
the victim clicks to submit
the form.

Cookie tampering Attackers alter cookies Validate cookies returned by l Cookie Security
originally established by the the client to ensure that they Policy on page 224
server to inject overflows, have not been altered from l Configuring an
shell code, and other the previous response from HTTP server policy
attacks, or to commit the web server for that HTTP on page 242
identity fraud, hijacking the session.
HTTP sessions of other
clients.

Cross-site request A script causes a browser to Specify web pages that l Defeating cross-
forgery (CSRF) access a website on which FortiWeb protects from CSRF site request forgery
the browser has already attacks using a special token. (CSRF) attacks on
been authenticated, giving page 511
a third party access to a Enforce web application l Configuring a
user’s session on that site. business logic to prevent protection profile
Classic examples include access to URLs from the for inline
hijacking other peoples’ same IP but different client. topologies on page
sessions at coffee shops or 223
Internet cafés. l Configuring an
HTTP server policy
on page 242

Cross-site scripting Attackers cause a browser Content filtering, cookie Cross Site Scripting on
(XSS) to execute a client-side security, disable client-side page 464
script, allowing them to scripts.
bypass security.

Denial of service (DoS) An attacker uses one or Watch for a multitude of TCP DoS Protection Policy
more techniques to flood a and HTTP requests arriving in on page 226
host with HTTP requests, a short time frame, especially
TCP connections, and/or from a single source, and
TCP SYN signals. These close suspicious connections.
use up available sockets Detect increased SYN signals,
and consume resources on close half-open connections

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 37

Attack Technique Description Protection FortiWeb Solution

the server, and can lead to before resources are

a temporary but complete exhausted.
loss of service for legitimate
users.

HTTP header overflow Attackers use specially Limit the length of HTTP HTTP Protocol
crafted HTTP/HTTPS protocol header fields, Constraints on page
requests to target web bodies, and parameters. 224
server vulnerabilities (such
as a buffer overflow) to
execute malicious code,
escalating to administrator
privileges.

Local file inclusion (LFI) LFI is a type of injection Block directory traversal Generic Attacks on
attack. However, unlike commands. page 465
SQL injection attacks, a
database is not always
involved. In an LFI, a client
includes directory traversal
commands (such as
../../for web servers on
Linux, Apple Mac OS X, or
Unix distributions) when
submitting input. This
causes vulnerable web
servers to use one of the
computer’s own files (or a
file previously installed via
another attack mechanism)
to either execute it or be
included in its own web
pages.

This could be used for

many purposes, including
direct attacks of other
servers, installation of
malware, and data theft of
/etc/passwd, display of
database query caches,
creation of administrator
accounts, and use of any
other files on the server’s
file system.

Many platforms have been

vulnerable to these types of

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 38

Attack Technique Description Protection FortiWeb Solution

attacks, including Microsoft

.NET and Joomla.

Man-in-the-middle A device located on the Redirect clients from HTTP to l HTTPS Service on
(MITM) same broadcast network or secure HTTPS, then encrypt page 247
between the client and all traffic and prevent l Configuring an
server observes subsequent accidental HTTP server policy
unencrypted traffic between insecure access. on page 242
them. This is often a l URL Rewriting on
precursor to other attacks page 227
such as session hijacking.

Remote file inclusion RFI is a type of injection Prevent inclusion of Generic Attacks on
(RFI) attack. However, unlike references to files on other page 465
SQL injection attacks, a web servers.
database is not always
involved. In an RFI, a client
includes a URL to a file on a
remote host, such as
source code or scripts,
when submitting input. This
causes vulnerable web
servers to either execute it
or include it in its own web
pages.

If code is executed, this

could be used for many
purposes, including direct
attacks of other servers,
installation of malware, and
data theft.

If code is included into the

local file system, this could
be used to cause other,
unsuspecting clients who
use those web pages to
commit distributed XSS
attacks.

Famously, this was used in

organized attacks by
Lulzsec. Attacks often
involve PHP web
applications, but can be
written for others.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 39

Attack Technique Description Protection FortiWeb Solution

Server information A web server reveals details Configure server software to l Information
leakage (such as its OS, server minimize information Disclosure on page
software and installed leakage. 466
modules) in responses or l To hide application
error messages. An structure and
attacker can leverage this servlet names,
fingerprint to craft exploits Rewriting &
for a specific system or redirecting on page
configuration. 628

SQL injection The web application Rely on key word searches, l Parameter
inadvertently accepts SQL restrictive context-sensitive Validation on page
queries as input. These are filtering and data sanitization 225
executed directly against techniques. l Hidden Fields
the database for Protection on page
unauthorized disclosure 225
and modification of data. l SQL Injection on
page 465

DoS attacks

A denial of service (DoS) attack or distributed denial-of-service attack (DDoS attack) is an attempt to overwhelm a web
server/site, making its resources unavailable to its intended users. DoS assaults involve opening vast numbers of
sessions/connections at various OSI layers and keeping them open as long as possible to overwhelm a server by
consuming its available sockets. Most DoS attacks use automated tools (not browsers) on one or more hosts to
generate the harmful flood of requests to a web server.
A DoS assault on its own is not true penetration. It is designed to silence its target, not for theft. It is censorship, not
robbery. In any event, a successful DoS attack can be costly to a company in lost sales and a tarnished reputation. DoS
can also be used as a diversion tactic while a true exploit is being perpetrated.
The advanced DoS prevention features of FortiWeb are designed to prevent DoS techniques, such as those examples
listed in Solutions for specific web attacks on page 35, from succeeding. For best results, consider creating a DoS
protection policy that includes all of FortiWeb’s DoS defense mechanisms, and block traffic that appears to originate
from another country, but could actually be anonymized by VPN or Tor. For details about policy creation, see DoS
prevention on page 612 and Blacklisting source IPs with poor reputation on page 442.

Attack Technique Description FortiWeb Solution

Botnet Utilizes zombies previously exploited or infected (or IP Reputation on page 227
willingly participating), distributed usually globally, to
simultaneously overwhelm the target when directed by
the command and control server(s). Well-known
examples include LOIC, HOIC, and Zeus.

Low-rate DoS Exploits TCP’s retransmission time-out (RTO) by sending l TCP Connection Number
short-duration, high-volume bursts repeated periodically Limit on page 622 (TCP
at slower RTO time-scales. This causes a TCP flow to flood prevention)

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 40

Attack Technique Description FortiWeb Solution

repeatedly enter a RTO state and significantly reduces l HTTP Request Limit/sec on
TCP throughput. page 619 (HTTP flood
prevention)
l TCP Connection Number
Limit on page 617(malicious
IP prevention)

Slow POST attack Sends multiple HTTP POST requests with a legitimate l URL Access on page 226
Content-Length: field. This tells the web server how l Allow Method on page 226
much data to expect. Each POST message body is then
transmitted at an unusually slow speed to keep the
connection from timing out, and thereby consuming
sockets.

Slowloris Slowly but steadily consumes all available sockets by l Header Length on page 533
sending partial HTTP requests sent at regular intervals. l Number of Header Lines in
Each HTTP header is never finished by a new line (/r/n) Request on page 535
according to the specification, and therefore the server
waits for the client to finish, keeping its socket open. This
slowly consumes all sockets on a web server without a
noticeable spike on new TCP/IP connections or
bandwidth.

Not all web servers are vulnerable, and susceptibility can

vary by configuration. Default Apache configurations may
be more vulnerable than a server like nginx that is
designed for high concurrency.

SYN flood Sends a stream of TCP SYN packets. The target server Syn Cookie on page 252
acknowledges each SYN and waits for a response (ACK).
Rather than respond, the attacker sends more SYN
packets, leaving each connection half-open, not fully
formed, so that it may not register on systems that only
monitor fully formed connections. Since each half-formed
connection requires RAM to remember this state while
awaiting buildup/tear-down, many SYN signals eventually
consume available RAM or sockets.

HTTP/2 support

If the FortiWeb is deployed in Reverse Proxy (see Topology for Reverse Proxy mode on page 74) or True Transparent
Proxy (see Topology for either of the transparent modes on page 77) mode, HTTP/2 web communication can be
protected by almost all the FortiWeb's security services except:
l WebSocket (see WebSocket protocol on page 545)
l NTML Authentication (see Configuring an NTLM server on page 349)

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 41

Note: HTTP/2 traffic will bypass the WebSocket and NTML authentication security services (even if the services are
well-configured).

How to enable HTTP/2 support

Deployment in Reverse Proxy mode

When the FortiWeb is operating in Reverse Proxy mode, it can provide end-to-end HTTP/2 security which requires both
clients and back-end servers running HTTP/2. Moreover, if the back web servers do not support HTTP/2, FortiWeb (in
Reverse Proxy mode) provides the HTTP/2 protections also with conversion protocols between HTTP/2 clients and
HTTP/1.1 back-end servers. This allows customers to enjoy HTTP/2 benefits without having to upgrade their web
servers. Therefore, when the FortiWeb is operating in Reverse Proxy mode, it requires two necessary configurations for
HTTP/2 security:
l Server Policy: Enable HTTP/2 in a Server Policy (see HTTP/2 on page 247), so that HTTP/2 can be negotiated
between FortiWeb and clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake, if
the client's browser supports HTTP/2 protocol. Then, FortiWeb can recognize HTTP/2 traffic and apply the security
services to it.
l Server Pool: Enable HTTP/2 for a Server Pool (see HTTP/2 on page 173) if your back-end web servers are
running HTTP/2. This indicates HTTP/2 communication between FortiWeb and the backend servers in the server
pool. HTTP/2 Traffic processed by FortiWeb will be forwarded to the back web servers through HTTP/2. However, if
your web servers do not support HTTP/2, keep the option disabled and FortiWeb will convert the processed HTTP/2
traffic to HTTP/1.x and forward it to the backend servers. Please note that enable this only if your back web
servers really support HTTP/2, or connections will go failed.

When FortiWeb operates in Reverse Proxy mode, HTTP Content Routing is partially
supported if HTTP/2 security inspection is enabled. In such cases, FortiWeb can
handle HTTP/2 for client requests, but traffic between FortiWeb and the server(s)
must use HTTP, so the HTTP/2 setting in a server pool configuration would have to
remain disabled. For details, see Routing based on HTTP content on page 180.

Deployment in True Transparent Proxy mode

Conversion between HTTP/2 clients and HTTP/1.1 back-end servers is not available when the FortiWeb is operating in
True Transparent Proxy mode. Therefore, FortiWeb's HTTP/2 inspection must work with the back web servers that
really support HTTP/2. When your FortiWeb is operating in True Transparent Proxy mode, only one configuration is
required to enable the HTTP/2 support:
l Server Pool: Enable SSL and HTTP/2 in a Server Pool (see To configure a server pool on page 170). Please
make sure your back-end web servers are running HTTP/2, or no HTTP/2 connections will be established between
clients and the back servers and enabling HTTP/2 support on the FortiWeb will be kind of meaningless.
Note: FortiWeb only supports HTTP/2 for HTTPS (SSL) connections (most browsers support HTTP/2 for only HTTPS).
Therefore, for deployment in Reverse Proxy or True Transparent Proxy mode, HTTPS or SSL on the FortiWeb must be
enabled for HTTP/2.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 42

HTTP sessions & security

The HTTP 1.1 protocol itself is stateless (e.g., has no inherent support for persistent sessions). Yet many web
applications add sessions to become stateful.
What is a session? What is statefulness?
How do they impact security on the web?
Sessions are a correlation of requests for individual web pages/data (“hits”) into a sense of an overall “visit” for a client
during a time span, but also retain some memory between events. They typically consist of a session ID coupled with its
data indicating current state. Classic examples include logins, showing previously viewed items, and shopping carts.
The reason why HTTP applications must add sessions is related to how software works: software often changes how it
appears or acts based upon:
l Input you supply (e.g. a mouse click or a data file)
l System events (e.g. time or availability of a network connection)
l Current state (i.e. the product of previous events—history)
At each time, some inputs/actions are known to be valid and possible, while others are not. Without memory of
history to define the current context, which actions are valid and possible, and therefore how it should
function, cannot be known.
When software cannot function without memory, it is stateful. Many important features—denying access if a person is
not currently logged in, for example, or shipping what has been added to a shopping cart—are stateful, and therefore
can’t be supported by purely stateless HTTP according to the original RFC. Such features require that web apps
augment the HTTP protocol by adding a notion of session memory via:
l Cookies per RFC 2965 (http://tools.ietf.org/html/rfc2965)
l Hidden inputs
l Server-side sessions
l Other means (see Authentication styles on page 337)
Because memory is an accumulation of input, sessions have security implications.
l Can a different client easily forge another session?
l Are session IDs reused in encrypt form data, thereby weakening the encryption?
l Are session histories used to check for invalid next URLs or inputs (state transitions)?
When sessions are not protected to prevent misuse, attackers can use software in unexpected ways to
expose vulnerabilities.
For example, let’s say there is a vending machine full of snacks. You must first insert the proper amount of money
before the machine will give you a selected snack. If you provide an insufficient amount of money for the selected
snack, the machine will do nothing.
The vending machine is designed so that it must be in a state in which it has received enough money before it will
dispense the snack (or return your change).

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 43

If the vending machine has no notion of states, it would dispense free snacks or change regardless of whether it had
received any money. While free snacks might make some hungry people happy, it's not the intended behavior. We
would say that the vending machine is broken.

Similar to the working vending machine, in the TCP protocol, a connection cannot be acknowledged (ACK) or data sent
(PSH) before the connection has been initiated (SYN). There is a definite order to valid operations, based upon the
operation that preceded it. If a connection is not already established—not in a state to receive data—then the receiver
will disregard it.
Similar to the broken vending machine, the naked HTTP protocol has no idea what the previous HTTP request was,
and therefore no way to predict what the next one might be. Nothing is required to persist from one request to the next.
While this was adequate at the time when HTTP was initially designed, when it purely needed to retrieve static text or
HTML documents, as the World Wide Web evolved, this was no longer enough. Static pages evolved into dynamic CGI-
generated and JavaScripted pages. Dynamic pages use programs to change the page. Scripted pages eventually
evolved to fully-fledged multimedia web applications with their own client-server architecture. As pages became
software in their own right, a need for sessions arose.
When a web application has its own native authentication, the session may correspond directly with its authentication
logs—server-side sessions may start with a login and end with a logout/session timeout. Within each session, there are
contexts that the software can use to determine which operations make sense. For example, for each live session, a
web application might remember:
l Who is the client? What is his/her user name?
l Where is the client?

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 44

l What pages has the client already seen today?

l What forms has the client already completed?
However, sessions alone are not enough to ensure that a client’s requested operations make sense. The client’s next
page request in the session could break the web application’s logic unless requests are restricted to valid ones.
For example, a web application session may remember that a client has authenticated to it. But unless the web
application also knows what pages a client is authorized to use, there might be nothing to prevent a client from
accessing unauthorized content.

If a web application doesn't enforce valid state transitions and guard session IDs and cookies from fraud (including side-
jacking attacks made famous by Firesheep) or cookie poisoning, web applications become vulnerable to state transition-
based attacks—attacks in which pages are requested out of the expected order, by a different client, or where inputs
used for the next page are not as expected. While many web applications reflect business logic in order to function, not
all applications validate state transitions to enforce application logic. Other web applications do attempt to enforce the
software’s logic, but do not do so effectively. In other cases, the state enforcement itself has bugs. These are all
common causes of security vulnerabilities.

Similar to plain HTTP, SSL/TLS also keeps track of what steps the client has
completed in encryption negotiation, and what the agreed keys and algorithms are.
These HTTPS sessions are separate from, and usually in addition to, HTTP
sessions. Attacks on SSL/TLS sessions are also possible, such as the SPDY
protocol/Deflate compression-related CRIME attack.

FortiWeb sessions vs. web application sessions

FortiWeb can add its own sessions to enforce the logic of your web applications, thereby hardening their security,
even without applying patches.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 45

Your web application may have its own sessions data—one or more. These are not
the same as FortiWeb sessions, unless FortiWeb is operating in a mode that does
not support FortiWeb session cookies, and therefore uses your web application’s
own sessions as a cue (see Session Key in Configuring a protection profile for
inline topologies on page 223).
FortiWeb does not replace or duplicate sessions that may already be implemented
in your web applications, such as the JSESSIONID parameter common in Java
server pages (JSP), or web applications’ session cookies such as the TWIKISID
cookie for Twiki wikis.
However, it can protect those sessions. To configure protection for your web
application’s own sessions, see options such as Cookie Security Policy, and
Hidden Fields Protection in Configuring a protection profile for inline topologies
on page 223.

For example, to limit the number of TCP connections of a same user per HTTP session, you can use session cookies to
identify the same user. Enable Client Management in inline web protection profile. When enabled and a client sends
requests:
1. For the first HTTP/HTTPS request from a client, FortiWeb embeds a cookie in the response’s Set-Cookie: field
in the HTTP header. It is named cookiesession1. (FortiWeb does not use source IP addresses and timestamps
alone for sessions: NAT can cloak multiple clients; clocks can be altered.)
2. Later requests from the same client must include this same cookie in the Cookie: field to be regarded as part of
the same session. Otherwise, the request will be regarded as session-initiating, and return to the first step.
Once a request’s session is identified by the session ID in this cookie (e.g.
K8BXT3TNYUM710UEGWC8IQBTPX9PRWHB), FortiWeb can perform any configured tracking or enforcement
actions that are based upon the requests that it remembers for that session ID, such as rate limiting per session ID
per URL (see Limiting the total HTTP request rate from an IP on page 613). Violating traffic may be dropped or
blocked, depending on your configuration.
3. After some time, if FortiWeb has not received any more requests, the session will time out.
For the next request from that client, if it contains the old session cookie, the time out period will be For the first
HTTP/HTTPS request from a client, FortiWeb embeds a cookie in the response’s Set-Cookie: field in the HTTP
header. It is named cookiesession1. (FortiWeb does not use source IP addresses and timestamps alone for
sessions: NAT can cloak multiple clients; clocks can be altered.)

Exceptions to this process include network topologies and operation modes that do
not support FortiWeb session cookies: instead of adding its own cookie, which is not
possible, FortiWeb can instead cue its session states from your web application’s
cookie. See Session Key in Configuring a protection profile for inline topologies on
page 223.

Traffic logs include the HTTP/HTTPS session ID so you can locate all requests in each session. Correlating requests by
session ID can be useful for forensic purposes, such as when analyzing an attack from a specific client, or when
analyzing web application behavior that occurs during a session so that you can design an appropriate policy to protect
it. For details, see Viewing log messages on page 718.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 46

Sessions & FortiWeb HA

The table of FortiWeb client session histories is not synchronized between HA members. If a failover occurs, the new
active appliance will recognize that old session cookies are from a FortiWeb, and will allow existing FortiWeb sessions
to continue. Clients’ existing sessions will not be interrupted.

Because the new active appliance does not know previous session history, after
failover, for existing sessions, FortiWeb cannot enforce actions that are based on:
l The count or rate of requests that it remembers for that session ID, such as rate
limiting per session ID per URL. For details, see Limiting the total HTTP
request rate from an IP on page 613.

New sessions will be formed with the current main appliance.

For details about what data and settings are synchronized by HA, see HA heartbeat on page 114 and HA heartbeat &
active node election on page 114.

Example: Magento & FortiWeb sessions during failover

A client might connect through a FortiWeb HA pair to an e-commerce site. The site runs Magento, which sets cookies in
a server pool. To prevent session stealing and other session-based attacks, Magento can track its own cookies and
validate session information in $_SESSION using server-side memory.

In the FortiWeb HA pair that protects the server pool, you have enabled Configuring a protection profile for inline
topologies on page 223 so that the active appliance (FortiWeb A) also adds its own cookie to the HTTP response from
Magento. The HTTP response therefore contains 2 cookies:
l Magento’s session cookie
l FortiWeb’s session cookie
The next request from the client echoes both cookies. It is for an authorized URL, so FortiWeb A permits the website to
respond.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 47

FortiWeb HA pair FortiWeb B

Standby
FortiWeb A
Active

View

Set-Cookie: name=cookiesession1...
on1.
..

Let’s say you then update FortiWeb A’s firmware. During the update, the standby appliance (FortiWeb B) briefly
assumes the role of the active appliance while FortiWeb A is applying the update and rebooting (e.g., a failover occurs).
After the failover, FortiWeb B would receive the next HTTP request in the session. Because it was previously the
standby when the client initiated the session, and FortiWeb session tables are not synchronized, FortiWeb B has no
knowledge of the FortiWeb session cookie in this request.
However, a FortiWeb session cookie is present. Therefore FortiWeb B would permit the new request (assuming that it
has no policy violations).

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 48

Active Cookies accepted

though sessions
Failover Modify
are not
synchronized
Standby

View
Co
ok
ie
:
na
me
=c
oo
ki
es

es
Cook si
ie: on
1.
Login name
=coo
kies
essi

..

Set-Cookie: name=cookiesession1...
on1.
..

Since web application sessions are not the same as FortiWeb sessions, Magento
sessions continue and are unaffected by the failover.

If the client deletes their FortiWeb session cookie or it times out, FortiWeb B regards the next request as a new
FortiWeb session, adding a new FortiWeb session cookie to Magento’s response and creating an entry in FortiWeb B’s
session table.

FortiWeb high availability (HA)

By default, FortiWeb appliances are each a single, standalone appliance. They operate independently.
If you have purchased more than one, however, you can configure multiple FortiWeb appliances in active-passive,
standard active-active, or high volume active-active HA mode. This improves availability so that you can achieve
99.999% service level agreement (SLA) uptimes regardless of, for example, hardware failure or maintenance periods.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 49

If you have multiple FortiWeb appliances but do not need failover, you can still
synchronize the configuration. This can be useful for cloned network environments
and externally load-balanced active-active HA. For details, see Replicating the
configuration without FortiWeb HA (external HA) on page 119.

You can use the FortiWeb WCCP feature to create an active-active HA group. You
synchronize the members using FortiWeb's configuration synchronization feature so
that each member is ready to act as backup if the other appliance is not available.
The WCCP server provides load balancing between the HA pair and redirects all
traffic to one member if the other member is unavailable. For details, see Example:
Using WCCP with multiple FortiWeb appliances on page 207.

Active-Passive HA

In Active-Passive HA, one appliance is elected to be the active appliance (also called the primary, main, or master),
applying the policies for all connections. The other is a passive standby (also called the secondary, or slave), which
assumes the role of the active appliance and begins processing connections only if the active appliance fails.
This is an example of an active-passive HA topology.

Standard Active-Active HA

A standard active-active HA group created in Reverse Proxy and True Transparent Proxy modes can consist of up to
eight FortiWebs. One of the member appliances will be selected as the master appliance, while the others are slaves.
The master appliance in a standard active-active HA group plays the role as the central controller to receive traffic from
clients and send the processed traffic to back-end web servers, and vice versa (the traffic shown in green in the following
graph). The master appliance distributes the traffic to all the HA members (including itself) according to the specified
load-balancing algorithm so that each FortiWeb appliance performs the security services to protect the traffic (the traffic
shown in red in the following graph).

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 50

This is an example of a standard active-active HA group:

The master node uses the following load-balancing algorithms to distribute received traffic over the available HA
members:
l By source IP: consistently distribute the traffic coming from a source to the same HA member (the default
algorithm).
l By connections: dynamically distribute traffic to a member who has the fewest connections processing.
l Round-Robin: distribute traffic among the available members in a circular order.
All the HA members, including the master appliance, are the candidates for the algorithms, unless failure is detected on
any of them. Traffic distribution is based on TCP/UDP sessions, which means once the first packet of a TCP/UDP
session is assigned to a member, the subsequent packets of the session will be consistently distributed to the same
appliance during a time period. For more details, see FortiWeb high availability (HA) on page 48.

Although algorithm By source IP distribute the subsequent traffic coming from the
same source IP address to a fix HA member, it performs weighted round-robin to
determine the member for the first packet coming from the IP address. You can
configure the weights between the members through the CLI command set
weight in system ha. For details, see FortiWeb CLI Reference.

If a slave failure is detected, the slave appliance will be ignored by the master for its traffic distribution. If the master
fails, one of the slave appliances will take it over as a master immediately (see How HA chooses the active appliance on
page 115).
Once the master appliance fails and a slave takes it over, subsequent traffic of all sessions that have been established
for longer than 30 seconds will be transferred to the new master for distribution (those sessions distributed to the
original master appliance by itself are not included, since the original master lost them while it failed). To distribute the
original sessions in the original way, the new master has to know how they are mapped. To provide a seamless takeover
for this, a master appliance must maintain the mapping information (called session information as well) for all the
sessions and synchronize it to all the other HA members all the time, so that when a slave becomes the master the
subsequent traffic of the original sessions can be destined to where they were.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 51

Although session synchronization in active-active HA guarantees a seamless

takeover, it brings extra CPU and bandwidth consumption as well. The session
synchronization is disabled by default, and you can enable it through the CLI
command set session-pickup in system ha. For details, see FortiWeb
CLI Reference.

High volume active-active HA

A high volume active-active HA group can be created in Reverse Proxy operation mode and supports up to eight
FortiWebs. One of the member appliances will be selected as the master appliance, while the others are slaves (see
How HA chooses the active appliance on page 115).
In high volume active-active mode, one or more unique virtual IPs are attached to each member. The traffic destined to
the virtual IPs is directed to the corresponding member. Once this member is down, its backup appliance can take over
the traffic to the virtual IPs.
Unlike the standard active-active HA mode where the master acts as a traffic distributor, the members in high volume
active-active mode don't reply on the master to distribute traffic, instead, they can directly receive traffic from the clients
and process the traffic independently. It significantly increases the traffic throughput of the HA group.
This is an example of a high volume active-active HA group:

See also

l Updating firmware on an HA pair on page 96

l SNMP traps & queries on page 727
l HA heartbeat on page 114
l How HA chooses the active appliance on page 115
l HA heartbeat & active node election on page 114
l Fail-to-wire for power loss/reboots on page 667

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 52

l Topologies for high availability (HA) clustering on page 80

l Replicating the configuration without FortiWeb HA (external HA) on page 119

Administrative domains (ADOMs)

Administrative domains (ADOMs) enable the admin administrator to constrain other FortiWeb administrators’ access
privileges to a subset of policies and protected host names. This can be useful for large enterprises and multi-tenant
deployments such as web hosting.
ADOMs are not enabled by default. Enabling and configuring administrative domains can only be performed by the
admin administrator.
Enabling ADOMs alters the structure of and the available functions in the GUI and CLI, according to whether or not you
are logging in as the admin administrator, and, if you are not logging in as the admin administrator, the administrator
account’s assigned access profile.

Differences between administrator accounts when ADOMs are enabled

admin administrator account Other administrators

Access to config global Yes No

Can create administrator accounts Yes No

Can create & enter all ADOMs Yes No

If ADOMs are enabled and you log in as admin, a superset of the typical CLI commands appear, allowing unrestricted
access and ADOM configuration.
config global contains settings used by the FortiWeb itself and settings shared by ADOMs, such as RAID and
administrator accounts. It does not include ADOM-specific settings or data, such as logs and reports. When configuring
other administrator accounts, an additional option appears allowing you to restrict other administrators to an ADOM.
If ADOMs are enabled and you log in as any other administrator, you enter the ADOM assigned to your account. A
subset of the typical menus or CLI commands appear, allowing access only to only logs, reports, policies, servers, and
LDAP queries specific to your ADOM. You cannot access global configuration settings, or enter other ADOMs.
By default, administrator accounts other than the admin account are assigned to the root ADOM, which includes all
policies and servers. By creating ADOMs that contain a subset of policies and servers, and assigning them to
administrator accounts, you can restrict other administrator accounts to a subset of the FortiWeb’s total protected
servers.
The admin administrator account cannot be restricted to an ADOM. Other administrators are restricted to their ADOM,
and cannot configure ADOMs or global settings.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 53

To enable ADOMs

1. Log in with the admin account.

Other administrators do not have permissions to configure ADOMs.

Back up your configuration. Enabling ADOMs changes the structure of your

configuration, and moves non-global settings to the root ADOM. For details
about how to back up the configuration, see Backups on page 322.

2. Go to System > Status > Status. From the System Information widget, in the Administrative Domains row,
click Enable.
FortiWeb terminates the session.
3. Log in again.
When ADOMs are enabled, and if you log in as admin, the navigation menu on the left changes: the top level lists
two ADOM items: Global and root.
Global contains settings that only admin or other accounts with the prof_admin access profile can change.
root is the default ADOM.
This menu and CLI structure change is not visible to non-global accounts; ADOM administrators’ navigation menus
continue to appear similar to when ADOMs are disabled, except that global settings such as network interfaces,
HA, and other global settings do not appear.
4. Continue by defining ADOMs. For details, see Defining ADOMs on page 53.

To disable ADOMs

1. Delete all ADOM administrator accounts.

Back up your configuration. Disabling ADOMs changes the structure of your

configuration, and deletes most ADOM-related settings. It keeps settings from
the root ADOM only. For details about how to back up the configuration, see
Backups on page 322.

2. Go to System > Status > Status, then in the System Information widget, in the Administrative Domains
row, click Disable.
3. Continue by reconfiguring the appliance. For details, see How to set up your FortiWeb on page 66.

See also

l Permissions on page 56
l Defining ADOMs on page 53
l Assigning administrators to an ADOM on page 55
l Administrators on page 328
l Configuring access profiles on page 331

Defining ADOMs

Some settings can only be configured by the admin account—they are global. Global settings apply to the appliance
overall regardless of ADOM, such as:

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 54

l Operation mode
l Network interfaces
l System time
l Backups
l Administrator accounts
l Access profiles
l FortiGuard connectivity settings
l HA and configuration sync
l SNMP
l RAID
l Vulnerability scans
l exec ping and other global operations that exist only in the CLI
Only the admin account can configure global settings.

In the current release, some settings, such as user accounts for HTTP
authentication, anti-defacement, and logging destinations are read-only for ADOM
administrators. Future releases will allow ADOM administrators to configure these
settings separately for their ADOM.

Other settings can be configured separately for each ADOM. They essentially define each ADOM. For example,
the policies of adom-A are separate from adom-B.
Initially, only the root ADOM exists, and it contains settings such as policies that were global before ADOMs were
enabled. Typically, you will create additional ADOMs, and few if any administrators will be assigned to the root
ADOM.
After ADOMs are created, the admin account usually assigns other administrator accounts to configure their ADOM-
specific settings. However, as the root account, the admin administrator does have permission to configure all settings,
including those within ADOMs.

To create an ADOM

1. Log in with the admin account.

Other administrators do not have permissions to configure ADOMs.
2. Go to Global > System > Administrative Domain > Administrative Domain.

The maximum number of ADOMs you can add varies by your FortiWeb model.
The number of ADOMs is limited by available physical memory (RAM), and
therefore also limits the maximum number of policies and sessions per ADOM.
See Appendix B: Maximum configuration values on page 865.

3. Click Create New, enter the Name, then click OK.

The new ADOM exists, but its settings are not yet configured. Alternatively, to configure the default root ADOM,
click root.
4. Do one of the following:
l assign another administrator account to configure the ADOM (continue with Assigning administrators to an
ADOM on page 55), or

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 55

l configure the ADOM yourself: in the navigation menu on the left, click the ADOM list on the top level to display
all the ADOMs, click the name of the new ADOM, then configure its policies and other settings as usual.
l configure the ADOM yourself: in the navigation menu on the left, click Administrative Domains, click the
name of the new ADOM, then configure its policies and other settings as usual.

See also

l Assigning administrators to an ADOM on page 55

l Administrative domains (ADOMs) on page 52
l Administrators on page 328
l Configuring access profiles on page 331
l Permissions on page 56

Assigning administrators to an ADOM

The admin administrator can create other administrators and assign their account to an ADOM, constraining them to
that ADOM’s configurations and data.

To assign an administrator to an ADOM

1. If you have not yet created any administrator access profiles, create at least one. For details, see Configuring
access profiles on page 331.
2. In the administrator account’s Access Profile on page 330, select the new access profile.
(Administrators assigned to the prof_admin access profile will have global access. They cannot be restricted to an
ADOM.)
3. In the administrator account’s Administrative Domain on page 331, select the account’s assigned ADOM.
Currently, in this version of FortiWeb, administrators cannot be assigned to more than one ADOM.

See also

l Administrators on page 328

l Configuring access profiles on page 331
l Defining ADOMs on page 53
l Permissions on page 56

How to use the web UI

This topic describes aspects that are general to the use of the web UI, a graphical user interface (GUI) that provides
access the FortiWeb appliance from within a web browser.

System requirements

The management computer that you use to access the web UI must have:

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 56

l A compatible web browser, such as Microsoft Edge 41 or greater, Mozilla Firefox 59 or greater, or Google Chrome
65 or greater
l Adobe Flash Player 10 or greater plug-in
To minimize scrolling, the computer’s screen should have a resolution that is a minimum of 1280 x 1024 pixels.

URL for access

For first-time connection, see Connecting to the web UI on page 84.

The default URL to access the web UI through the network interface on port1 is:
https://192.168.1.99
If the network interfaces were configured during installation of the FortiWeb appliance (see Configuring the network
settings on page 124), the URL and/or permitted administrative access protocols may no longer be in their default state.
In that case, use either a DNS-resolvable domain name for the FortiWeb appliance as the URL, or the IP address that
was assigned to the network interface during the installation process.
For example, you might have configured port2 with the IP address 192.0.2.155 and enabled HTTPS. You might have
also configured a private DNS server on your network to resolve FortiWeb.example.com to 192.0.2.155. In this case, to
access the web UI through port2, you could enter either https://FortiWeb.example.com/ or
https://192.0.2.155/.
For details about enabling administrative access protocols and configuring IP addresses for the FortiWeb appliance, see
Configuring the network settings on page 124.

If the URL is correct and you still cannot access the web UI, you may also need to
configure FortiWeb to accept login attempts for your administrator account from that
computer (that is, trusted hosts), and/or static routes. For details, see
Administrators on page 328 and Adding a gateway on page 142.

Permissions

Depending on the account that you use to log in to the FortiWeb appliance, you may not have complete access to all
CLI commands or areas of the web UI.
Together, both:
l Access profiles and
l Administrative domains (ADOMs)
control which commands and settings an administrator account can use.
Access profiles assign either:
l Read (view access)
l Write (change and execute access)
l Both Read and Write
l No access
to each area of the FortiWeb software.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 57

Similar to VDOMs on FortiGate, ADOMs on FortiWeb divide policies and other settings so that they each can be
assigned to a different administrators.

Areas of control in access profiles

Access profile setting Grants access to*

Admin Users System > Admin ... except Settings Web UI

admingrp config system admin CLI
config system accprofile
Auth Users User ... Web UI
authusergrp config user ... CLI

Log & Report Log & Report ... Web UI

loggrp config log ... CLI
execute formatlogdisk

Maintenance System > Maintenance except System Time tab Web UI

mntgrp diagnose system ... CLI
execute backup ...
execute factoryreset
execute rebootexecute restore ...
execute shutdown
diagnose system flash ...

Network Configuration System > Network ... Web UI

netgrp config system interface CLI
config system dns
config system v-zone
diagnose network ... except sniffer ...
Router Configuration Router ... Web UI
routegrp config router ... CLI

System Configuration System ... except Network, Admin, and Maintenance tabs Web UI
sysgrp config system except accprofile, admin, dns, interface, and CLI
v-zone
diagnose hardware ...
diagnose network sniffer ...
diagnose system ... except flash ...
execute date ...
execute ha ...
execute ping ...
execute ping-options ...
execute traceroute ...
execute time ...

Server Policy Policy > Server Policy ... Server Objects ... Application Delivery ... Web UI
Configuration

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 58

Access profile setting Grants access to*

traroutegrp config server-policy ... except custom-application ... CLI
config waf file-compress-rule

config waf http-authen ...

config waf url-rewrite ...
diagnose policy ...

Web Anti-Defacement Web Anti-Defacement ... Web UI

Management
wadgrp config wad ... CLI

Web Protection Policy > Web Protection ... Web UI

Configuration Web Protection ...
DoS Protection ...
wafgrp config system dos-prevention CLI
config waf except:
l config waf file-compress-rule
l config waf http-authen ...
l config waf url-rewrite ...
l config waf web-custom-robot
l config waf web-robot
l config waf x-forwarded-for
Web Vulnerability Web Vulnerability Scan ... Web UI
Scan Configuration
wvsgrp config wvs ... CLI

* For each config command, there is an equivalent get/ show command, unless otherwise noted.
config access requires write permission.
get/ show access requires read permission.

Unlike other administrator accounts, the administrator account named admin exists by default and cannot be deleted.
The admin administrator account is similar to a root administrator account. This administrator account always has full
permission to view and change all FortiWeb configuration options, including viewing and changing all other
administrator accounts and ADOMs. Its name and permissions cannot be changed. It is the only administrator account
that can reset another administrator’s password without being required to enter that administrator’s existing password.

Set a strong password for the admin administrator account, and change the
password regularly. By default, this administrator account has no password. Failure
to maintain the password of the admin administrator account could compromise
the security of your FortiWeb appliance.

For complete access to all commands and abilities, you must log in with the administrator account named admin.

See also

l Configuring access profiles on page 331

l Administrators on page 328

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 59

l Administrative domains (ADOMs) on page 52

l Trusted hosts on page 59

Trusted hosts

As their name implies, trusted hosts are assumed to be (to a reasonable degree) safe sources of administrative login
attempts.
Configuring the trusted hosts of your administrator accounts (Trusted Host #1 on page 330, Trusted Host #2 on page
330, and Trusted Host #3 on page 330) hardens the security of your FortiWeb appliance by further restricting
administrative access. In addition to knowing the password, an administrator must connect only from the computer or
subnets you specify. The FortiWeb appliance will not allow logins for that account from any other IP addresses. If all
administrator accounts are configured with specific trusted hosts, FortiWeb will ignore login attempts from all other
computers. eliminates the risk that FortiWeb could be compromised by a brute force login attack from an untrusted
source.
Trusted host definitions apply both to the web UI and to the CLI when accessed through Telnet, SSH, or the Status
dashboard on page 681. Local console access is not affected by trusted hosts, as the local console is by definition not
remote, and does not occur through the network.
Relatedly, you can white-list trusted end-user IP addresses. End users do not log in to the web UI, but their connections
to protected web servers are normally subject to protective scans by FortiWeb unless the clients are trusted. For details,
see Blacklisting & whitelisting clients using a source IP or source IP range on page 447.

See also

l Administrators on page 328

l Configuring access profiles on page 331
l Permissions on page 56

Maximum concurrent administrator sessions

If single administrator mode is enabled, you will not be able to log in while any other account is logged in. You must
either wait for the other person to log out, or power cycle the appliance.
For details, see How to use the web UI on page 55.

Global web UI & CLI settings

Some settings for connections to the web UI and CLI apply regardless of which administrator account you use to log in.

To configure administrator settings

1. Go to System > Admin > Settings.

To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the System Configuration category. For details, see Permissions on page 56.
2. Configure these settings:

Web Administration Ports

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 60

HTTP Type the TCP port number on which the FortiWeb appliance will listen for
HTTP administrative access. The default is 80.
The HTTP access to FortiWeb's GUI will be automatically redirected to
HTTPS.

This setting has an effect only if HTTP on page 128 is enabled as an

administrative access protocol on at least one network interface. For
details, see Configuring the network interfaces on page 126.

HTTPS Type the TCP port number on which the FortiWeb appliance will listen for
HTTPS administrative access. The default is 443.

This setting has an effect only if HTTPS on page 127 is enabled as an

administrative access protocol on at least one network interface. For
details, see Configuring the network interfaces on page 126.

HTTPS Server Select the certificate that FortiWeb uses for secure connections to its
Certificate Web UI. For details, see How to offload or inspect HTTPS on page 396.
Certificates stored in System > Admin > Admin Cert Local are listed
here for options. defaulthttpscert is the Fortinet factory default
certificate. For details, see How to change FortiWeb's default certificate
on page 431.

Config-Sync Type the TCP port number on which the FortiWeb appliance will listen for
configuration synchronization requests from the peer/remote FortiWeb
appliance. The default is 995.

For details, see Replicating the configuration without FortiWeb HA

(external HA) on page 119.

Note: This is not used by HA. See FortiWeb high availability (HA) on
page 48.

Timeout Settings
Idle Timeout Type the number of minutes that a web UI connection can be idle before
the administrator must log in again. The maximum is 480 minutes
(8 hours). To maintain security, keep the idle timeout at the default value
of 5 minutes.

Language
Web Administration Select which language to use when displaying the web UI.

Languages currently supported by the web UI are:

l English
l Simplified Chinese
l Traditional Chinese
l Japanese

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 61

The display’s web pages will use UTF-8 encoding, regardless of which
language you choose. UTF-8 supports multiple languages, and allows
them to display correctly, even when multiple languages are used on the
same web page.

For example, your organization could have websites in both English and
simplified Chinese. Your FortiWeb administrators prefer to work in the
English version of the web UI. They could use the web UI in English while
writing rules to match content in both English and simplified Chinese
without changing this setting. Both the rules and the web UI will display
correctly, as long as all rules were input using UTF-8.

Usually, your text input method or your management computer’s

operating system should match the display by also using UTF-8. If they
do not, your input and the web UI may not display correctly at the same
time.

For example, your web browser’s or operating system’s default encoding

for simplified Chinese input may be GB2312. However, you usually
should switch it to be UTF-8 when using the web UI, unless you are
writing regular expressions that must match HTTP client’s requests, and
those requests use GB2312 encoding.

Note: Regular expressions are impacted by language. For details, see

Language support on page 888.

Note: This setting does not affect the display of the CLI.
Password Policy

Minimum length Enable to set the minimum password length. The valid range is 8–128,
and the default value is 8.

Enable Single Admin Enable to activate login by single admin user.

User login

Character requirements Enable to configure the password characters, the upper/lower case,
numbers, and special characters.

Forbid password reuse Enable to set the number of history passwords that can not be reused.

Password expiration Enable to enter the valid period of the password. The valid range is 1–999
days.

3. Click Apply.

See also

l Configuring the network interfaces on page 126

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 62

Buttons, menus, & the displays

A navigation menu is located on the left side of the web UI. To expand a menu item, simply click it. To expand a
submenu item click the > button located next to the submenu name, or click the submenu name itself. To view the
pages located within a submenu, click the name of the page.

Do not use your browser’s Back button to navigate—pages may not operate
correctly. Instead, use the navigation menu, tabs, and buttons within the pages of
the web UI.

To expand or collapse an area of the menu, click the name of the area itself. Within each area may be multiple
submenus. To expand or collapse a submenu, click the > or v button next to the submenu name, or click the name of
the submenu itself.
Within each submenu may be one or more tabs or sub-panes, which are displayed to the right of the navigation menu, in
the content pane. At the top of the content pane is a toolbar. The toolbar contains buttons that enable you to perform
operations on items displayed in the content pane, such as importing or deleting entries.
Each tab or pane (per Permissions on page 56) displays or allows you to modify settings, using a similar set of buttons.

Common buttons and menus

Icon Description

Click to collapse a visible area.

Click to expand a hidden area.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 63

Icon Description

Click to view the first page’s worth of records within the tab. or pane.

If this button is grey, you are already viewing the first page.

Click to view the previous page’s worth of records within the tab or pane.

If this button is grey, you are viewing the first page.

To go to a specific page number, type the page number in the field and press Enter.

The total number of pages depends on the number of records per page.

Click to view the next page’s worth of records within the tab or pane.

If this button is grey, you are viewing the last page.

Click to view the last page’s worth of records within the tab or pane.

If this button is gray, you are already viewing the last page.

Click to create a new entry using only typical default values as a starting point.

Click to create a new entry by duplicating an existing entry.

To use this button, you must first mark a check box to select an existing entry upon which the
new entry will be based.

Click to modify an existing entry.

To use this button, you must first select which existing entry you want to modify.

Alternatively, you can double-click the existing entry, or right-click the entry and select Edit.

Click to remove an existing entry.

To use this button, you must first mark a check box to select which existing entry you want to
remove.
To delete multiple entries, either mark the check boxes of each entry that you want to delete,
then click Delete.
This button may not always be available. See Deleting entries on page 64.

Common buttons are not described in subsequent sections of this guide.

Some pages have unique buttons, or special behaviors associated with common buttons. Those buttons are described
in their corresponding section of this guide.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 64

See also

l Deleting entries on page 64

l Renaming entries on page 64

Deleting entries

Back up the configuration before deleting any part of the configuration. Deleted items cannot be recovered unless you
upload a backup copy of the previous configuration. For details, see Backups on page 322 and Restoring a previous
configuration on page 325.
To delete a part of the configuration, you must first remove all references to it.
For example, if you selected a profile named “Profile1” in a policy named “PolicyA”, that policy references “Profile1” and
requires it to exist. Therefore the appliance will not allow you to delete “Profile1” until you have reconfigured “PolicyA”
(and any other references) so that “Profile1” is no longer required and may be safely deleted. Predefined entries
included with the firmware cannot be deleted.

See also

l Buttons, menus, & the displays on page 62

l Renaming entries on page 64

Renaming entries

In the web UI, each entry’s name is not editable after you create and save it.
For example, let’s say you create a policy whose Name is “PolicyA”. While configuring the policy, you change your mind
about the policy’s name a few times, and ultimately you change the Name to “Blog-Policy”. Finally, you click OK to save
the policy. Afterwards, if you edit the policy, most settings can be changed. However, Name is greyed-out, and cannot
any longer be changed.
While you cannot edit Name, you can achieve the same effect by other means.

To rename an entry

1. Clone the entry, supplying the new name.

2. In all areas of the configuration that refer to the old name, replace the old entry name by selecting the new name.

FortiWeb Administration Guide Fortinet Technologies Inc.

Key concepts 65

If you do not know where your configuration refers to the entry that you want to
delete, to find the references, you can download a backup of the configuration
and use a plain text editor to search for the entry’s name.
Alternatively, if you need to rename an item that is only referenced in the core
configuration file, you can download a backup copy, use a plain text editor to find
and replace the entry’s old name, then restore the modified configuration backup
file to the appliance. Where there are many references, this may save time.

3. Delete the item with the old name.

See also

l Buttons, menus, & the displays on page 62

l Deleting entries on page 64

Shutdown

Always properly shut down the FortiWeb appliance’s operating system before turning off the power switch or
unplugging it. This causes it to finish writing any buffered data, and to correctly spin down and park the hard disks.

Do not unplug or switch off the FortiWeb appliance without first halting the operating
system. Failure to do so could cause data loss and hardware damage.

To power off the FortiWeb appliance

1. Access the CLI or web UI. For details, see Connecting to the web UI or CLI on page 84.
2. From the CLI console, enter the following command:
execute shutdown
Alternatively, if you are connected to the web UI, go to System > Status > Status, and in the Operation widget,
click Shut Down.
You may be able to hear the appliance become more quiet when the appliance halts its hardware and operating
system, indicating that power can be safely disconnected.
3. For hardware appliances, press the power button if there is one. Power supplies and switches vary by hardware
model. On some, you will press the power button. On others, you will flip the switch to either the off (O) or on (I)
position. When power is connected and the hardware is started, the power indicator LEDs should light. For details,
see the LED specifications in the QuickStart Guide for your model.
For FortiWeb-VM, in the hypervisor or VM manager, power off the virtual machine.
4. Disconnect the power cable from the power supply.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 66

How to set up your FortiWeb

These instructions will guide you to the point where you have a simple, verifiably working installation.
From there, you can begin to use optional features and fine-tune your configuration.
If you are deploying gradually, you may want to initially install your FortiWeb in Offline Protection mode during the
transition phase. In this case, you may need to complete the procedures in this section multiple times: once for Offline
Protection mode, then again when you switch to your permanent choice of operation modes. For details, see Switching
out of Offline Protection mode on page 215.
Time required to deploy varies by:
l Number of your web applications
l Complexity of your web applications

Appliance vs. VMware

Installation workflow varies depending on whether you are installing FortiWeb as a physical appliance or as a virtual
machine.
To install a physical FortiWeb appliance, follow the instructions in How to set up your FortiWeb on page 66 sequentially.
To install a virtual appliance, FortiWeb-VM, first follow the FortiWeb-VM Install Guide
(http://docs.fortinet.com/fortiweb/hardware), then continue with How to set up your FortiWeb on page 66.

Registering your FortiWeb

Before you begin, take a moment to register your Fortinet product at the Fortinet Customer Service & Support website:
https://support.fortinet.com
Many Fortinet services such as firmware updates, technical support, FortiGuard services, and FortiSandbox services
require product registration.
For details, see the Fortinet Knowledge Base Registration FAQ:
http://kb.fortinet.com/kb/documentLink.do?externalID=12071

Planning the network topology

To receive traffic intended for web servers that your FortiWeb appliance will protect, you usually must install the
FortiWeb appliance between the web servers and all clients that access them.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 67

The network configuration should make sure that all network traffic destined for the web servers must first pass to or
through the FortiWeb appliance (depending on your operation mode). Usually, clients access web servers from the
Internet through a firewall such as a FortiGate, so the FortiWeb appliance should be installed between the web servers
and the firewall.

n
je c tio
L in
S, SQ
, XS a cks
F las
h
L att
XM

Vi r

p ooﬁ
use
ng
s
ü
FortiGate + FortiWeb
IP s

Install a general purpose firewall such as FortiGate in addition to the FortiWeb

appliance. Failure to do so could leave your web servers vulnerable to attacks that
are not HTTP/HTTPS-based. FortiWeb appliances are not general-purpose
firewalls, and, if you enable IP-based forwarding, will allow non-HTTP/HTTPS traffic
to pass through without inspection.

Ideally, control and protection measures should only allow web traffic to reach
FortiWeb and your web servers. FortiWeb and FortiGate complement each other to
improve security.

Other topology details and features vary by the mode in which the FortiWeb appliance will operate. For example,
FortiWeb appliances operating in Offline Protection mode or either of the transparent modes cannot do network address
translation (NAT) or load-balancing; FortiWeb appliances operating in Reverse Proxy mode can.

External load balancers: before or after?

Usually you should deploy FortiWeb in front of your load balancer (such as FortiBalancer, FortiADC, or any other
device that applies source NAT), so that FortiWeb is between the load balancer and the clients. This has important
effects:
l Simplified configuration
l Un-scanned traffic will not reach your load balancer, improving its performance and security
l At the IP layer, from FortiWeb’s perspective, HTTP requests will correctly appear to originate from the real client’s
IP address, not (due to SNAT) your load balancer
Otherwise, attackers’ and legitimate clients’ IP addresses may be hidden by the load balancer.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 68

Alternatively, depending on the features that you require, you may be able to use
FortiWeb’s built-in load balancing features instead. For details, see Load Balancing
Algorithm on page 170.

This is an example of a network topology with a load balancer behind a FortiWeb:

Client
10.0.2.200
Web
Server 1
FortiWeb FortiADC
10.0.2.1 192.0.2.1
port2 port3

Block 10.0.2.200? Web

Server 2

ü
FortiWeb Sees
HTTP Client’s IP

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 69

This is an example of an incorrect configuration in which a load balancer is in front of a FortiWeb and there are no X-
headers:

Client
10.0.2.200
Web
Server 1
FortiADC FortiWeb
10.0.2.1 192.0.2.1 192.0.2.2 172.0.2.1
port2 port3 port2 port3

Block 192.0.2.1? Web

Server 2
SNAT Hides
HTTP Client’s IP
To prevent such an incorrect configuration, you must configure your devices to compensate if FortiWeb is behind your
load balancer. Configure your load balancer so that it does not multiplex HTTP requests from different clients into each
TCP connection with FortiWeb.
FortiWeb often applies blocking at the TCP/IP connection level, which could result in blocking innocent HTTP requests if
the load balancer is transmitting them within the same TCP connection as an attack. It could therefore appear to cause
intermittent failed requests. To account for this, configure your load balancer to insert or append an X-Forwarded-
For:, X-Real-IP:, or other HTTP X-header. Also configure FortiWeb to find the original attacker’s or client’s IP
address in that HTTP header, not in the IP session. For details, see Defining your proxies, clients, & X-headers on page
193.

Some features do not support using client IPs found in the X-header. For details,
see Defining your proxies, clients, & X-headers on page 193.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 70

This is an example of a correct configuration in which a load balancer is in front of a FortiWeb and there are X-headers:

Client
10.0.2.200
Web
Server 1
FortiADC FortiWeb
10.0.2.1 192.0.2.1 192.0.2.2 172.0.2.1
port2 port3 port2 port3

GET /index.php
X-Real-IP:
10.0.2.200,192.0.2.1 Block 10.0.2.200? Web
Server 2

ü
FortiWeb Sees
HTTP Client’s IP

Do not set any Action on page 463 to Period Block if the load balancer, or any other device in front of FortiWeb,
applies SNAT unless you have configured blocking based upon HTTP X-headers. Period blocking based upon the
source IP address at the IP layer will cause innocent requests forwarded by the SNAT device after an attack to be
blocked until the blocking period expires. It could therefore appear to cause intermittent service outages. For details,
see Blocking known attacks & data leaks on page 461.

How to choose the operation mode

Many things, including:

l Supported FortiWeb features
l Required network topology
l Positive/negative security model
l Web server configuration
vary by the operation mode. Choose the mode that best matches what you and your customers need.
Considerations are discussed in Supported features in each operation mode on page 71 and Matching topology with
operation mode & HA mode on page 74.
Because this is such a pivotal factor, consider the implications carefully before you make your choice. It
can be time-consuming to reconfigure your network if you switch modes later.

If you are not sure which operation mode is best for you, you can deploy in Offline
Protection mode temporarily.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 71

Supported features in each operation mode

Many features work regardless of the operation mode that you choose. For some features, support varies by the
operation mode. For example, rewriting requires an inline topology and synchronous processing, and therefore is only
supported in modes that work that way.
For the broadest feature support, choose Reverse Proxy mode.
If you require a feature that is not supported in your chosen operation mode, such as DoS protection or SSL/TLS
offloading, configure your web server or another network appliance to provide that feature. The table below lists the
features that are not universally supported in all modes/protocols.

Feature support for each operation mode

Feature Operation mode

Reverse True Trans- Transparent Offline Pro- WCCP

Proxy parent Proxy Inspection tection

HA (Active-passive) Yes Yes Yes Yes Yes

HA (Active-active- Yes Yes No No No

Standard)

HA (Active-active-High Yes No No No No
Volume)

Bridges/V-zones No Yes Yes No No

Network Firewall Yes Yes Yes No No

Fail-to-wire No Yes Yes No Yes

Config. Sync (Non-HA) Yes^ Yes Yes Yes Yes

File Upload Yes Yes Yes Yes Yes

AJAX Block Yes Yes No No Yes

Error Page Customization Yes Yes No No Yes

Threat Weight Yes Yes Yes Yes Yes

FortiGate Quarantined IPs Yes Yes No No Yes

ADFS Policy Yes No No No No

HSTS Header Yes Yes No No Yes

HPKP Header Yes Yes No No Yes

OCSP Stapling Yes Yes No No Yes

TLS 1.0/1.1/1.2 Support Yes Yes Yes~¶ Yes~¶ Yes

TLS 1.3 Support Yes~ Yes~ No No Yes~

Client Certificate Yes Yes No No Yes

Forwarding

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 72

Feature Operation mode

Reverse True Trans- Transparent Offline Pro- WCCP

Proxy parent Proxy Inspection tection

Client Certificate Yes Yes No No Yes

Verification

Statistic Yes Yes Yes Yes Yes

User Authentication Yes Yes No No Yes

Mobile Application Yes Yes Yes Yes Yes

Identification

HTTP/2 Support Yes Yes No No No

SSL/TLS Offloading Yes No No No No

Client Management Yes Yes Yes* Yes* Yes*

HTTP Content Routing Yes No No No No

Proxy Protocol Yes Yes Yes Yes No

Protected Hostnames Yes Yes Yes Yes Yes

Traffic Mirror Yes Yes No No No

Global White List Yes Yes Yes Yes Yes

X-Forwarded-For: Support Yes Yes Yes Yes Yes

URL Yes Yes No No Yes

Rewriting/Redirection

HTTP Authentication Yes Yes No No Yes

Site Publish Yes Yes No No Yes

File Compression Yes Yes No No Yes

Acceleration Yes Yes No No Yes

Caching Yes Yes No No Yes

Signatures Yes Yes Yes Yes Yes

Custom Signature Yes Yes Yes Yes Yes

Custom Policy Yes Yes Yes Yes Yes

Padding Oracle Security Yes Yes Yes Yes Yes

CSRF Protection Yes Yes No No Yes

HTTP Header Security Yes Yes No No Yes

Man in the Browser Yes Yes No No Yes

Protection Policy

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 73

Feature Operation mode

Reverse True Trans- Transparent Offline Pro- WCCP

Proxy parent Proxy Inspection tection

URL Encryption Yes Yes No No Yes

SQL/XSS Syntax Based Yes Yes Yes Yes Yes

Detection

Cookie Security Yes Yes No No Yes

Parameter Validation Yes Yes Yes Yes Yes

Hidden Fields Yes Yes Yes Yes Yes

HTTP Protocol Yes Yes Yes Yes Yes

Constraints

WebSocket Security Yes Yes No No Yes

Chunk Decode Yes Yes Yes Yes Yes

URL Access Yes Yes Yes Yes Yes

Allow Method Yes Yes Yes Yes Yes

CORS Protection Yes Yes No No Yes

Bot Mitigation Yes Yes No No Yes

Biometrics Based Yes Yes No No Yes

Detection

Threshold Based Yes Yes No No Yes

Detection

Bot Deception Yes Yes No No Yes

Known Bots Yes Yes No No Yes

JSON Protection Yes Yes Yes Yes Yes

XML Protection Yes Yes Yes Yes Yes

WS-Security Rule Yes Yes No No Yes

OpenAPI Validation Yes Yes Yes Yes Yes

Mobile API Protection Yes Yes Yes Yes Yes

API Gateway Yes Yes Yes Yes Yes

HTTP Access Limit Yes Yes No No Yes

Malicious IPs Yes Yes No No Yes

HTTP Flood Prevention Yes Yes No No Yes

TCP Flood Prevention Yes Yes No No Yes

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 74

Feature Operation mode

Reverse True Trans- Transparent Offline Pro- WCCP

Proxy parent Proxy Inspection tection

DoS Protection Yes Yes No No Yes

IP List Yes Yes Yes Yes Yes

Geo IP Yes Yes Yes Yes Yes

IP Reputation Yes Yes Yes Yes Yes

User Tracking Yes Yes Yes Yes Yes

Machine Learning - Yes Yes Yes Yes Yes

Anomaly Detection

Machine Learning - Bot Yes Yes Yes Yes Yes

Detection

^ Full configuration sync is not supported in Reverse Proxy mode.

§ Only the Alert action is supported.

* Requires that your web application have session IDs. For details, see Session Key on page 235.

~ DSA-encrypted server certificates are not supported.

¶ Diffie-Hellman key exchanges are not supported.

For the specific cipher suites that FortiWeb supports in each operating mode and protocol, see
Supported cipher suites & protocol versions on page 388.

Matching topology with operation mode & HA mode

Required physical topology varies by your choice of operation mode. It also varies depending on whether you
will operate a high availability (HA) cluster of FortiWeb appliances. You may need to consider 1 or 2 of the next sections:
l Topology for Reverse Proxy mode on page 74
l Topology for either of the transparent modes on page 77
l Topology for Offline Protection mode on page 78
l Topology for WCCP mode on page 80
l Topologies for high availability (HA) clustering on page 80

Topology for Reverse Proxy mode

This is the default operation mode, and the most common. Most features are supported. For details, see Supported
features in each operation mode on page 71.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 75

Requests are destined for a virtual server’s network interface and IP address on FortiWeb, not a web server directly.
FortiWeb usually applies full NAT. FortiWeb applies the first applicable policy, then forwards permitted traffic to a web
server. FortiWeb logs, blocks, or modifies violations according to the matching policy.

DNS A/AAAA record changes may be required in Reverse Proxy mode due to NAT.
Also, servers will see the IP of FortiWeb, not the source IP of clients, unless you
configure FortiWeb to insert/append to an HTTP X-header such as X-Forwarded-
For:. Verify that the server does not apply source IP-based features such as rate
limiting or geographical analysis, or, alternatively, that it can be configured to find
the original client’s source IP address in an HTTP X-header.

If you want to deploy without any IP and DNS changes to the existing network,
consider either of the transparent modes instead.

This is an example network topology for Reverse Proxy mode:

Client
Web
Server 1
192.0.2.2/24
FortiGate 10.0.2.1 port3
port2 192.0.2.1

Switch

192.0.2.3/24
FortiWeb
Web
Server 2

A client accesses two web servers over the Internet through a FortiWeb appliance. A firewall is installed between
FortiWeb and the Internet to regulate non-HTTP/HTTPS traffic. Port1 is connected to the administrator’s computer.
Port2 is connected to the firewall. Port3 is connected to a switch, which is connected to the web servers. The FortiWeb
appliance provides load-balancing between the two web servers.
Alternatively, this is an example that shows multiple protocols originating from the client in a one-arm topology in
Reverse Proxy mode:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 76

FortiWeb
Client

HTTP port3
192.0.2.2
HTTP & Only
SFTP port2 port3
10.0.2.1 192.0.2.1
Scanned
HTTP

FortiGate 192.0.2.3/24
SFTP Web
Servers

Only HTTP/HTTPS is routed through FortiWeb for additional scanning and processing before arriving at the servers.

Virtual servers can be on the same subnet as physical servers. This is one way to
create a one-arm HTTP proxy. For example, the virtual server 192.0.2.1/24 could
forward to the physical server 192.0.2.2.

However, this is often not recommended. Unless your network’s routing

configuration prevents it, it could allow clients that are aware of the physical server’s
IP address to bypass the FortiWeb appliance by accessing the physical server
directly.

By default when in Reverse Proxy mode, FortiWeb will not forward non-HTTP/HTTPS traffic from virtual servers to
your protected back-end servers. By defaut, IP-based forwarding/routing of unscanned protocols is disabled.

If you must forward FTP, SSH, or other protocols to your back-end servers, we recommend that you do not deploy
FortiWeb inline. Instead, use FortiGate VIP port forwarding to scan then send FTP, SSH, etc. protocols directly to the
servers, bypassing FortiWeb. Deploy FortiWeb in a one-arm topology where FortiWeb receives only HTTP/HTTPS from
the FortiGate VIP/port forwarding, then relays it to your web servers. Carefully test to verify that only firewalled traffic
reaches your web servers.

If this is not possible, and you require FortiWeb to route non-HTTP protocols above the TCP layer, you may be able to
use the config router setting command. For details, see FortiWeb CLI Reference. For security and
performance reasons, this is not recommended.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 77

Topology for either of the transparent modes

No changes to the IP address scheme of the network are required. Requests are destined for a web server, not the
FortiWeb appliance. More features are supported than Offline Protection mode, but fewer than Reverse Proxy, and may
vary if you use HTTPS (see also Supported features in each operation mode on page 71).
Unlike with Reverse Proxy mode, with both transparent modes, web servers will see the source IP address of clients.
You can configure VLAN subinterfaces on FortiWeb, or omit IP address configuration entirely and instead assign a
network port to be a part of a Layer 2-only bridge.

In both transparent modes, the appliance will forward non-HTTP/HTTPS

protocols. That is, routing /IP-based forwarding for unscanned protocols is
supported. This facilitates the pass-through of other protocols such as FTP or SSH
that may be necessary for a true drop-in, transparent solution.

This is an example of a network topology for either True Transparent Proxy or Transparent Inspection mode:

192.168.1.4/24
Web Web
Server 2 Server 1
192.168.1.3/24

Switch

Client
port4
192.168.1.1/24 (bridge1)
LAN
LA
port3
(bridge1)
FortiGate port1
172.16.1.10/24 FortiWeb

Administrator

A client accesses a web server over the Internet through a FortiWeb appliance. A firewall is installed between the
FortiWeb appliance and the Internet to regulate non-HTTP/HTTPS traffic. Port1 is connected to the administrator’s
computer. Port3 is connected to the firewall. Port4 is connected to the web servers. Port3 and port4 have no IP address
of their own, and act as a V-zone (bridge). Because port3 and port4 have hardware support for fail-to-wire, this topology
also gives you the option of configuring fail-open behavior in the event of FortiWeb power loss.
True Transparent Proxy mode and Transparent Inspection mode are the same in topology aspect, but due to
differences in the mode of interception, they do have a few important behavioral differences:
l True Transparent Proxy—FortiWeb transparently proxies the traffic arriving on a network port that belongs to
a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. FortiWeb logs, blocks,

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 78

or modifies violations according to the matching policy and its protection profile. This mode supports user
authentication via HTTP but not HTTPS.
l Transparent Inspection—FortiWeb asynchronously inspects traffic arriving on a network port that belongs to
a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. (Because it is
asynchronous, it minimizes latency.) FortiWeb logs or blocks traffic according to the matching policy and its
protection profile, but does not otherwise modify it. (It cannot, for example, offload SSL, load-balance connections,
or support user authentication.

Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than
Alert cannot be guaranteed to be successful in Transparent Inspection mode. The
FortiWeb appliance will attempt to block traffic that violates the policy. However,
due to the nature of asynchronous inspection, the client or server may have already
received the traffic that violated the policy.

Topology for Offline Protection mode

“Out-of-band” is an appropriate descriptor for this mode. Minimal changes are required. It does not introduce any
latency. However, many features are not supported. For details, see Supported features in each operation mode on
page 71.

Most organizations do not permanently deploy their FortiWeb in Offline Protection

mode. Instead, they will use it as a way to learn about their web servers’
vulnerabilities and to configure some of the FortiWeb during a transition period,
after which they will switch to an operation mode that places the appliance inline
(between clients and web servers).
Switching out of Offline Protection mode when you are done with transition can
prevent bypass problems that can arise as a result of misconfigured routing. It also
offers you the ability to offer protection features that cannot be supported in a SPAN
port topology.

Requests are destined for a web server, not the FortiWeb appliance. Traffic is duplicated from the flow and sent on an
out-of-line link to the FortiWeb through a switched port analyzer (SPAN or mirroring) port. Unless there is a policy
violation, there is no reply traffic from FortiWeb. Depending on whether the upstream firewalls or routers apply source
NAT (SNAT), the web servers might be able to see and use the source IP addresses of clients.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 79

This is an example of a network topology in Offline Protection mode:

Client
Web
Server 1
192.168.1.3/24

FortiGate

Switch

192.168.1.1/24 192.168.1.4/24
FortiWeb resets TCP
port2 Web
connection if it
Server 2
detects policy
violation
FortiWeb
A client accesses two web servers over the Internet through a FortiWeb. A firewall is installed between the FortiWeb and
the Internet to regulate non-HTTP/HTTPS traffic. Port1 is connected to the administrator’s computer. Port2 is
connected to the firewall, and thereby to a switch, which is connected to the web servers. The FortiWeb provides
detection, but does not load-balance, block, or otherwise modify traffic to or from the two web servers. Alternatively, you
could connect a FortiWeb operating in Offline Protection mode to the SPAN port of a switch.

Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than
Alertcannot be guaranteed to be successful in Offline Protection mode. The
FortiWeb appliance will attempt to block traffic that violates the policy by mimicking
the client or server and requesting to reset the connection. However, the client or
server may receive the reset request after it receives the other traffic due to possible
differences in routing path metrics and latency.

FortiWeb monitors traffic received on the data capture port’s network interface (regardless of the IP address) and
applies the first applicable policy. Because it is not inline with the destination, it does not forward permitted traffic.
FortiWeb logs or blocks violations according to the matching policy and its protection profile. If FortiWeb detects a
malicious request, it sends a TCP RST (reset) packet through the blocking port to the web server and client to attempt to
terminate the connection. It does not otherwise modify traffic. (It cannot, for example, offload SSL, load-balance
connections, or support user authentication.)

If you select Offline Protection mode, you can configure Blocking Port on page 246
to select the port from which TCP RST (reset) commands are sent to block traffic
that violates a policy.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 80

Topology for WCCP mode

WCCP mode does not require changes to the IP address scheme of the network. Requests are destined for a web
server and not the FortiWeb appliance. This operation mode supports the same feature set as True Transparent Proxy
mode. However, like Reverse Proxy mode, web servers see the FortiWeb network interface IP address and not the IP
address of the client. For details, see Supported features in each operation mode on page 71.
This is an example of a network topology in WCCP mode:

192.168.1.5/24
Web Web
Server 2 Server 1
Client 192.168.1.4/24
port2
192.168.1.1/24
port1
Switch
non-HTTP

port3 FortiGate
172.22.80.1/24
HTTP
and
HTTPS

Scanned
HTTP and
HTTPS
port3
172.22.80.100/24
FortiWeb

A client accesses a web server over the Internet through a FortiWeb appliance. In this one-arm topology, a firewall is
configured as a WCCP server that routes HTTP/HTTPS traffic arriving on port1 to a FortiWeb configured as a WCCP
client. The firewall directs non-HTTP/HTTPS traffic to the switch directly. On the FortiWeb, Port3 is configured for the
WCCP protocol and connected to the firewall.
FortiWeb applies the first applicable policy, logs, blocks, or modifies violations according to the matching policy, and
then returns permitted traffic to the firewall. The firewall is configured to route HTTP/HTTPS traffic arriving on port3 to
the switch.

Topologies for high availability (HA) clustering

Valid HA topologies vary by whether you use either:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 81

l FortiWeb active-passive HA
l FortiWeb active-active HA
l An external HA/load balancer
To carry heartbeat and synchronization traffic between the HA pair, the heartbeat interface on both HA appliances must
be connected through crossover cables or through switches.

If you use a switch to connect the heartbeat interfaces, they must be reachable by
Layer 2 multicast.

This is an example of a active-passive HA network topology in Reverse Proxy mode:

To fail over, standby sends

gratuitous ARP . This causes
network to transfer all FortiWeb
VMAC & IP addresses to
ports linked to standby . FortiWeb HA pair
Active (Failed) Servers
port1 192.168.1.2-4
port1 10.0.0.1 port2
vserver1 10.0.1.1 192.168.1.1
vserver2 10.0.2.1
Heartbeat

Links

port3 port4
FortiGate Switch

port1 port2

Clients arp reply 10.0.0.1 arp reply 192.168.1.1

is-at 00:09:0f:09:00:00 Standby is-at 00:09:0f:09:00:02
(00:09:0f:09:00:00) (00:09:0f:09:00:02)
arp reply 10.0.1.1
is-at 00:09:0f:09:00:00
(00:09:0f:09:00:00)
arp reply 10.0.2.1
is-at 00:09:0f:09:00:00
(00:09:0f:09:00:00)

If the active appliance fails, the standby appliance assumes the IP addresses and load of the failed appliance.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 82

This is an example for an active-active HA network topology in Reverse Proxy mode:

A FortiWeb active-active HA cluster can be consist of up to eight FortiWebs. All the cluster members operate as an
active appliance together, which means each of the members can simultaneously handle the traffic between clients and
the back web servers. In an active-active HA cluster, there is one appliance selected as the master and the others are
slaves. Like a central controller, only the master appliance receives traffic from clients and web servers; it will distribute
received traffic to the cluster members (including itself), so that each FortiWeb appliance performs the security services
to monitor traffic.
Similar to the active-passive HA deployment, the operation of active-active HA cluster requires heartbeat detection,
configuration and session synchronization between the cluster members. If the master appliance fails, one of the slaves
will take it over. The heartbeat interfaces of all the HA appliances must be connected directly with crossover cables or
through switches to carry the heartbeat and synchronization traffic between the HA cluster members.
If FortiWeb will not be operating in Reverse Proxy mode, typically you would not configure an HA network topology.
Configuring an HA network topology in other operation modes could require changes to your network scheme, which
defeats one of the key benefits of other operating modes: they require no IP changes.
Instead, most customers use an existing external load balancer/HA solution in conjunction with FortiWeb configuration
synchronization to preserve an existing active-active or active-passive topology.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 83

This is an example of a network topology in True Transparent Proxy mode with configuration synchronization and
external HA via FortiADC:

FortiWeb
Client transparent proxy
192.168.1.1
port2 Switch

FortiGate 192.168.1.2/24

Web
Active-Active Configuration Server 1
HA via Synchronization
FortiADC
FortiADC

Web
FortiGate Server 2
192.168.1.3/24
port2
192.168.1.1 Switch
FortiWeb
transparent proxy

Unlike with FortiWeb HA, the external HA device detects when a FortiWeb has failed and then redirects the traffic
stream; FortiWeb has no way of actively notifying the external HA device. To monitor the live paths through your
FortiWeb configuration, you could configure your HA device to poll either:
l A back-end web server, or
l An IP on each FortiWeb bridge (V-zone)

You can use configuration synchronization to replicate the FortiWeb configuration

without HA(that is, no load balancing and no failover). Configuration synchronization
has no special topology requirement, except that synchronized FortiWebs should be
placed in identical topologies. For details, see Replicating the configuration without
FortiWeb HA (external HA) on page 119.

See also

l Fail-to-wire for power loss/reboots on page 667

l Topology for Reverse Proxy mode on page 74
l Topology for either of the transparent modes on page 77
l FortiWeb high availability (HA) on page 48
l HA heartbeat on page 114
l Replicating the configuration without FortiWeb HA (external HA) on page 119

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 84

Connecting to the web UI or CLI

To configure, maintain, and administer the FortiWeb appliance, you need to connect to it. There are two methods:
Web UI—A graphical user interface (GUI), from within a web browser. It can display reports and logs, but lacks many
advanced diagnostic commands. For usage, see How to use the web UI on page 55.
Command line interface (CLI)—A text interface similar to DOS or UNIX commands, from a Secure Shell (SSH) or
Telnet terminal, or from the JavaScript CLI Console widget in the web UI (System > Status > Status). It provides
access to many advanced diagnostic commands as well as configuration, but lacks reports and logs. For usage, see
FortiWeb CLI Reference.
Access to the CLI and/or web UI through your network is not yet configured if:
l you are connecting for the first time
l you have just reset the configuration to its default state
l you have just restored the firmware
In these cases, you must initially connect your computer directly to FortiWeb, using the default settings.

If you are installing a FortiWeb-VM virtual appliance, you should have already
connected if you followed the instructions in the FortiWeb-VM deploy Guide
(http://docs.fortinet.com/fortiweb/hardware). If so, you can skip this chapter and
continue with Changing the “admin” account password on page 101.

Via the direct connection, you can use the web UI or CLI to configure FortiWeb’s basic network settings. Once this is
done, you will be able to place FortiWeb on your network, and use FortiWeb through your network.

Until the FortiWeb appliance is configured with an IP address and connected to your
network, you may prefer to connect the FortiWeb appliance directly to your
management computer, or through a switch, in a peer network that is isolated from
your overall network. This will improve security during setup. However, isolation is
not required.

Connecting to the web UI

You can connect to the web UI using its default settings:

Network Interface port1

URL https://192.168.1.99/

Administrator admin
Account

Password

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 85

Requirements

l A computer with an RJ-45 Ethernet network port

l A web browser such as Microsoft Internet Explorer version 6.0 or greater, or Mozilla Firefox 3.5 or greater
l A crossover Ethernet cable

To connect to the web UI

1. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask
of 256.256.256.0.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiWeb appliance’s port1.
3. Start your browser and enter the following URL:
https://192.168.1.99
(Remember to include the “s” in https://.)
Your browser connects the appliance.
If you do not see the login page due to an SSL cipher error during the connection, and you are connecting to the
trial license of FortiWeb-VM or a LENC version of FortiWeb, then your browser must be configured to accept
encryption of 64-bit strength or less during the handshake. RC2 and DES with less than 64-bit strength is
supported. AES and 3DES is not supported in these versions.
For example, in Mozilla Firefox, if you receive this error message:
ssl_error_no_cypher_overlap
To support HTTPS authentication, the FortiWeb appliance ships with a self-signed security certificate, which it
presents to clients whenever they initiate an HTTPS connection to the FortiWeb appliance. When you connect,
depending on your web browser and prior access of the FortiWeb appliance, your browser might display two
security warnings related to this certificate:
l The certificate is not automatically trusted because it is self-signed, rather than being signed by a valid
certificate authority (CA). Self-signed certificates cannot be verified with a proper CA, and therefore might be
fraudulent. You must manually indicate whether or not to trust the certificate.
l The certificate might belong to another website. The common name (CN) field in the certificate, which usually
contains the host name of the website, does not exactly match the URL you requested. This could indicate
server identity theft, but could also simply indicate that the certificate contains a domain name while you have
entered an IP address. You must manually indicate whether this mismatch is normal or not.
Both warnings are normal for the default certificate. TLS v1.0 is supported.
4. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning
again) or temporarily. You cannot log in until you accept the certificate.
For details on accepting the certificate, see the documentation for your web browser.
5. In the Name field, type admin, then click Login. In its default state, there is no password for this account.
Login credentials entered are encrypted before they are sent to the FortiWeb appliance. If your login is successful, the
web UI appears. To continue by updating the firmware, see Updating the firmware on page 89. Otherwise, to continue
by setting an administrative password, see Changing the “admin” account password on page 101.

If 3 incorrect login or password attempts occur in a row, your IP address will be

temporarily blacklisted from the GUI and CLI (network, not console). This is to
protect the appliance from brute force login attacks. Wait 1 minute, then attempt the
login again.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 86

Connecting to the CLI

Using its default settings, you can access the CLI from your management computer in three ways via:
l the Web UI
l A local console connection
l An SSH connection, either local or through the network
Secure Shell (SSH) provides both secure authentication and secure communications to the CLI. Supported SSH
protocol versions, ciphers, and bit strengths include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1.
These are the default settings to connect to the CLI via SSH:

Network Interface port1

IP Address 192.168.1.99

SSH Port Number 22

Administrator admin
Account

Password

If you are not connecting for the first time, nor have you just reset the configuration
to its default state or restored the firmware, administrative access settings may have
already been configured. In this case, access the CLI using the IP address,
administrative access protocol, administrator account and password already
configured, instead of the default settings.

Alternatively, you can access the CLI via SSH and a public-private key pair. However, to use this option, you first access
the CLI using the CLI Console widget (part of the web UI status dashboard) or via SSH and password to upload the
public key. For details, see To connect to the CLI using an SSH connection and public-private key pair on page 88.
The following procedures describe connection using PuTTY software; steps may vary with other terminal emulators.

To use the CLI in the web UI

You must have already completed To connect to the web UI on page 85.
1. In the top-right corner of the window from any location in the web UI, click the Console Access icon:

The console will open on top of the current window of the Web UI.
2. To detach the CLI Console from the Web UI, click the Detach icon in the toolbar of the CLI Console window:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 87

The CLI Console will open in a new tab in your browser.

To connect to the CLI using a local console connection

You must have:

l A computer with an available serial communications (COM) port
l The RJ-45-to-DB-9 or null modem cable included in your FortiWeb package
l Terminal emulation software such as PuTTY
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
1. Using the RJ-45-to-DB-9 or null modem cable, connect your computer’s serial communications (COM) port to the
FortiWeb appliance’s console port.
2. Verify that the FortiWeb appliance is powered on.
3. On your management computer, start a terminal emulation software such as PuTTY.
4. In the Category tree on the left, go to Connection > Serial and configure these settings:

Serial line to COM1 (or, if your computer has

connect to multiple serial ports, the name
of the connected serial port)

Speed (baud) 9600

Data bits 8

Stop bits 1

Parity None

Flow control None

5. In the Category tree on the left, go to Session (not the sub-node, Logging) and from Connection type, select
Serial.
6. Click Open.
7. Press the Enter key to initiate a connection.
The login prompt appears.
8. Type admin then press Enter twice. (In its default state, there is no password for the admin account.)
The CLI displays the following text, followed by a command line prompt:
Welcome!
You can now enter commands. To continue by updating the firmware, see Updating the firmware on page 89.
Otherwise, to continue by setting an administrative password, see Changing the “admin” account password on page
101. For information about how to use the CLI, see FortiWeb CLI Reference.

To connect to the CLI using an SSH connection and password

You must have:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 88

l a computer with an RJ-45 Ethernet port

l a crossover Ethernet cable (if connecting directly) or straight-through Ethernet cable (if connecting through a switch
or router)
l a FortiWeb network interface configured to accept SSH connections (In its default state, port1 accepts SSH. You
may need to connect directly first in order to configure a static route so that, later, you can connect through routers.
For details, see Adding a gateway on page 142.)
l terminal emulation software such as PuTTY
(http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html)
1. On your management computer, configure the Ethernet port with the static IP address 192.168.1.2 with a netmask
of 256.256.256.0.
2. Using the Ethernet cable, connect your computer’s Ethernet port to the FortiWeb appliance’s port1.
3. Verify that the FortiWeb appliance is powered on.
4. On your management computer, start PuTTY.
Initially, the Session category of settings is displayed.
5. In Host Name (or IP Address), type 192.168.1.99.
6. In Port, type 22.
7. From Connection type, select SSH.
8. Select Open.
The SSH client connects to the FortiWeb appliance.
The SSH client may display a warning if this is the first time you are connecting to the FortiWeb appliance and its
SSH key is not yet recognized by your SSH client, or if you have previously connected to the FortiWeb appliance but
it used a different IP address or SSH key. If your management computer is directly connected to the FortiWeb
appliance with no network hosts between them, this is normal.
9. Click Yes to verify the fingerprint and accept the FortiWeb appliance’s SSH key. You cannot log in until you accept
the key.
The CLI displays a login prompt.
10. Type admin and press Enter. by default, this account has no password.

If 3 incorrect login or password attempts occur in a row, your IP address will be

temporarily blacklisted from the GUI and CLI (network, not console). This is to
protect the appliance from brute force login attacks. Wait 1 minute, then attempt the
login again.

The CLI displays a prompt, such as:

FortiWeb#
You can now enter commands. To continue by updating the firmware, see Updating the firmware on page 89.
Otherwise, to continue by setting an administrative password, see Changing the “admin” account password on page
101.
For information about how to use the CLI, see FortiWeb CLI Reference.

To connect to the CLI using an SSH connection and public-private key pair

1. Create a public-private key pair using a key generator.

2. Save the private key to the location on your management computer where your SSH keys are stored.
3. Connect to the CLI using either the CLI Console widget on the web UI dashboard or via anSSH connection. For
details, see To connect to the CLI using an SSH connection and password on page 87.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 89

4. Use the following CLI command to copy the public key to FortiWeb using the CLI commands:
config system admin
edit admin
set sshkey <sshkey>
end
where <sshkey> is the public key data.
The following data is an example of an ssh public key:
“ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDJWw9hWG6KC+RYViLmPVN283mNIwOVE9EyO+Rk
SsQgqZzc/NkzWpR4A3f6egYUZ1TY3ERYJ350zpvtmVoM8sbtDyLjuj/OYqZWLr06jjd+
NBKNbl9crqGdcoi+5WYZ9qo8NKgW4yXrmcNzdM46c708mrKNc9cfVlCk2kJSNNEY8FRX
fm3Ge7y0aNRuBBQ6n9LkYWSoW+AETwNt8ZS0/9tJ9gV6V6J4071Y8xSfM1VDJQwdneuX
CpVrs3Fg1DijUdritp7W8ptxqgbLvdkRObaTvpEGSl6rBPZcsqQFCCgn1QHdE9UxoPA7
jpSrEZ/Gkh63kz5KC6dZgUg0G2IrIgXt”

5. To log in using the private key, open a connection to the CLI using SSH. For details, see To connect to the CLI
using an SSH connection and password on page 87.
6. When FortiWeb displays the CLI prompt, use the following command to log in using the public key:
ssh -i <privatekey>

where <privatekey> is the name of the private key stored on your management computer.

For information about how to use the CLI, see FortiWeb CLI Reference.

Updating the firmware

Your FortiWeb comes with the latest operating system (firmware) when shipped. However, if a new version released
since your appliance shipped, you should install it before you continue the installation.
Fortinet periodically releases FortiWeb firmware updates to include enhancements and address security issues. Once
you register your FortiWeb, firmware is available for download through Fortinet Customer Service & Support at:
https://support.fortinet.com
Installing new firmware can overwrite attack signature packages using the versions of the packages that were current at
the time that the firmware image was built. To avoid repeat updates, update the firmware before updating your
FortiGuard packages.
New firmware can also introduce new features which you must configure for the first time.
For information about a particular firmware release, see the Release Notes for that release at:
http://docs.fortinet.com/fortiweb/release-information

In addition to major releases that contain new features, Fortinet releases patch
releases that resolve specific issues without containing new features and/or changes
to existing features. It is recommended to download and install patch releases as
soon as they are available.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 90

See also

l Testing new firmware before installing it on page 90

l Installing firmware on page 92
l Installing alternate firmware on page 97

Testing new firmware before installing it

You can test a new firmware image by temporarily running it from memory, without saving it to disk. By keeping your
existing firmware on disk, if the evaluation fails, you do not have to re-install your previous firmware. Instead, you can
quickly revert to your existing firmware by simply rebooting the FortiWeb appliance.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 91

To test a new firmware image

1. Download the firmware file from the Fortinet Technical Support website:
https://support.fortinet.com/
2. Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-
modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiWeb appliance.
For details, see Connecting to the web UI or CLI on page 84.
4. Connect port1 of the FortiWeb appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. If necessary, start your TFTP server. If you do not have one, you can temporarily install and run one such as tftpd
on your management computer:
Windows: http://tftpd32.jounin.net
Mac OS X: From the Terminal, enter the man tftp command.
Linux: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_
Guide/s1-netboot-tftp.html

Because TFTP is not secure, and because it does not support authentication
and could allow anyone to have read and write access, you should only run it on
trusted administrator-only networks, never on computers directly connected to
the Internet. If possible, immediately turn off tftpd off when you are done.

You have only three seconds to press a key. If you do not press a key soon
enough, the FortiWeb appliance reboots and you must log in and repeat the
execute reboot command.

If you successfully interrupt the startup process, the following messages appears:
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".

11. Type G to get the firmware image from the TFTP server.
The following message appears:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 92

Enter TFTP server address [192.168.1.168]:

12. Type the IP address of the TFTP server and press Enter.
The following message appears:
Enter local address [192.168.1.188]:
13. Type a temporary IP address that can be used by the FortiWeb appliance to connect to the TFTP server.
The following message appears:
Enter firmware image file name [image.out]:
14. Type the firmware image file name and press Enter.
The FortiWeb appliance downloads the firmware image file from the TFTP server and displays a message similar
to the following:
MAC:00219B8F0D94
###########################
Total 28385179 bytes data downloaded.
Verifying the integrity of the firmware image..
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

If the download fails after the integrity check with the error message:

invalid compressed format (err=1)

but the firmware matches the integrity checksum on the Fortinet Technical
Support website, try a different TFTP server.

15. Type R.
The FortiWeb image is loaded into memory and uses the current configuration, without saving the new firmware
image to disk.
16. To verify that the new firmware image was loaded, log in to the CLI and type:
get system status
17. Test the new firmware image.
l If the new firmware image operates successfully, you can install it to disk, overwriting the existing firmware, using
the procedure Installing firmware on page 92.
l If the new firmware image does not operate successfully, reboot the FortiWeb appliance to discard the temporary
firmware and resume operation using the existing firmware.

See also

l Installing firmware
l Installing alternate firmware

Installing firmware

You can use either the web UI or the CLI to upgrade or downgrade the appliance’s operating system.
If you are installing a firmware version that requires a different size of system partition, you may be required to format
the boot device before installing the firmware by re-imaging the boot device. Consult the Release Notes. In that case,
do not install the firmware using this procedure. Instead, see Restoring firmware (“clean install”) on page 859.
Firmware changes are either:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 93

l an update to a newer version

l a reversion to an earlier version
To determine if you are updating or reverting the firmware, go to System > Status > Status and in the System
Information widget, see the Firmware Version row. (Alternatively, in the CLI, enter the command get system
status.)
For example, if your current firmware version is:
FortiWeb-VM 4.32,build0531,111031

changing to
FortiWeb-VM 4.32,build0530,110929
an earlier build number (530) and date (110929 means September 29, 2011), indicates that you are reverting.

Back up all parts of your configuration before beginning this procedure. Some
backup types do not include the full configuration. For full backup instructions, see
Backups on page 322.

Reverting to an earlier firmware version could reset settings that are not compatible
with the new firmware. For example, FortiWeb 5.0 configuration files are not
compatible with previous firmware versions. If you later decide to downgrade to
FortiWeb 4.4.6 or earlier, your FortiWeb appliance will lose its configuration.
To restore the configuration, you will need a backup that is compatible with the older
firmware.

For details about reconnecting to a FortiWeb appliance whose network interface

configuration was reset, see Connecting to the web UI or CLI on page 84.

To install firmware via the web UI

1. Download the firmware file from the Fortinet Technical Support website:
https://support.fortinet.com/
2. Log in to the web UI of the FortiWeb appliance as the admin administrator, or an administrator account whose
access profile contains Read and Write permissions in the Maintenance category.

Updating firmware on an HA pair requires some additions to the usual steps for a
standalone appliance. For details, see Updating firmware on an HA pair on page
96.

3. Go to System > Status > Status.

4. In the System Information widget, in the Firmware Version row, click Update.
The Firmware Upgrade/Downgrade dialog appears.

5. Click Browse to locate and select the firmware file that you want to install, then click OK.
6. Click OK.
Your management computer uploads the firmware image to FortiWeb. FortiWeb installs the firmware and restarts.
The time required varies by the size of the file and the speed of your network connection.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 94

If you are downgrading the firmware to a previous version, and the settings are
not fully backwards compatible, the FortiWeb appliance may either remove
incompatible settings, or use the feature’s default values for that version of the
firmware. You may need to reconfigure some settings.

7. Clear the cache of your web browser and restart it to ensure that it reloads the web UI and correctly displays all
interface changes. For details, see your browser's documentation.
8. To verify that the firmware was successfully installed, log in to the web UI and go to System > Status > Status.
In the System Information widget, the Firmware Version row indicates the currently installed firmware version.
9. If you want to install alternate firmware on the secondary partition, follow Installing alternate firmware on page 97.
10. Continue with Changing the “admin” account password on page 101.

Installing firmware replaces the current attack definitions with those included in the
firmware release that you're installing. If you are updating or rearranging an existing
deployment, after you install new firmware, make sure that your attack definitions
are up-to-date. For details, see Manually initiating update requests on page 477.

To install firmware via the CLI

1. Download the firmware file from the Fortinet Customer Service & Support website:
https://support.fortinet.com/
If you are downgrading the firmware to a previous version, FortiWeb reverts the configuration to default values for
that version of the firmware. You will need to reconfigure FortiWeb or restore the configuration file from a backup.
For details, see Connecting to the web UI or CLI on page 84 and, if you opt to restore the configuration, Restoring a
previous configuration on page 325.
2. Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-
modem cable.

Updating firmware on an HA pair requires some additions to the usual steps for a
standalone appliance. For details, see Updating firmware on an HA pair on page
96.

3. Initiate a connection from your management computer to the CLI of the FortiWeb appliance, and log in as the
admin administrator, or an administrator account whose access profile contains Read and Write permissions in
the Maintenance category. For details, see Permissions on page 56.
4. Connect port1 of the FortiWeb appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. If necessary, start your TFTP server. If you do not have one, you can temporarily install and run one such as tftpd
on your management computer:
Windows: http://tftpd32.jounin.net
Mac OS X: From the Terminal, enter the man tftp command.
Linux: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_
Guide/s1-netboot-tftp.html

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 95

7. Verify that the TFTP server is currently running, and that the FortiWeb appliance can reach the TFTP server.
To use the FortiWeb CLI to verify connectivity, enter the following command:
execute ping 192.168.1.168
where 192.168.1.168 is the IP address of the TFTP server.
8. Enter the following command to download the firmware image from the TFTP server to FortiWeb:
execute restore image tftp <name_str> <tftp_ipv4>
where <name_str> is the name of the firmware image file and <tftp_ipv4> is the IP address of the TFTP
server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is
192.168.1.168, enter:
execute restore image tftp image.out 192.168.1.168
One of the following messages appears:
This operation will replace the current firmware version!
Do you want to continue? (y/n)
or:
Get image from tftp server OK.
Check image OK.
This operation will downgrade the current firmware version!
Do you want to continue? (y/n)
9. Type y.
The FortiWeb appliance downloads the firmware image file from the TFTP server. The FortiWeb appliance installs
the firmware and restarts:
MAC:00219B8F0D94
###########################
Total 28385179 bytes data downloaded.
Verifying the integrity of the firmware image.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?
The time required varies by the size of the file and the speed of your network connection.

If the download fails after the integrity check with the error message:

invalid compressed format (err=1)

but the firmware matches the integrity checksum on the Fortinet Technical
Support website, try a different TFTP server.

10. To verify that the firmware was successfully installed, log in to the CLI and type:
get system status
The firmware version number is displayed.
11. If you want to install alternate firmware on the secondary partition, follow Installing alternate firmware on page 97.
12. Continue with Changing the “admin” account password on page 101.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 96

Installing firmware replaces the current FortiGuard packages with those included
with the firmware release that you are installing. If you are updating or rearranging
an existing deployment, after you install new firmware, make sure that your attack
definitions are up-to-date. For details, see Manually initiating update requests on
page 477.

See also

l Updating firmware on an HA pair on page 96

l Installing alternate firmware on page 97
l Manually initiating update requests on page 477

Updating firmware on an HA pair

Installing firmware on an HA pair is similar to installing firmware on a single, standalone appliance.

If downgrading to a previous version, do not use this procedure. The HA daemon on the standby appliance might
detect that the main appliance has older firmware, and attempt to upgrade it to bring it into sync, undoing your
downgrade.
Instead, switch out of HA, downgrade each appliance individually, then switch them back into HA mode.
To ensure minimal interruption of service to clients, use the following steps.

This update procedure is only valid for upgrading from FortiWeb 4.0 MR4 or later.

If you are upgrading from FortiWeb 4.0 MR3 or earlier, the active appliance will not
automatically send the new firmware to the standby appliance(s); you must quickly
connect to the standby and manually install the new firmware while the originally
active appliance is upgrading and rebooting. Alternatively, switch the appliances out
of HA mode, upgrade them individually, then switch them back into HA mode.

To update the firmware of an HA pair

1. Verify that both of the members in the HA pair are powered on and available on all of the network interfaces that
you have configured. If required ports are not available, HA port monitoring could inadvertently trigger an additional
failover and traffic interruption during the firmware update.
2. Log in to the web UI of the primary appliance as the admin administrator.
Alternatively, log on with an administrator account whose access profile contains Read and Write permissions in
the Maintenance category. For details, see Permissions on page 56.
3. Install the firmware on the primary appliance. For details, see Installing firmware on page 92. When installing via
the web UI, a message will appear after your web browser has uploaded the file:
Sending the new firmware file to the standby. Please wait and keep the web GUI
untouched...

Closing your browser window or using the back or forward buttons can interrupt the
upgrade process, resulting in a split brain problem — both the upgrade of the
initial master and HA will be interrupted, because both appliances will believe they
are the main appliance.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 97

The primary appliance will transmit the firmware file to the standby appliance over its HA link.The standby appliance will
upgrade its firmware first; on the active appliance, this will be recorded in an event log message such as:
Member (FV-1KC3R11111111) left HA group
After the standby appliance reboots and indicates via the HA heartbeat that it is up again, the primary appliance will
begin to update its own firmware. During that time, the standby appliance will temporarily become active and process
your network’s traffic. After the original appliance reboots, it indicates via the HA heartbeat that it is up again. Which
appliance will assume the active role of traffic processing depends on your configuration (see How HA chooses the
active appliance on page 115):
l If FortiWeb high availability (HA) on page 48 is enabled, the cluster will consider your FortiWeb high availability
(HA) on page 48 setting. Therefore both appliances usually make a second failover in order to resume their original
roles.
l If FortiWeb high availability (HA) on page 48 is disabled, the cluster will consider uptime first. The original primary
appliance will have a smaller uptime due to the order of reboots during the firmware upgrade. Therefore it will not
resume its active role; instead, the standby will remain the new primary appliance. A second failover will not occur.
Reboot times vary by the appliance model, and also by differences between the original firmware and the firmware you
are installing, which may require the installer to convert the configuration and/or disk partitioning schemes to be
compatible with the new firmware version.

See also

l Installing firmware on page 92

l FortiWeb high availability (HA) on page 48

Installing alternate firmware

You can install alternate firmware which can be loaded from its separate partition if the primary firmware fails. This can
be accomplished via the web UI or CLI.

To install alternate firmware via the web UI

1. Download the firmware file from the Fortinet Customer Service & Support website:
https://support.fortinet.com/
2. Log in to the web UI of the FortiWeb appliance as the admin administrator, or an administrator account whose
access profile contains Read and Write permissions in the Maintenance category.

Updating firmware on an HA pair requires some additions to the usual steps for a
standalone appliance. For details, see Updating firmware on an HA pair on page
96.

3. Go to System > Maintenance > Backup & Restore.

To access this part of the web UI, your administrator account’s access profile must have Read and
Writepermission to items in the Maintenancecategory. For details, see Permissions on page 56.
4. Select the Local Backup tab.
5. In the Firmware area, in the row of the alternate partition, click Upload and Reboot.
The Firmware Upgrade/Downgrade dialog appears.
6. For From, select the hard disk from which you want to install the firmware file.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 98

7. Click Browse to locate and select the firmware file that you want to install, then click OK.
8. Click OK.
Your management computer uploads the firmware image to FortiWeb. FortiWeb installs the firmware and restarts.
The time required varies by the size of the file and the speed of your network connection.

9. Clear the cache of your web browser and restart it to ensure that it reloads the web UI and correctly displays all
interface changes. For details, see your browser's documentation.
10. To verify that the firmware was successfully installed, log in to the web UI and go to System > Status > Status.
In the System Information widget, the Firmware Version row indicates the currently installed firmware version.

To install alternate firmware via the CLI

1. Download the firmware file from the Fortinet Technical Support website:
https://support.fortinet.com/
2. Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-
modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiWeb appliance, and log in as the
admin administrator, or an administrator account whose access profile contains Read and Write permissions in
the Maintenance category. For details, see Permissions on page 56.
4. Connect port1 of the FortiWeb appliance directly or to the same subnet as a TFTP server.
5. Copy the new firmware image file to the root directory of the TFTP server.
6. If necessary, start your TFTP server. If you do not have one, you can temporarily install and run one such as tftpd
on your management computer:
Windows: http://tftpd32.jounin.net
Mac OS X: From the Terminal, enter the man tftp command.
Linux: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_
Guide/s1-netboot-tftp.html

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 99

You have only 3 seconds to press a key. If you do not press a key soon enough,
the FortiWeb appliance reboots and you must log in and repeat the execute
reboot command.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".

10. Type G to get the firmware image from the TFTP server.
The following message appears:
Enter TFTP server address [192.168.1.168]:
11. Type the IP address of the TFTP server and press Enter.
The following message appears:
Enter local address [192.168.1.188]:
12. Type a temporary IP address that can be used by the FortiWeb appliance to connect to the TFTP server.
The following message appears:
Enter firmware image file name [image.out]:
13. Type the firmware image file name and press Enter.
The FortiWeb appliance downloads the firmware image file from the TFTP server and displays a message similar
to the following:
MAC:00219B8F0D94
###########################
Total 28385179 bytes data downloaded.
Verifying the integrity of the firmware image.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?

If the download fails after the integrity check with the error message:

invalid compressed format (err=1)

but the firmware matches the integrity checksum on the Fortinet Technical
Support website, try a different TFTP server.

14. Type B.
The FortiWeb appliance saves the backup firmware image and restarts. When the FortiWeb appliance reboots, it is
running the primary firmware.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 100

See also

l Booting from the alternate partition on page 100

l Installing firmware on page 92
l Manually initiating update requests on page 477

Booting from the alternate partition

System > Maintenance > Backup & Restore lists the firmware versions currently installed on your FortiWeb
appliance.
Each appliance can have up to two firmware versions installed. Each firmware version is stored in a separate partition.
The partition whose firmware is currently running is noted with a white check mark in a green circle in the Active
column.

To boot into alternate firmware via the web UI

Install firmware onto the alternate partition. For details, see Installing alternate firmware on page 97.
1. Go to System > Maintenance > Backup & Restore, and select the Local Backup tab.
To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the Maintenance category. For details, see Permissions on page 56.
2. In the Firmware area, click Boot alternate firmware.
A warning message appears.
3. Click OK.
A message appears instructing you to refresh your browser in a few minutes after the appliance has booted the
other firmware.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 101

To boot into alternate firmware via the local console CLI

1. Install firmware onto the alternate partition. For details, see Installing alternate firmware on page 97.
2. Connect your management computer to the FortiWeb console port using a RJ-45-to-DB-9 serial cable or a null-
modem cable.
3. Initiate a connection from your management computer to the CLI of the FortiWeb appliance, and log in as the
admin administrator, or an administrator account whose access profile contains Read and Write permissions in
the Maintenance category.
For details, see Connecting to the web UI or CLI on page 84.
4. Enter the following command to restart the FortiWeb appliance:
execute reboot
5. As the FortiWeb appliances starts, a series of system startup messages appear.
Press any key to display configuration menu........
Immediately press a key to interrupt the system startup.

You have only 3 seconds to press a key. If you do not press a key soon enough,
the FortiWeb appliance reboots and you must log in and repeat the execute
reboot command.

Enter G,F,B,Q,or H:

Please connect TFTP server to Ethernet port "1".

6. Type B to reboot and use the backup firmware.

See also

l Installing alternate firmware on page 97

Changing the “admin” account password

The default administrator account, named admin, initially has no password.

Unlike other administrator accounts, the admin administrator account exists by default and cannot be deleted. The
admin administrator account is similar to a root administrator account. This administrator account always has full
permission to view and change all FortiWeb configuration options, including viewing and changing all other
administrator accounts. Its name and permissions cannot be changed.
Before you connect the FortiWeb appliance to your overall network, you should configure the admin account with a
password to prevent others from logging in to the FortiWeb and changing its configuration.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 102

Set a strong password for the admin administrator account, and change the
password regularly. Failure to maintain the password of the admin administrator
account could compromise the security of your FortiWeb appliance. As such, it can
constitute a violation of PCI DSS compliance and is against best practices. For
improved security, the password should be at least eight characters long, be
sufficiently complex, and be changed regularly.

To change the admin administrator password via the web UI

1. Go to System > Admin > Administrators.

To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the Admin Users category. For details, see Permissions on page 56.
2. In the row corresponding to the admin administrator account, mark its check box.
3. Click Change Password.
4. In the Old Password field, do not enter anything. In its default state, there is no password for the admin
administrator account.
5. In the New Password field, enter a password with sufficient complexity and number of characters to deter brute
force attempts and other attacks.
6. In the Confirm Password field, enter the new password again to confirm its spelling.

If you have configured Password Policy in System > Admin > Settings,
follow the settings when entering the new password.

7. Click OK.
8. Click Logout.
FortiWeb logs you out. To continue using the web UI, you must log in again. The new password takes effect the next
time that admin administrator account logs in.

To change the admin administrator password via the CLI

Enter the following commands:

config system admin
edit admin
set password <new-password_str> ''
end
exit

where <new-password_str> is the password for the administrator account named admin.

FortiWeb logs you out. To continue working in the CLI, you must log in again using the new password.

If you have configured admin-lockout-threshold and admin-lockout-

duration via CLI, FortiWeb will lock the account according to the login failure
times and lockout duration you have set. See FortiWeb CLI Reference for details.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 103

Setting the system time & date

You can either manually set the FortiWeb system time or configure the FortiWeb appliance to automatically keep its
system time correct by synchronizing with a Network Time Protocol (NTP) server.

For many features to work, including scheduling, logging, and SSL/TLS-dependent

features, the FortiWeb system time must be accurate.

To configure the system time via the web UI

1. Go to System > Maintenance > System Time.

The Time Settings dialog appears in a pop-up window.
Alternatively, go to System > Status > Status. In the System Information widget, in the System Time row,
click Change.
To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the Maintenance category. For details, see Permissions on page 56.
2. For Time Zone, select the time zone where FortiWeb is located.
3. If you want FortiWeb to automatically synchronize its clock with an NTP server (recommended), configure these
settings:

Synchronize with NTP Select this option to automatically synchronize the date and time of
Server the FortiWeb appliance’s clock with an NTP server, then configure the
Server on page 103 and Sync Interval on page 103 before you click
Apply.
Server Type the IP address or domain name of an NTP server or pool, such
as pool.ntp.org. IPv4 and IPv6 address are both supported here.
To find an NTP server that you can use, go to http://www.ntp.org.

Sync Interval Enter how often in minutes the FortiWeb appliance should
synchronize its time with the NTP server. For example, entering 1440
causes the FortiWeb appliance to synchronize its time once a day.

NTP requires that FortiWeb be able to connect to the Internet on UDP port 123.

Otherwise, select Set Time, then manually set the current date and time. If you want FortiWeb to automatically
adjust its own clock when its time zone changes between daylight saving time (DST) and standard time, enable
Automatically adjust clock for daylight saving changes.The clock will be initialized with the manually
specified time when you click OK.
4. Click OK.
If you manually configured the time, or if you enabled NTP and the NTP query for the current time succeeds, the new
clock time should appear for the System Time in the System Information widget. (If the query reply is slow, you may
need to wait a couple of seconds, then click Refresh to update the display in System time.)

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 104

If the NTP query fails, the system clock will continue without adjustment. If FortiWeb’s time was 3 hours late, for
example, the time will still be 3 hours late. Verify your DNS server IPs, your NTP server IP or name, routing, and that
your firewalls or routers do not block or proxy UDP port 123.

To configure NTP via the CLI

To synchronize with an NTP server, enter the following commands:

config system global
set ntpsync enable
set timezone <timezone_index>
set ntpserver {<server_fqdn> | <server_ipv4> | <server_ipv6>}
end

where:
l <timezone_index> is the index number of the time zone in which the FortiWeb appliance is located (to view the
list of valid time zones and their associated index numbers, enter a question mark)
l {<server_fqdn> | <server_ipv4> | <server_ipv6>} is a choice of either the IPv4 address, IPv6
address, or fully qualified domain name (FQDN) of the NTP server, such as pool.ntp.org

If your NTP query succeeds, the new clock time should appear when you enter the command:
get system status

To manually set the date and time via the CLI

To manually configure the FortiWeb appliance’s system time and disable the connection to an NTP server, enter the
following commands:
config system global
set ntpsync disable
set timezone <timezone_index>
set dst {enable | disable}
end
execute time <time_str>
execute date <date_str>

where:
l <timezone_index> is the index number of the time zone in which the FortiWeb appliance is located (to view the
list of valid time zones and their associated index numbers, enter a question mark)
l dst {enable | disable} is a choice between enabling or disabling daylight saving time (DST) clock
adjustments
l <time_str> is the time for the time zone in which the FortiWeb appliance is located according to a 24-hour clock,
formatted as hh:mm:ss (hh is the hour, mm is the minute, and ss is the second)
l <date_str> is the date for the time zone in which the FortiWeb appliance is located, formatted as yyyy-mm-dd
(yyyy is the year, mm is the month, and dd is the day)

See also

l System Information widget on page 683

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 105

Setting the operation mode

Once the FortiWeb appliance is mounted and powered on, you have physically connected the FortiWeb appliance to
your overall network, and you have connected to either the FortiWeb appliance’s web UI or CLI, you must configure the
operation mode.
You will usually set the operation mode once when setting up FortiWeb. Exceptions include if you install the FortiWeb
appliance in Offline Protection mode for evaluation or transition purposes, before deciding to switch to another mode for
more feature support in a permanent deployment. See also Switching out of Offline Protection mode on page 215.

The physical topology must match the operation mode. For details, see Planning
the network topology on page 66 and How to choose the operation mode on page
70.

FortiWeb models that use Data Plane Development Kit (DPDK) for packet processing (for example, models 3000E,
3010E and 4000E) reboot automatically when you change the operation mode to or from Offline Protection.

To configure the operation mode via the web UI

Back up your configuration before changing the operation mode. For details, see
Backups on page 322. Changing modes deletes any policies not applicable to the
new mode, all static routes, V-zone IPs, TCP SYN flood protection settings, and
VLANs. You also must re-cable your network topology to suit the operation mode,
unless you are switching between the two transparent modes, which have similar
network topology requirements.

1. Go to System > Config > Operation.

Alternatively, go to System > Status > Status. In the System Information widget, next to Operation Mode,
click Change.
To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the System Configuration category. For details, see Permissions on page 56.
2. From Operation Mode, select one of the following modes:
l Reverse Proxy
l Offline Protection
l True Transparent Proxy
l Transparent Inspection
l WCCP
For details, see How to choose the operation mode on page 70.
If you are selecting True Transparent Proxy, Transparent Inspection mode, or WCCP, configure the following:
Management IP—Specify the IP address to access the web UI. FortiWeb assigns this management IP address to
port1.
Default Gateway—Set to the IP address of the next hop router.
3. Click Apply.
4. If you have not yet adjusted the physical topology to suit the new operation mode, see Planning the network
topology on page 66. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers,
and enable or disable SSL on your web servers.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 106

To configure the operation mode via the CLI

Back up your configuration before changing the operation mode. For details, see
Backups on page 322. Changing modes deletes any policies not applicable to the
new mode, all static routes, V-zone IPs, and VLANs. You may also need to re-cable
your network topology to suit the operation mode. Exceptions may include switching
between the two transparent modes, which have similar network topology
requirements.

1. Enter the following commands:

config system settings
set opmode {offline-protection | reverse-proxy | transparent | transparent-inspection
| wccp}
end
where {offline-protection | reverse-proxy | transparent | transparent-inspection|
wccp} specifies the operation mode.
2. If you are changing to True Transparent Proxy, Transparent Inspection, or WCCP mode, also enter the following
commands:
config system settings
set gateway <gateway_ipv4>
end
where <gateway_ipv4> is the IP address of the gateway router. For details, see Adding a gateway on page 142.
FortiWeb will use the gateway setting to create a corresponding static route under config router static
with the first available index number. Packets will egress through port1, the hard-coded management network
interface for the transparent and WCCP operation modes.
3. If you have not yet adjusted the physical topology to suit the new operation mode, see Planning the network
topology on page 66. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers,
and enable or disable SSL/TLS on your web servers.

See also

l Planning the network topology on page 66

l Configuring the network settings on page 124
l Adding a gateway on page 142
l Configuring a bridge (V-zone) on page 133
l Configuring virtual servers on your FortiWeb on page 199
l How operation mode affects server policy behavior on page 217

Configuring High Availability (HA) basic settings

If you want to deploy the FortiWeb appliances in HA mode, it's recommended to first complete the HA basic settings
introduced in this topic before you start setting other configurations.
When basic settings are done, there will be heartbeat links between the HA member to synchronize configuration. The
active unit’s configuration is almost entirely synchronized to the passive appliance, so that changes made to the active
appliance are propagated to the standby or slave appliance, ensuring that it is prepared for a failover. See
Synchronization on page 116 for configurations and data that are synchronized in HA group.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 107

HA requirements
l For active-passive HA, you need two identical physical FortiWeb appliances; for standard or high volume active-
active HA, you need two or more (up to eight) identical physical FortiWeb appliances and firmware versions. For
introductions on the HA modes, see FortiWeb high availability (HA) on page 48.
l Redundant network topology: if the active or master appliance fails, physical network cabling and routes must be
able to redirect web traffic to the standby or slave appliances. For details, see Topologies for high availability (HA)
clustering on page 80.
l At least one physical port on each HA appliance connected via crossover cables, or through switches. For details,
see HA heartbeat on page 114.
l For FortiWeb-VM:
l A valid license for all HA members. You cannot configure HA with trial licenses.
l Configure the vNetwork interfaces that carry heartbeat and synchronization traffic to operate in promiscuous
mode and accept MAC address changes.
l Ensure the HA members have the same number of ports and are configured with the same amount of memory
and vCPUs.

FortiWeb-VM supports HA. However, if you do not wish to use the native HA, you
can use your hypervisor or VM environment manager to install your virtual
appliances over a hardware cluster to improve availability. For example, VMware
clusters can use vMotion or VMware HA.

Basic settings

Basic settings apply for all the HA modes, including active-passive, standard active-active, and high volume active-
active modes.
To configure HA:
1. If the HA group will use FortiGuard services, license all FortiWeb appliances in the HA group, and register them
with the Fortinet Customer Service & Support website:
https://support.fortinet.com/
FortiWebs in an HA group use the FortiGuard Distribution Server (FDS) to validate licenses and contracts. The
master appliance maintains a connection with the FDS, and each slave appliance verifies its license status via the
master appliance's connection. The master appliance will also use the connection with the FDS to forward contract
information to each slave appliance.

If you license only the primary appliance in an HA group, after a failover, the
secondary appliance will not be able to use the FortiGuard service. This could
cause traffic to be scanned with out-of-date definitions, potentially allowing
newer attacks.

2. Cable both appliances into a redundant network topology.

For details, see Configuring redundant interfaces on page 140.
3. Physically link the FortiWeb appliances that will be members of the HA group.
For the HA group, you must link at least one of their ports (e.g. port4 to port4) for heartbeat and synchronization
traffic between members of the HA group. You can either:
l Link two appliances directly via a crossover cable (for only two appliances in a group)
l Link the appliances through a switch (for more than two appliances in a group)

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 108

If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be reachable by Layer 2
multicast. To improve fault tolerance and reliability, link the ports through two separate switches. Do not connect
these switches to your overall network, which could introduce a potential attack point, and could also allow network
load to cause latency in the heartbeat, which could cause an unintentional failover.
Note: If the heartbeat is accidentally interrupted for an active-passive HA group, such as when a network cable is
temporarily disconnected, the secondary appliance will assume that the primary unit has failed, and become the
new primary appliance. If no failure has actually occurred, both FortiWeb appliances will be operating as primary
appliances simultaneously.

To avoid unintentional failovers due to accidental detachment or hardware

failure of a single heartbeat link, make two heartbeat links.

For example, you might link port3 to port3 on the other appliance, and link
port4 to port4 on the other appliance, then configure both appliances to use
those network interfaces for heartbeat and synchronization.

4. Log in to all the appliances as the admin administrator account.

Accounts whose access profile includes Read and Write permissions to the System Configuration area can
configure HA, but may not be able to use features that may be necessary when using HA, such as logs and network
configuration.
5. On all the appliances, go to System > High Availability > Settings.
To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the System Configuration category. For details, see Permissions on page 56.
By default, each FortiWeb appliance operates as a single, standalone appliance: only the Configured HA mode
drop-down list appears, with the Standalone option selected.
6. For Mode, select Active-Passive, Active-Active-Standard, or Active-Active-High Volume as desired.

Fail-open is disabled when the FortiWeb appliance is configured as part of an HA

pair. For details about fail-to-wire, see Fail-to-wire for power loss/reboots on
page 667.

Additional options appear that enable you to configure HA.

7. Configure these settings:

Device Priority Type the priority of the appliance when selecting the active-passive primary (or active-
active master) appliance in the HA group. On active-passive standby or active-active
slave devices, this setting can be reconfigured using the CLI command execute ha
manage <serial-number_str> <priority_int>. For details, see FortiWeb
CLI Reference.
This setting is optional. The smaller the number, the higher the priority. The valid range is
0 to 9. The default is 5.
Note: By default, unless you enable Override on page 108, uptime is more important
than this setting. For details, see How HA chooses the active appliance on page 115.

Override Enable to make Device Priority on page 108 a more important factor than uptime when
selecting the main appliance. See How HA chooses the active appliance on page 115.

Group-name Type a name to identify the HA pair if you have more than one.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 109

This setting is optional, and does not affect HA function.

The maximum length is 63 characters.

Group ID Type a number that identifies the HA group.

All the members of the HA group must have the same group ID. If you have more
than one HA group on the same network, each HA group must have a different group ID.
Changing the group ID changes the group’s virtual MAC address.
The valid range is 0 to 63. The default value is 0.

Session Pickup Available only in Active-Active-Standard mode.

Enable so that the master unit in the HA group synchronizes the session table with all
group units. If a group unit fails, the HA session table information is available to the
remaining group units which can use the session table to resume connections without
interruption.
Enable for session fail-over protection. If this is not required, disabling may reduce CPU
usage and reduce HA heartbeat network bandwidth usage.
Note: Only sessions that have been established for longer than 30 seconds will be
synchronized.

Layer 7 Enable so that FortiWeb enforces session persistence between the master and slave
Persistence appliances at the application layer.
Synchronization Note: This option is available only when the Mode is Active-Passive.
Monitor Interface Select one or more network interfaces that each directly correlate with a physical link.
These ports will be monitored for link failure.

Port monitoring (also called interface monitoring) monitors physical network ports to verify
that they are functioning properly and linked to their networks. If the physical port fails or
the cable becomes disconnected, a failover occurs. You can monitor physical interfaces,
but not VLAN subinterfaces or 4-port switches.

If you select a link aggregate interface, failover occurs only if all the physical network
interfaces in the logical interface fail. For details, see Link aggregation on page 136.

Note: To prevent an unintentional failover, do not configure port monitoring until you
configure HA on all the appliances in the HA group, and have plugged in the cables to link
the physical network ports that will be monitored.

Heartbeat Select which port(s) on this appliance that all the appliances will use to send heartbeat
Interface signals and synchronization data (configuration synchronization for active-passive HA, or
configuration and session synchronization for active-active HA) between each other (i.e.
the HA heartbeat link).
Connect this port to the same port number on the other HA group members. (e.g., If you
select port3 for the primary heartbeat link, connect port3 on this appliance to port3 on
the other appliances.)
At least one heartbeat interface must be selected on each appliance in the HA group.
Ports that currently have an IP address assigned for other purposes (that is, virtual servers
or bridges) cannot be re-used as a heartbeat link.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 110

If a switch is used to connect the heartbeat interfaces, the heartbeat interfaces must be
reachable by Layer 2 multicast.
If a port is selected as the heartbeat interface, then MTU will be automatically changed
from the default 1500 to 1400 to establish HA connection in VXLAN environments.
Tip: If enough ports are available, you can select both a primary heartbeat interface and
a secondary heartbeat interface on each appliance in the HA pair to provide heartbeat link
redundancy. (You cannot use the same port as both the primary and secondary heartbeat
interface on the same appliance, as this is incompatible with the purpose of link
redundancy.)
Note: The master appliance uses the heartbeat interface to synchronize its session table
to other appliances in an Active-Active-Standard HA group by default. However, you
can use extra interfaces for the session synchronization by configuring set session-
sync-dev <port_number> in CLI command config system ha. Moreover, the
appliance synchronizes sessions to others in unicast by default, but you can choose to
synchronize sessions via broadcasting by configuring set session-sync-
broadcast {enable|disable} in the CLI command config system ha.
Broadcasting is recommended if an Active-Active-Standard HA group contains many
appliances. For details, see FortiWeb CLI Reference.

Reserved This option applies to active-passive and standard active-active modes.

Management Enable to reserve network interfaces for this HA member. The configurations of the
Interface reserved interfaces, including the IP address and other settings, are not synchronized
with other HA members.
The reserved network interface can be used for the administrative access to the GUI and
CLI of this member. You can also use it to connect this member to back-end servers that
are not in the server pool of the HA group. If the reserved network interfaces are not in the
same subnet with the management computer or the back-end servers, you need to
configure the next-hop gateways in HA Static Route or HA Policy route.
The configurations in the Static Route and Policy Route (System > Network > Route)
are synchronized by all the HA members, but the configurations in HA Static Route or
HA Policy route are applied only to this specific member.
For details on the static route and policy route, see Adding a gateway and Creating a
policy route.
Interface Specifies the network interfaces to be reserved. The interfaces that are already used in
the HA group configuration are excluded from the list.

HA Health Check Enable to check whether the server policies are running properly on the HA group.
Available only if the HA mode is Active-Active-Standard.

8. Click Apply.
All the appliances join the HA group by matching their Group ID on page 109. They begin to send heartbeat and
synchronization traffic to each other through their heartbeat links.
To determine which appliance currently has the role of the main appliance, on System > High Availability >
Settings, in the HA Member table, view the HA Role column:
l main/master—The appliance in this row is currently active. The active appliance applies policies to govern
the traffic passing to your web servers. Also called the primary, master, or main appliance.
l standby—The appliance in this row is currently passive, and is not actively applying policies. The passive
appliance listens to heartbeat traffic and port monitoring for signs that the main appliance may have become

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 111

unresponsive, at which point it will assume the role of the main appliance. Also called the secondary or
standby appliance.
l slave—The appliance in this row is the slave node in active-active modes.
If both appliances believe that they are the main:
l Test the cables and/or switches in the heartbeat link to verify that the link is functional.
l Verify that you have selected the heartbeat port or ports in Heartbeat Interface on page 109. Make sure that
the primary and secondary link is not crossed (that is, the primary heartbeat interface is not connected to the
secondary heartbeat interface on the other appliance).
l Verify that the Group ID on page 109 matches on both appliances.
l Verify that the ports on Monitor Interface on page 109 are linked and up (available).
l If the heartbeat link passes through switches and/or routers, you may need to adjust the time required after a
reboot to assess network availability before electing the main appliance. To do this, use the the boot-time
<seconds_int> command. For details, see FortiWeb CLI Reference.
l For debugging logs, use the diagnose system ha status and diagnose debug application
hatalk level commands. For details, see FortiWeb CLI Reference.
9. To monitor the HA group for failover, you can use SNMP (see Configuring an SNMP community on page 729), log
messages (see Configuring logging on page 700), and alert email (see Alert email on page 724).
If the failover time is too long, from the CLI, enter config system ha and configure these settings:

arps <arp_int> Enter the number of times that the FortiWeb appliance will broadcast address resolution
protocol (ARP) packets (IPv4 environment) or Neighbor Solicitation (NS) packets (IPv6
environment) when it takes on the main role. Even though a new NIC has not actually
been connected to the network, FortiWeb does this to notify the network that a different
physical port has become associated with the IP address and virtual MAC of the HA pair.
This is sometimes called “using gratuitous ARP packets to train the network,” and can
occur when the main appliance is starting up, or during a failover. Also configure arp-
interval <seconds_int> on page 111.
Normally, you do not need to change this setting. Exceptions include:
l Increase the number of times the main appliance sends gratuitous ARP packets if
your HA pair takes a long time to fail over or to train the network. Sending more
gratuitous ARP packets may help the failover to happen faster.
l Decrease the number of times the main appliance sends gratuitous ARP packets if
your HA pair has a large number of VLAN interfaces and virtual domains. Because
gratuitous ARP packets are broadcast, sending them may generate a large amount
of network traffic. As long as the HA pair still fails over successfully, you could reduce
the number of times gratuitous ARP packets are sent to reduce the amount of traffic
produced by a failover.
The valid range is 1–16. The default value is 10.

arp-interval Enter the number of seconds to wait between each broadcast of ARP/NS packets.
<seconds_int> Normally, you do not need to change this setting. Exceptions include:
l Decrease the interval if your HA pair takes a long time to fail over or to train the
network. Sending ARP packets more frequently may help the failover to happen
faster.
l Increase the interval if your HA pair has a large number of VLAN interfaces and
virtual domains. Because gratuitous ARP packets are broadcast, sending them may
generate a large amount of network traffic. As long as the HA pair still fails over
successfully, you could increase the interval between when gratuitous ARP packets

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 112

are sent to reduce the rate of traffic produced by a failover.

The valid range is 1–20. The default value is 3.

Even when a FortiWeb appliance broadcasts gratuitous ARP/NS packets once it

takes on the master role after a failover occurs, some equipment in the network
may not immediately detect that there is a new primary unit in the group. To
make sure that all equipment defects the failover, you can use the following CLI
command:
config system ha
set link-failed-signal enable
end
For details, see FortiWeb CLI Reference.

If your HA link passes through switches and/or routers, and inadvertent failovers
occur when rebooting the HA pair, you can increase the maximum time to wait for a
heartbeat signal after a reboot by configuring boot-time <limit_int>. See
FortiWeb CLI Reference.

Configuring redundant interfaces in HA

You can create an HA group with redundant interfaces that eliminate potential single points of failure. Redundant
interfaces consist of at least two physical interfaces. At any given time, only one of the physical interfaces has traffic
going through it; the other interfaces act as backups in the event that the active interface fails.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 113

This is an example of an HA group with redundant interfaces:

For details, see Configuring redundant interfaces on page 140.

Checking your HA topology information and statistics

After completing your HA deployment, you can manage the HA topology and view information and statistics for each HA
unit.
Go to System > High Availability > HA Topology. From here, you can select the master unit or slaves in the group,
and a pop-up window will appear with the option to disconnect them. If you select a slave in the group, the pop-up will
also provide options to view its attack logs, event logs, and traffic logs. On the log page, you can click the Download
button to download the logs of the slaves. To view logs for the master unit in the group, go to Log&Report > Log
Access and select the log(s) you want to view.
From System > High Availability > HA Topology, click View HA Statistics in the top right corner of the window.
The following information about each unit in the group is displayed:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 114

For best fault tolerance, make sure that your topology is fully redundant, with no
single points of failure.

For example, in the above image, the switch, firewall, and Internet connection are
all single points of failure. If any should fail, websites would be unavailable despite
the HA group. To prevent this, you would add a dual ISP connection to separate
service providers, preferably with their own redundant pathways upstream. You
would also add a standby firewall, and a standby switch. For details, see Configuring
redundant interfaces on page 140.

HA heartbeat & active node election

HA heartbeat

You can group multiple FortiWeb appliances together as a high availability (HA) group (see FortiWeb high availability
(HA) on page 48). The heartbeat traffic indicates to other appliances in the HA group that the appliance is up and
“alive.”
Heartbeat traffic between HA members occurs over the physical network ports selected in Heartbeat Interface.
Heartbeat traffic uses multicast on port number 6065 and the IP address 239.0.0.1. The HA IP addresses are hard-
coded and cannot be modified.

Ensure that switches and routers that connect to heartbeat interfaces are configured
to allow level2 frames. See Normal IP packets are 802.3 packets that have an
Ethernet type (Ethertype) field value of 0x0800. Ethertype values other than 0x0800
are understood as level2 frames rather than IP packets. on page 115.

Failover is triggered by any interruption to either the heartbeat or a port monitored network interface whose length of
time exceeds your configured limits (Detection Interval and Heartbeat Lost Threshold). When the active (or master)
appliance becomes unresponsive, the standby (or slave) appliance:
1. Assumes the virtual MAC address of the failed primary unit and broadcasts ARP/NS packets so that other
equipment in the network will refresh their MAC forwarding tables and detect the new primary unit
2. Assumes the role of the active appliance and scans network traffic
The heartbeat timeout is calculated by:
Heartbeat timeout = Detection Interval x Heartbeat Lost Threshold
Time required for traffic to be redirected to the new active appliance varies by your network’s responsiveness to
changeover notification and by your configuration:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 115

Total failover time = ARP/NS Packet Numbers x ARP/NS Packet Interval(sec) + Network responsiveness +
Heartbeat timeout
For example, if:
l Detection Interval is 3 (i.e. 0.3 seconds)
l Heartbeat Lost Threshold is 2
l ARP/NS Packet Numbers is 3
l ARP/NS Packet Interval (sec) is 1
l Network switches etc. take 2 seconds to acknowledge and redirect traffic flow
then the total time between the first unacknowledged heartbeat and traffic redirection could be up to 5.6 seconds.

The above settings can be configured in the CLI using the system ha command.
For details, see FortiWeb CLI Reference.

Normal IP packets are 802.3 packets that have an Ethernet type (Ethertype) field value of 0x0800. Ethertype values
other than 0x0800 are understood as level2 frames rather than IP packets.
By default, HA uses the following Ethertypes:
l Ethertype 0x8890—For HA heartbeat packets that HA members use to find other member and to verify the status
of other members while the HA group is operating.
l Ethertype 0x8893—For HA sessions that synchronize the HA configurations.
Because heartbeat packets are recognized as level2 frames, the switches and routers that connect to heartbeat
interfaces require a configuration that allows them. If these network devices drop level2 frames, they prevent heartbeat
traffic between the members of the HA group.
In some cases, if you connect and configure the heartbeat interfaces so that regular traffic flows but heartbeat traffic is
not forwarded, you can change the configuration of the switch that connects the HA heartbeat interfaces to allow level2
frames with Ethertypes 0x8890 and 0x8893 to pass.

For HA Ethertype, only numbers between 0x8890–0x889f can be used; also,

different HA Ethertype shall use different numbers.

How HA chooses the active appliance

Members in an HA group may or may not resume their active and standby roles when the failed appliance resumes
responsiveness to the heartbeat.
Since the current active appliance will by definition have a greater uptime than a failed previous active appliance that
has just returned online, assuming each has the same number of available ports, the current active appliance usually
retains its status as the active appliance, unless Override is enabled. If Override is enabled, and if Device Priority of
the returning appliance is higher, it will be elected as the active appliance in the HA group.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 116

If Override is disabled, HA considers (in order):

1. The most available ports

For example, if two FortiWeb appliances, FWB1 and FWB2, were configured to monitor two ports each, and FWB2
has just one port currently available according to Port Monitor, FWB1 would become the active appliance,
regardless of uptime or priority. But if both had 2 available ports, this factor alone would not be able to determine
which appliance should be active, and the HA group would proceed to the next consideration.
2. The highest uptime value
Uptime is reset to zero if an appliance fails, or the status of any monitored port (per Port Monitor) changes.
3. The smallest Device Priority number (that is, 0 has the highest priority)
4. The highest-sorting serial number

Serial numbers are sorted by comparing each character from left to right, where 9
and z are the greatest values, and result in highest placement in the sorted list.

If Override is enabled, HA considers (in order):

1. The most available ports

2. The smallest Device Priority number (that is, 0 has the highest priority)
3. The highest uptime value
4. The highest-sorting serial number
If the heartbeat link occurs through switches or routers, and the active appliance is very busy, it might require more
time to establish a heartbeat link through which it can negotiate to elect the active appliance. You can configure the
amount of time that a FortiWeb appliance will wait after it boots to establish this connection before assuming that
the other appliance is unresponsive, and that it should become the active appliance. For details, see the boot-
time <seconds_int> setting in FortiWeb CLI Reference.

See also

l FortiWeb high availability (HA) on page 48

l Replicating the configuration without FortiWeb HA (external HA) on page 119

Synchronization

The configurations of the active (or master ) node is automatically synchronized to all the members in the HA group.
Synchronization ensures that all appliances in the group remain ready to process traffic, even if you only change one of
the appliances. Synchronization traffic uses TCP on port number 6010 and a reserved IP address.

Configurations synchronized by HA

HA group uses the heartbeat link to automatically synchronize most of their configuration. Synchronization includes:
l Core CLI-style configuration file (fwb_system.conf)
l X.509 certificates, certificate request files (CSR), and private keys
l HTTP error pages
l FortiGuard IRIS Service database

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 117

l FortiGuard Security Service files (attack signatures, predefined data types & suspicious URLs, known web crawlers
& content scrapers, global white list, vulnerability scan signatures)
l FortiGuard Antivirus signatures
l Geography-to-IP database
and occurs immediately when an appliance joins the group, and thereafter every 30 seconds.
Although they are not automatically synchronized for performance reasons due to large size and frequent updates, you
can manually force HA to synchronize. For instructions, see execute ha synchronize in the FortiWeb CLI
Reference (https://docs.fortinet.com/document/fortiweb/).

If you do not want to configure HA (perhaps you have a separate network appliance
implementing HA externally), you can still replicate the FortiWeb’s configuration on
another FortiWeb appliance. For details, see Replicating the configuration without
FortiWeb HA (external HA) on page 119

Data that is not synchronized by HA

In addition to the HA configuration, some data is also not synchronized.

l FortiWeb HTTP sessions—FortiWeb appliances can use cookies to add and track its own sessions, functionality
that is not inherently provided by HTTP. For details, see HTTP sessions & security on page 42. This state-tracking
data corresponds in a 1:1 ratio to request volume, and therefore can change very rapidly. To minimize the
performance impact on an HA group, this data is not synchronized.

Failover will not break web applications’ existing sessions, which do not reside on
the FortiWeb, and are not the same thing as FortiWeb’s own HTTP sessions. The
new active appliance will allow existing web application sessions to continue. For
details, see FortiWeb sessions vs. web application sessions on page 44.
FortiWeb sessions are used by some FortiWeb features. After a failover, these
features may not work, or may work differently, for existing sessions. (New
sessions are not affected.) See the description for each setting that uses session
cookies. For details, see Sessions & FortiWeb HA on page 46.
Note: All sessions that are shorter than 30 seconds will not be synchronized. Only
sessions that have been established for longer than 30 seconds will be
synchronized.

l SSL/TLS sessions—HTTPS connections are stateful in that they must be able to remember states such as the
security associations from the SSL/TLS handshake: the mutually supported cipher suite, the agreed parameters,
and any certificates involved. Encryption and authentication in SSL/TLS cannot function without this. However, a
new primary FortiWeb’s lack of existing HTTPS session information is gracefully handled by re-initializing the
SSL/TLS session with the client.This does not impact to the encapsulated HTTP application, has only an initial
failover impact during re-negotiation, and therefore is not synchronized.
l Log messages—These describe events that happened on that specific appliance. After a failover, you may notice
that there is a gap in the original active appliance’s log files that corresponds to the period of its downtime. Log
messages created during the time when the standby was acting as the active appliance (if you have configured
local log storage) are stored there, on the original standby appliance. For details about configuring local log
storage, see Configuring logging on page 700.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 118

l Generated reports—Like the log messages that they are based upon, PDF, HTML, RTF, and plain text reports
also describe events that happened on that specific appliance. As such, report settings are synchronized, but report
output is not. For details about this feature, see Reports on page 732.
l Machine learning data—Machine learning database is synchronized from the master node to the slave node only
in Active-Passive mode. The data is synchronized every 10 minutes.
In Active-Active modes, the database is not synchronized.

Configuration settings that are not synchronized by HA

All configuration settings on the active FortiWeb are synchronized to the standby or slave FortiWeb except these
settings:

Host name The host name distinguishes each member of the FortiWeb HA group. For
details, see Changing the FortiWeb appliance’s host name on page 666.

Network interfaces In Active-Passsive mode, only the FortiWeb appliance acting as the main
appliance, actively scanning web traffic, is configured with IP addresses on its
(Reverse Proxy or Offline network interfaces (or bridge). The standby appliance only uses the configured
Protection mode only) IP addresses if a failover occurs, and the standby appliance therefore assumes
the role of the main appliance.
or In standard Active-Active mode, all the group members actively scan web traffic.
The IP address configured for the master appliance is synchronized to and used
Bridge by all the group members.
In high volume Active-Active mode, the IPv4 and IPv6 addresses configured for
(True Transparent Proxy or the interfaces on each appliance are not synchronized.
Transparent Inspection mode
For details, see Configuring the network interfaces on page 126 or Configuring a
only)
bridge (V-zone) on page 133.
If you have configured reserved management ports for an HA member, that
configuration, including administrative access and other settings, is not
synchronized.

Firewall In high volume Active-Active mode, the firewall settings configured in System >
Firewall are not synchronized.
In Active-Passive and standard Active-Active modes, the firewall settings are
synchronized to all members.

Static Route/Policy Route In high volume Active-Active mode, the static route and policy route configured in
System > Network > Route are not synchronized.
In Active-Passive and standard Active-Active modes, these settings are
synchronized to all members.

HA Static Route/HA Policy The HA static route and policy route configured in System > High Availability
Route > Settings > HA Static Route/ System > High Availability > Settings >
HA Policy Route are not synchronized to all HA members.
HA static route and policy route are only available in Active-Passive and standard
Active-Active modes.

RAID level RAID settings are hardware-dependent and determined at boot time by looking at
the drives (for software RAID) or the controller (hardware RAID), and are not
stored in the system configuration. Therefore, they are not synchronized. For

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 119

details, see RAID level & disk statuses on page 697.

HA active status and priority The HA configuration, which includes FortiWeb high availability (HA) on page 48,
is not synchronized because this configuration must be different on the primary
and secondary appliances.

Replicating the configuration without FortiWeb HA (external HA)

Configuration synchronization provides the ability to duplicate the configuration from another FortiWeb appliance
without using FortiWeb high availability (HA). The synchronization is unilateral push; it is not a bilateral
synchronization. It adds any missing items, and overwrites any items that are identically named, but does not delete
unique items on the target FortiWeb, nor does it pull items from the target to the initiating FortiWeb.
Replicating the configuration can be useful in some scenarios where you cannot use, or do not want, FortiWeb HA:
l External active-active HA (load balancing) could be provided by the firewall, the router, or an HTTP-aware load
balancer such as FortiADC.
l External active-passive HA (failover) could be provided by a specialized failover device, instead of the FortiWebs
themselves, for network load distribution, latency, and performance optimization reasons. The failover device must
monitor for live routes.
l Multiple identical non-HAFortiWeb appliances in physically distant locations with the same network scheme
might be required to have the same (maybe with a few extra different) server policies, and therefore management
could be simplified by configuring one FortiWeb and then replicating that to the others.
In such cases, you may be able to save time and preserve your existing network topology by synchronizing a FortiWeb
appliance’s configuration with another FortiWeb. This way, you do not need to individually configure each one, and do
not need to use FortiWeb HA.
This is an example of a configuration synchronization network topology:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 120

FortiGate FortiWeb
Client
Web
Server
Farm 1
Switch
Router
Configuration
Synchronization

FortiWeb
Router Web
Server
Farm 2
FortiGate Switch

FortiWeb

Administrator

FortiGate

Web
Server Switch
Farm 3

Configuration synchronization is not a complete replacement for HA. Each

synchronized FortiWeb does not keep any heartbeat link (no failover will occur and
availability will not be increased) nor does it load balance with the other.
Additionally, configuration synchronization will not delete items on the target
FortiWeb if the item’s name is different. Also it will not import items that exist on the
target, but not on your local FortiWeb.
If you require such features, either use FortiWeb HA instead, or augment
configuration synchronization with an external HA/load balancing device such as
FortiADC.

Like HA, due to hardware-based differences in valid settings, configuration synchronization requires that both FortiWeb
appliances be of the same model. You cannot, for example, synchronize a FortiWeb-VM and FortiWeb 1000D.
You can configure which port number the appliance uses to synchronize its configuration. For details, see Config-Sync
on page 60.
Synchronize each time you change the configuration, and are ready to propagate the changes. Unlike
FortiWeb HA, configuration synchronization is not automatic and continuous. Changes will only be pushed when you
manually initiate it.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 121

To replicate the configuration from another FortiWeb

Back up your system before changing the operation mode (see Backups on page
322). Synchronizing the configuration overwrites the existing configuration, and
cannot be undone without restoring the configuration from a backup.

1. Go to System > Config > Config-Synchronization.

To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the Network Configuration category. For details, see Permissions on page 56.
2. For Peer FortiWeb IP, enter the IP address of the target FortiWeb appliance that you want to receive
configuration items from your local FortiWeb appliance.
3. For Peer FortiWeb Port, enter the port number that the target FortiWeb appliance uses to listen for configuration
synchronization. The default port is 995.
4. For Peer FortiWeb 'admin' user password, enter the password of the administrator account named admin on
the other FortiWeb appliance.
5. For Synchronization Type, select one of the following options:

Full For all compatible operation modes except WCCP, synchronizes all
configuration except:
lSystem > Admin > Administrator (config system admin)
l System > Admin > Profiles (config system admin
accprofile)
l System > Config > Config Synchronization (config system
conf-sync)
l System > Config > HA (config system ha)
l System > Config > SNMP (config system snmp
sysinfo/community/user)
l System > Maintenance > Backup & Restore > FTP Backup
(config system backup)
When the operation mode is WCCP, synchronizes all configuration except:
l System > Admin > Administrator (config system admin)
l System > Admin > Profiles (config system admin
accprofile)
l System > Config > Config Synchronization (config system
conf-sync)
l System > Config > HA (config system ha)
l System > Network > Interface (config system interface)
l System > Config > WCCP Client (config system wccp)
l System > Config > SNMP (config system snmp
sysinfo/community/user)
l System > Maintenance > Backup & Restore > FTP backup
(config system backup)
l System > Network > Route > Static Route (config router
static)
l System > Network > Route > Policy Route (config router
policy)

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 122

Note: This option is not available if the FortiWeb appliance is operating in

Reverse Proxy mode. For details, see Supported features in each operation
mode on page 71.

Partial Synchronizes all configurations except:

l System > Network > Interface (config system interface)
l System > Network > Fail-open (config system fail-open)
l System > Network > DNS (config system dns)
l System > Network > V-zone (config system v-zone)
l System > Config > Config Synchronization (config system
conf-sync)
l System > Admin (config system
admin/accprofile/settings/admin-certificate
local/ca)
l System > Config > FDS Proxy (config system fds proxy
override/schedule)
l System > Config > HA (config system ha)
l System > Config > HSM (config system hsm)
l System > Config > SNMP (config system snmp
sysinfo/community/user)
l System > Config > RAID (config system raid)
l System > Firewall (config system firwall
address/service/firewall-policy/snat-policy)
l System > Config > FortiSandbox > FortiSandbox-Statistics
(config system fortisandbox-statistics)
l System > Config > WCCP Client (config system wccp)
l System > Network > Route > Policy Route (config router
policy)
l System > Network > Route > Static Route (config router
static )
l System > Maintenance > Backup & Restore > FTP Backup
(config system backup)
l User > PKI User (config user pki user)
l User > User Group > Admin Group (config user admin-
usergrp)
l Server Objects > Service (config server-policy service
custom/predefined)
l Server Objects > Server > Virtual Server (config server-
policy vserver)
l Server Objects > Server > Server Pool (config server-policy
server-pool)
l Server Objects > Server > Health Check (config server-
policy helth)
l Policy > Server Policy (config server-policy policy)
l System > Certificate (config system certificate)
l config system global
l config system console
l config system ip-detection

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 123

l config system network-option

l config system fips-cc
l config system tcpdump
l config router setting
l config system antivirus
For a detailed list of settings that are excluded from a partial synchronization,
including CLI-only settings, see the FortiWeb CLI
Reference: https://docs.fortinet.com/document/fortiweb/

To test the connection settings, click Test. Results appear in a pop-up window. If the test connection to the target
FortiWeb succeeds, this message should appear:
Service is available...
If the following message appears:
Service isn't available...
verify that:
l the other FortiWeb is the same model
l the other FortiWeb is configured to listen on your indicated configuration sync port number (see Config-Sync
on page 60)
l the other FortiWeb’s admin account password matches
l firewalls and routers between the two FortiWebs allow the connection
6. Optionally, enable Auto-Sync. This feature allows you to automatically synchronize the configurations hourly,
daily, or weekly. Select one of the following:
Every—Use the hour and minute drop-down menus to select the interval at which the configurations are
synchronized. For example, selecting 5 for hour and 0 for minute will synchronize the configurations every five
hours.
Daily—Use the hour and minute drop-down menus to select the time (24-hour clock) at which the configurations
are synchronized. For example, Selecting 10 for hour and 30 for minute will synchronize the configurations every
day at 10:30.
Weekly—Use the day, hour, and minute drop-down menus to select the day and time of day at which the
configurations are synchronized. For example, selecting Sunday for day, 5 for hour, and 15 for minute will
synchronize the configurations every Sunday at 5:15.
7. Click Push config.
A dialog appears, warning you that all policies and profiles with identical names will be overwritten on the other
FortiWeb, and asking if you want to continue.
8. Click Yes.
The FortiWeb appliance sends its configuration to the other, which synchronizes any identically-named policies and
settings. Time required varies by the size of the configuration and the speed of the network connection. When
complete, this message should appear:
Config. synchronized successfully.

See also

l Topologies for high availability (HA) clustering on page 80

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 124

Configuring the network settings

When shipped, each of the FortiWeb appliance’s physical network adapter ports (or, for FortiWeb-VM, vNICs) has a
default IP address and netmask. If these IP addresses and netmasks are not compatible with the design of your unique
network, you must configure them.

Network Interface* IPv4 Address/Netmask IPv6 Address/Netmask

port1 192.168.1.99/24 ::/0

port2 0.0.0.0/0 ::/0

port3 0.0.0.0/0 ::/0

port4 0.0.0.0/0 ::/0

* The number of network interfaces varies by model.

You also must configure FortiWeb with the IP address of your DNS servers and gateway router.
You can use either the web UI or the CLI to configure these basic network settings.

If you are installing a FortiWeb-VM virtual appliance, and you followed the
instructions in the FortiWeb-VM Install Guide
(http://docs.fortinet.com/fortiweb/hardware), you have already configured some of
the settings for port1. To fully configure all of the network interfaces, you must
complete this chapter.

To configure a network interface or bridge

To connect to the CLI and web UI, you must assign at least one FortiWeb network interface (usually port1) with an IP
address and netmask so that it can receive your connections. Depending on your network, you usually must configure
others so that FortiWeb can connect to the Internet and to the web servers it protects.
How should you configure the other network interfaces? Should you add more? Should each have an IP address? That
varies. In some cases, you may not want to assign IP addresses to the other network interfaces.
Initially, each physical network port (or, on FortiWeb-VM, a vNIC) has only one network interface that directly
corresponds to it — that is, a “physical network interface.” Multiple network interfaces (“subinterfaces” or “virtual
interfaces”) can be associated with a single physical port, and vice versa (“redundant interfaces”/”NIC teaming”/”NIC
bonding” or “aggregated links”). These can provide features such as link failure resilience or multi-network links.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 125

VLAN Subnetwork
Releationships of Interfaces
Physical vlanA Bandwidth
Network Interface Network Divided
Interface
Logical Types =1 Port/n

to Physical Network Ports port1 port2

vlanB

port1 port2

Link
Bridging Aggregation
Network Bandwidth
bridge3 Interface agg4 Multiplied
Bandwidth = 1 Port x n
= 1 Port

port3 port4 port5 port6

FortiWeb does not currently support IPSec VPN, so the virtual interfaces for IPSec
VPN are not supported. If you require these features, implement them separately on
your FortiGate, VPN appliance, or firewall.

Usually, each network interface has at least one IP address and netmask. However, this is not true for bridges.
Bridges (V-zones) allow packets to travel between the FortiWeb appliance’s physical network ports over a physical layer
link, without an IP layer connection with those ports.
Use bridges when:
l The FortiWeb appliance operates in True Transparent Proxy or Transparent Inspection mode, and
l You want to deploy FortiWeb between incoming connections and the web server it is protecting, without changing
your IP address scheme or performing routing or network address translation (NAT)
For bridges, do not assign IP addresses to the ports that you will connect to either the web server or to the overall
network. Instead, group the two physical network ports by adding their associated network interfaces to a bridge.
Configure each network interface that will connect to your network or computer (see Configuring the network interfaces
on page 126 or Configuring a bridge (V-zone) on page 133). If you want multiple networks to use the same wire while
minimizing the scope of broadcasts, configure VLANs (see Adding VLAN subinterfaces on page 129).

See also

l Configuring the network interfaces on page 126

l Adding VLAN subinterfaces on page 129

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 126

l Link aggregation on page 136

l Configuring a bridge (V-zone) on page 133

Configuring the network interfaces

You can configure network interfaces either via the web UI or the CLI. If your network uses VLANs, you can also
configure VLAN subinterfaces. For details, see Adding VLAN subinterfaces on page 129.
If the FortiWeb appliance is operating in True Transparent Proxy or Transparent Inspection mode and you will configure
a V-zone (bridge), do not configure any physical network interfaces other than port1. Configured NICs cannot be added
to a bridge. For details, see Configuring a bridge (V-zone) on page 133.
If this FortiWeb will belong to a FortiWeb HA cluster, do not configure any network interface that will be used as an HA
heartbeat and synchronization link. If you are re-cabling your network and must configure it, connect and switch to the
new HA link first. Failure to do so could cause unintentional downtime, failover, and ignored IP address configuration.
To switch the HA link, see FortiWeb high availability (HA) on page 48.
To customize the network interface information that FortiWeb displays when you go to System > Network
> Interface, right-click the heading row. Select and clear the columns you want to display or hide, and then click Apply.

To configure a network interface’s IP address via the web UI

1. Go to System > Network > Interface.

To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the Network Configuration category. For details, see Permissions on page 56.
If the network interface’s Status column is Bring Up, its administrative status is currently “down” and it will not
receive or emit packets, even if you otherwise configure it. To bring up the network interface, click the Bring Up
link.

This Status column is not the detected physical link status; it is the
administrative status that indicates whether you permit network interface to
receive and/or transmit packets.
For example, if the cable is physically unplugged, diagnose hardware nic
list port1 or Operation widget on page 695 may indicate that the link is
down, even though you have administratively enabled it by clicking Bring Up.
By definition, HA heartbeat and synchronization links should always be “up.”
Therefore, if you have configured FortiWeb to use a network interface for HA, its
Status column will always display HA Member.

2. Double-click the row of the network interface that you want to modify.
The Edit Interface dialog appears. Name displays the name and media access control (MAC) address of this
network interface. The network interface is directly associated with one physical link as indicated by its name, such
as port2.
In HA, it may use a virtual MAC instead. For details, see HA heartbeat on page 114 and FortiWeb high availability
(HA) on page 48.
3. Configure these settings:

Addressing Mode Specify whether FortiWeb acquires an IPv4/IPv6 address for this
network interface manually or using DHCP.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 127

IP/Netmask Type the IP address and subnet mask, separated by a forward slash
( / ), such as 192.0.2.2/24 for an IPv4 address or
2001:0db8:85a3:::8a2e:0370:7334/64 for an IPv6 address.

The IP address must be on the same subnet as the network to which

the interface connects. Two network interfaces cannot have IP
addresses on the same subnet.
In Active-Passive and Standard Active-Active HA modes, the IPv6
DAD feature is by default disabled, which means FortiWeb won't
know whether the IPv6 address of its network interface is conflicted
with other devices connected with it. You can run the following
command on the master node to enable this feature:
config system global
set ipv6-dad-ha enable
end
The IP address conflict detection is a one-time action executed only
when you configure the IPv6 address of the network interface. It will
not be performed again upon reboot or failover even if there are
conflicted IP addresses.

Administrative Access Enable the types of administrative access that you want to permit to
this interface.

These options do not disable outgoing administrative connections,

such as update polling connections to the FDN or outgoing ICMP
resulting from a CLI command such as execute ping. Neither do
they govern traffic destined for a web server or virtual server, which
are governed by policies. These options only govern incoming
connections destined for the appliance itself.

Caution: Enable only on network interfaces connected to trusted

private networks (defined in Trusted Host #1 on page 330, Trusted
Host #2 on page 330, Trusted Host #3 on page 330) or directly to your
management computer. If possible, enable only secure
administrative access protocols such as HTTPS or SSH. Failure to
restrict administrative access could compromise the security of your
FortiWeb appliance.

HTTPS Enable to allow secure HTTPS connections to the web UI through this
network interface. To configure the listening port number, see Global
web UI & CLI settings on page 59.

PING Enable to allow:

l ICMP type 8 (ECHO_REQUEST)
l UDP ports 33434 to 33534

for ping and traceroute to be received on this network interface.

When it receives an ECHO_REQUEST (“ping”), FortiWeb will reply with
ICMP type 0 (ECHO_RESPONSE or “ping”).

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 128

Note: Disabling PING only prevents FortiWeb from receiving ICMP

type 8 (ECHO_REQUEST) and traceroute-related UDP.

It does not disable FortiWeb CLI commands such as execute

ping or execute traceroute that send such traffic.

For the management port, when PING is enabled, to allow execute

ping for the management port, you need to configure the Firewall
rule.

HTTP Enable to allow HTTP connections to the web UI through this network
interface. To configure the listening port number, see Global web UI
& CLI settings on page 59.

The HTTP access to FortiWeb's GUI will be automatically redirected

to HTTPS, so you can't enable HTTP alone, it should be enabled
along with HTTPS.

SSH Enable to allow SSH connections to the CLI through this network
interface.

SNMP Enable to allow SNMP queries to this network interface, if queries

have been configured and the sender is a configured SNMP manager.
To configure the listening port number and configure queries and
traps, see SNMP traps & queries on page 727.

FortiWeb Enable to allow FortiWeb Manager to connect to this appliance using

Manager this network interface.

WCCP Protocol Select if the interface is used to communicate with a FortiGate unit
configured as a WCCP server.

Available only when the operation mode is WCCP.

For details, see Setting the operation mode on page 105 and
Configuring FortiWeb to receive traffic via WCCP on page 201.

Description Type a comment. The maximum length is 63 characters.

Optional.

4. Click OK.
If you were connected to the web UI through this network interface, you are now disconnected from it.
5. To access the web UI again, in your web browser, modify the URL t to match the new IP address of the network
interface. For example, if you configured the network interface with the IP address 10.10.10.5, you would browse
to: https://10.10.10.5

If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to
the FortiWeb appliance, you may also need to modify the IP address and subnet of your computer to match the
FortiWeb appliance’s new IP address.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 129

To configure a network interface’s IPv4 address via the CLI

Enter the following commands:

config system interface
edit <interface_name>
set mode {manual|dhcp}
set ip <address_ipv4mask> <netmask_ipv4mask>
set allowaccess {http https ping snmp ssh telnet}
end

where:
l <interface_name> is the name of a network interface
l {manual|dhcp} specifies how the network interface is addressed.
l <address_ipv4> is the IP address assigned to the network interface
l <netmask_ipv4mask> is its netmask in dotted decimal format
l {http https ping snmp ssh telnet} is a space-delimited list of zero or more administrative protocols
that you want to allow to access the FortiWeb appliance through the network interface

HTTP and Telnet connections are not secure, and can be intercepted by a third
party. If possible, enable this option only for network interfaces connected to a
trusted private network, or directly to your management computer. Failure to restrict
administrative access through this protocol could compromise the security of your
FortiWeb appliance.

If you were connected to the CLI through this network interface, you are now disconnected from it.
To access the CLI again, in your terminal client, modify the address to match the new IP address of the network
interface. For example, if you configured the network interface with the IP address 172.16.1.20, you would connect to
that IP address.
If the new IP address is on a different subnet than the previous IP address, and your computer is directly connected to
the FortiWeb appliance, you may also need to modify the IP address and subnet of your computer to match the
FortiWeb appliance’s new IP address.

Adding VLAN subinterfaces

You can add a virtual local area network (VLAN) subinterface to a network interface or bridge on the FortiWeb appliance,
up to a maximum of 512 VLAN in total.
Similar to a local area network (LAN), use a IEEE 802.1q (http://www.ieee802.org/1/pages/802.1Q.html) VLAN to
reduce the size of a broadcast domain and thereby reduce the amount of broadcast traffic received by network hosts,
improving network performance.
In True Transparent Proxy mode, to expand the VLAN space, Q-in-Q is introduced for FortiWeb to stack 802.1Q and
802.1ad (http://www.ieee802.org/1/pages/802.1Q.html) headers in the Ethernet frame, so that multiple VLANs are
reused in a core VLAN. The 802.1Q VLAN (Ethernet Type = 0x8100) can be packed into the 802.1ad VLAN (Ethernet
Type = 0x88A8). If you create a 802.1ad VLAN per a physical interface, then you can create a 802.1Q VLAN per 802.1ad
VLAN. Packets will be tagged by two VLANs.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 130

VLANs are not designed to be a security measure, and should not be used where
untrusted devices and/or individuals outside of your organization have access to the
equipment. VLAN tags are not authenticated, and can be ignored or modified by
attackers. VLAN tags rely on the voluntary compliance of the receiving host or
switch.

Unlike physical LANs, VLANs do not require you to install separate hardware switches and routers to achieve this effect.
Instead, VLAN-compliant switches, such as FortiWeb appliances, restrict broadcast traffic based upon whether its VLAN
ID matches that of the destination network. As such, VLAN trunks can be used to join physically distant broadcast
domains as if they were close.
The VLAN ID is part of the tag that is inserted into each Ethernet frame in order to identify traffic for a specific VLAN.
VLAN header addition is handled automatically by FortiWeb appliances, and does not require that you adjust the
maximum transmission unit (MTU). Depending on whether the device receiving a packet operates at Layer 2 or Layer 3
of the network, this tag may be added, removed, or rewritten before forwarding to other nodes on the network.
Cisco Discovery Protocol (CDP) is supported for VLANs, including when FortiWeb is operating in either of the
transparent modes.
If your FortiWeb model uses Data Plane Development Kit (DPDK) for packet processing (for example, models 3000E,
3010E and 4000E), you cannot use VLAN subinterfaces as a data capture port for Offline Protection mode. For these
models, remove any VLAN configuration on an interface before you use it for data capture. These models fully support
the capture and transmission of VLAN traffic.

To configure a VLAN subinterface

1. Go to System > Network > Interface.

Name Type the name (for example, vlan100) of this VLAN subinterface
that can be referenced by other parts of the configuration. The
maximum length is 15 characters.

Tip: The name cannot be changed once you save the entry. For a
workaround, see Renaming entries on page 64.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 131

Type Select VLAN .

Interface Select the name of the physical network port with which the VLAN
subinterface will be associated.

VLAN ID Type the VLAN ID , such as 100, of packets that belong to this
VLAN subinterface.
l If one physical network port (that is, a VLAN trunk) will handle
multiple VLANs, create multiple VLAN subinterfaces on that
port, one for each VLAN ID that will be received.
l If multiple different physical network ports will handle the same
VLANs, on each of the ports, create VLAN subinterfaces that
have the same VLAN IDs.
The valid range is between 1 and 4094 and must match the VLAN
ID added by the IEEE 802.1q-compliant router or switch connected
to the VLAN subinterface.
For the maximum number of interfaces for your FortiWeb model,
including VLAN subinterfaces, see Appendix B: Maximum
configuration values on page 865.

VLAN Protocol Select a VLAN type 802.1Q or 802.1ad.

Addressing Mode Specify whether FortiWeb acquires an IPv4/IPv6 address for this
VLAN using DHCP.

IP/Netmask Type the IP address/subnet mask associated with the VLAN, if any.
The IP address must be on the same subnet as the network to which
the interface connects. Two network interfaces cannot have IP
addresses on the same subnet.

Administrative Access Enable the types of administrative access that you want to permit to
this interface.

These options do not disable outgoing administrative connections,

Caution: Enable only on network interfaces connected to trusted

HTTPS Enable to allow secure HTTPS connections to the web UI through this
network interface. To configure the listening port number, see Global
web UI & CLI settings on page 59.

PING Enable to allow:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 132

l ICMP type 8 (ECHO_REQUEST)

l UDP ports 33434 to 33534
for ping and traceroute to be received on this network interface.
When it receives an ECHO_REQUEST (“ping”), FortiWeb will reply with
ICMP type 0 (ECHO_RESPONSE or “pong”).
Note: Disabling PING only prevents FortiWeb from receiving ICMP
type 8 (ECHO_REQUEST) and traceroute-related UDP.
It does not disable FortiWeb CLI commands such as execute
ping or execute traceroute that send such traffic.
HTTP Enable to allow HTTP connections to the web UI through this network
interface. To configure the listening port number, see Global web UI
& CLI settings on page 59.
The HTTP access to FortiWeb's GUI will be automatically redirected
to HTTPS, so you can't enable HTTP alone, it should be enabled
along with HTTPS.

SSH Enable to allow SSH connections to the CLI through this network
interface.

SNMP Enable to allow SNMP queries to this network interface, if queries

have been configured and the sender is a configured SNMP manager.
To configure the listening port number and configure queries and
traps, see SNMP traps & queries on page 727.

FortiWeb Enable to allow FortiWeb Manager to connect to this appliance using

Manager this network interface.

WCCP Protocol Select if the interface is used to communicate with a FortiGate unit
configured as a WCCP server.

Available only when the operation mode is WCCP.

For details, see Setting the operation mode on page 105 and
Configuring FortiWeb to receive traffic via WCCP on page 201.

4. Click OK.
Your new VLAN is initially hidden in the list of network interfaces.
To expand the network interface listing in order to view all of a port’s associated VLANs, click the + (plus sign)
beside the name of the port.

See also

l IPv6 support on page 33

l To configure a network interface or bridge on page 124
l Configuring a bridge (V-zone) on page 133
l Link aggregation on page 136
l Configuring DNS settings on page 150
l Adding a gateway on page 142

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 133

l Fail-to-wire for power loss/reboots on page 667

l Global web UI & CLI settings on page 59

Configuring a bridge (V-zone)

You can configure a bridge either via the web UI or the CLI.
Bridges allow network connections to travel through the FortiWeb appliance’s physical network ports without explicitly
connecting to one of its IP addresses. Due to this nature, bridges are configured only when FortiWeb is operating in
either True Transparent Proxy or Transparent Inspection mode.
Bridges on the FortiWeb appliance support IEEE 802.1d (https://1.ieee802.org) spanning tree protocol (STP) by
forwarding bridge protocol data unit (BPDU) packets, but do not generate BPDU packets of their own. Therefore, in
some cases, you might need to manually test the bridged network for Layer 2 loops. Also, you may prefer to manually
design a tree that uses the minimum cost path to the root switch for design and performance reasons.
True bridges typically have no IP address of their own. They use only media access control (MAC) addresses to describe
the location of physical ports within the scope of their network and do network switching at Layer 2 of the OSI model.
You can configure FortiWeb to monitor the members of bridge. When monitoring is enabled, if a network interface that
belongs to the bridge goes down, FortiWeb automatically brings down the other members.

Using network interface MAC addresses in True Transparent Proxy mode

When the operation mode is True Transparent Proxy, by default, traffic that travels through a bridge to the back-end
servers preserves the MAC address of the source.
If you are using FortiWeb with front-end load balancers that are in a high availability cluster that connects via multiple
bridges, this mechanism can cause switching problems on failover.
To avoid this problem, the config system v-zone command allows you to configure FortiWeb to use the MAC
address of the FortiWeb network interface instead. The option is not available in the web UI. For details, see the
FortiWeb CLI Reference:
http://docs.fortinet.com/fortiweb/reference

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 134

To configure a bridge via the web UI

1. If you have installed a physical FortiWeb appliance, plug in network cables to connect one of the physical ports in
the bridge to your protected web servers, and the other port to the Internet or your internal network.
Because port1 is reserved for connections with your management computer, for physical appliances, this means
that you must plug cables into at least 3 physical ports:
l port1 to your management computer
l one port to your web servers
l one port to the Internet or your internal network
2. If you have installed a virtual FortiWeb appliance (FortiWeb-VM), the number and topology of connections of your
physical ports depend on your vNIC mappings. For details, see the FortiWeb-VM Install Guide:
http://docs.fortinet.com/fortiweb/hardware

To use fail-to-wire, the bridge must be comprised of the ports that have
hardware support for fail-to-wire. For example, on FortiWeb 1000C, this is port3
and port4. See Fail-to-wire for power loss/reboots on page 667 and the
QuickStart Guide for your model.

If you have installed FortiWeb-VM, configure the virtual switch (vSwitch). For details, see the FortiWeb-VM Install
Guide:
http://docs.fortinet.com/fortiweb/hardware
3. Go to System > Network > V-zone.
This option is not displayed if the current operating mode does not support bridges.
To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the Network Configuration category. For details, see Permissions on page 56.
4. Click Create New.
5. Configure these settings:

Name Type a unique name that can be referenced in other parts of the configuration.
The maximum length is 15 characters. The name cannot be changed once
you save the entry. For details, see Renaming entries on page 64.

Interface name Display a list of network interfaces that you can add to a bridge.
Only interfaces that currently have no IP address and are not members of
another bridge are displayed.
To add one or more network interfaces to the bridge, select their names, then
click the right arrow.
Since FortiWeb 6.1 release, vlan subinterfaces including 802.1Q, 802.1ad
and physical interfaces can be configured in one V-zone.
Note: Only network interfaces with no IP address can belong to a bridge.
port1 is reserved for your management computer, and cannot be bridged.
To remove any other network interface’s IP address so that it can be included
in the bridge, set its IP/Netmask on page 127 to 0.0.0.0/0.0.0.0.

Member Displays a list of network interfaces that belong to this bridge.

To remove a network interface from the bridge, select its name, then click the

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 135

left arrow.

Tip: If you will be configuring bypass/fail-to-wire, the pair of bridge ports that
you select should be ones that are wired together to support it. For details,
see Fail-to-wire for power loss/reboots on page 667.

6. Click OK.
The bridge appears in System > Network > V-zone.
7. To configure FortiWeb to automatically bring down all members of this v-zone when one member goes down,
select Member Monitor.
8. To use the bridge, select it in a policy (see Configuring an HTTP server policy on page 242).

To configure a bridge in the CLI

1. If you have installed a physical FortiWeb appliance, connect one of the physical ports in the bridge to your
protected web servers, and the other port to the Internet or your internal network.
Because port1 is reserved for connections with your management computer, for physical appliances, this means
that you must connect at least 3 ports:
l port1 to your management computer
l one port to your web servers
l one port to the Internet or your internal network
2. If you have installed a virtual FortiWeb appliance, the number and topology of connections of your physical ports
depend on your vNIC mappings. For details, see the FortiWeb-VM Install Guide:
http://docs.fortinet.com/fortiweb/hardware
If you have installed FortiWeb as a virtual appliance (FortiWeb-VM), configure the virtual switch. For details, see
the FortiWeb-VM Install Guide:
http://docs.fortinet.com/fortiweb/hardware
3. Enter the following commands:
config system v-zone
edit <v-zone_name>
set interfaces {<port_name> ...}
set monitor {enable | disable}
end
where:
l <v-zone_name> is the name of the bridge
l {<port_name> ...} is a space-delimited list of one or more network ports that will be members of this
bridge. Eligible network ports must not yet belong to a bridge, and have no assigned IP address. For a list of
eligible ports, enter:

set interfaces ?

l set monitor {enable | disable} is an optional setting that specifies whether FortiWeb
automatically brings down all members of this v-zone when one member goes down.
4. To use the bridge, select it in a policy. For details, see Configuring an HTTP server policy on page 242.

See also

l To configure a network interface or bridge on page 124

l Configuring the network interfaces on page 126

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 136

l Link aggregation on page 136

l Adding a gateway on page 142

Configuring virtual IP

The virtual IP addresses are the IP addresses that paired with the domain name of your application. When users visit
your application, the destination of their requests are these IP addresses.
You can later attach one or more virtual IP addresses to a virtual server, and then reference the virtual server in a server
policy. The web protection profile in the server policy will be applied to all the virtual IPs attached to this virtual server.

To configure a virtual IP

1. Go to System > Network > Virtual IP.

Name Enter a unique name that can be referenced by other parts of the
configuration. The maximum length is 63 characters.

IPv4 Address Enter the IP address and subnet of the virtual IP.
IPv6 Address If the FortiWeb appliance is operating in Offline Protection mode or either of
the transparent modes, because FortiWeb ignores this IP address when it
determines whether or not to apply a server policy to the connection, you can
specify any IP address except the address of the web server.
The virtual IP address cannot be the same with the IP address of any one of
the interfaces.

Interface Select the network interface or bridge the virtual IP is bound to and where
traffic destined for the virtual IP arrives.
To configure an interface or bridge, see To configure a network interface or
4. bridge on page 124.

Link aggregation

You can configure a network interface that is the bundle of several physical links via either the web UI or the CLI.

The Link Aggregation Control Protocol (LACP) is currently supported only when
FortiWeb is deployed in Reverse Proxy or True Transparent Proxy mode. It can be
applied to VLAN subinterfaces. It cannot be applied to ports that are used for the HA
heartbeat, but it can be applied to monitor ports in an HA cluster. It is not supported
in FortiWeb-VM.

Link aggregation (also called NIC teaming/bonding or link bundling) forms a network interface that queues and
transmits over multiple wires (also called a port channel), instead of only a single wire (as FortiWeb would normally do
with a single network interface for each physical port). This multiplies the bandwidth that is available to the network
interface, and therefore is useful if FortiWeb will be inline with your network backbone.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 137

Link aggregation on FortiWeb complies with IEEE 802.3ad (http://grouper.ieee.org/groups/802/3/ad/index.html) and

distributes Ethernet frames using a modified round-robin behavior. If a port in the aggregate fails, traffic is redistributed
automatically to the remaining ports with the only noticeable effect being a reduced bandwidth. When broadcast or
multicast traffic is received on a port in the aggregate interface, reverse traffic will return on the same port.
When link aggregation uses a round-robin that considers only Layer 2, Ethernet frames that comprise an HTTP request
can sometimes arrive out of order. Because network protocols at higher layers often do not gracefully handle this
(especially TCP, which may decrease network performance by requesting retransmission when the expected segment
does not arrive), FortiWeb’s frame distribution algorithm is configurable.
For example, if you notice that performance with link aggregation is not as high as you expect, you could try configuring
FortiWeb to queue related frames consistently to the same port by considering the IP session (Layer 3) and TCP
connection (Layer 4), not simply the MAC address (Layer 2).
You must also configure the router, switch, or other link aggregation control protocol (LACP)-compatible device at the
other end of FortiWeb’s network cables to match, with identical:
l Link speed
l duplex/simplex setting
l ports that can be aggregated
This will allow the two devices to use the cables between those ports to form a trunk, not an accidental Layer 2 (link)
network loop. FortiWeb will use LACP to:
l detect suitable links between itself and the other device, and form a single logical link
l detect individual port failure so that the aggregate can redistribute queuing to avoid a failed port

To configure a link aggregate interface

1. Go to System > Network > Interface.

Name Type the name (such as agg) of this logical interface that can be referenced by
other parts of the configuration. The maximum length is 15 characters.

Tip: The name cannot be changed once you save the entry. For a workaround,
see Renaming entries on page 64.

Type Select 802.3ad Aggregate.

Lacp-rate Select the rate of transmission for the LACP frames (LACPUs) between
FortiWeb and the peer device at the other end of the trunking cables, either:

l SLOW —Every 30 seconds.

l FAST—Every 1 second.

Note: This must match the setting on the other device. If the rates do not
match, FortiWeb or the other device could mistakenly believe that the other’s
ports have failed, effectively disabling ports in the trunk.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 138

Algorithm Select the connectivity layers that will be considered when distributing frames
among the aggregated physical ports.

l layer2—Consider only the MAC address. This results in the most even
distribution of frames, but may be disruptive to TCP if packets frequently
arrive out of order.
l layer2_3—Consider both the MAC address and IP session. Queue frames
involving the same session to the same port. This results in slightly less
even distribution, and still does not guarantee perfectly ordered TCP
sessions, but does result in less jitter within the session.
l layer3_4—Consider both the IP session and TCP connection. Queue
frames involving the same session and connection to the same port.
Distribution is not even, but this does prevent TCP retransmissions
associated with link aggregation.

Addressing Mode Specify whether FortiWeb acquires an IPv4/IPv6 address for this aggregate
using DHCP.

IP/Netmask Type the IP address/subnet mask associated with the aggregate. The IP
address must be on the same subnet as the network to which the interface
connects. Two network interfaces cannot have IP addresses on the same
subnet.

Administrative Access Enable the types of administrative access that you want to permit to the
selected interfaces.

These options do not disable outgoing administrative connections, such as

update polling connections to the FDN or outgoing ICMP resulting from a CLI
command such as execute ping. Neither do they govern traffic destined for
a web server or virtual server, which are governed by policies. These options
only govern incoming connections destined for the appliance itself.

Caution: Enable only on network interfaces connected to trusted private

networks (defined in Trusted Host #1 on page 330, Trusted Host #2 on page
330, Trusted Host #3 on page 330) or directly to your management computer.
If possible, enable only secure administrative access protocols such as HTTPS
or SSH. Failure to restrict administrative access could compromise the security
of your FortiWeb appliance.

HTTPS Enable to allow secure HTTPS connections to the web UI through this network
interface. To configure the listening port number, see Global web UI & CLI
settings on page 59.

PING Enable to allow:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 139

It does not disable FortiWeb CLI commands such as execute ping or

execute traceroute that send such traffic.
HTTP Enable to allow HTTP connections to the web UI through this network
interface. To configure the listening port number, see Global web UI & CLI
settings on page 59.
The HTTP access to FortiWeb's GUI will be automatically redirected to
HTTPS, so you can't enable HTTP alone, it should be enabled along with
HTTPS.

SSH Enable to allow SSH connections to the CLI through this network interface.

SNMP Enable to allow SNMP queries to this network interface, if queries have been
configured and the sender is a configured SNMP manager. To configure the
listening port number and configure queries and traps, see SNMP traps &
queries on page 727.

FortiWeb Enable to allow FortiWeb Manager to connect to this appliance using this
Manager network interface.

4. Click OK.
Your new aggregate appears in the list of network interfaces.

To configure an IPv4link aggregate via the CLI

Enter the following commands:

config system interface
edit "aggregate"
set type agg
set status up
set intf <port_name> <port_name>
set algorithm {layer2 | layer2_3 | layer3_4}
set lacp-speed {fast | slow}
set mode {manual | dhcp}
set ip <address_ipv4> <netmask_ipv4mask>
next
end

where:
l <port_name> is the name of a physical network interface, such as port3
l <address_ipv4> is the IP address assigned to the network interface
l <netmask_ipv4mask> is its netmask in dotted decimal format
l {manual | dhcp} specifies how the network interface is addressed.
l {layer2 | layer2_3 | layer3_4} is a choice between the connectivity layers that will be considered when
distributing frames among the aggregated physical ports.
l {fast | slow} is a choice of the rate of transmission for the LACP frames (LACPUs) between FortiWeb and the
peer device at the other end of the trunking cables; this must match the LACP peer

See also

l To configure a network interface or bridge on page 124

l Configuring the network interfaces on page 126

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 140

l Configuring a bridge (V-zone) on page 133

l Adding a gateway on page 142

Configuring redundant interfaces

You can combine two or more interfaces in a redundant configuration to ensure connectivity in the event that one
physical interface or the equipment connected to that interface fails. Network traffic goes through only one interface at
any time, and the other interfaces act as backups in the event an interface fails. Redundant interfaces create redundant
connections between a FortiWeb configuration and the network, removing a potential single point of failure and further
increasing network reliability and connectivity.
When used in certain network configurations, such as a High Availability (HA) Active-Passive (AP) configuration, you can
create a fully meshed HA configuration that eliminates potential single points of failure. By default, HA configurations
connect to the network using a single switch, and this single piece of equipment remains a potential single point of
failure. When you configure redundant interfaces in an HA configuration, you eliminate the remaining potential single
point of failure between your FortiWeb configuration and the network.
An interface can be used in a redundant interface configuration if it:
l Is a physical interface and not a VLAN interface
l Does not have any VLAN subinterfaces
l Is not referenced in any V-zone interfaces
l Is not already part of an aggregated or redundant interface configuration
l Has no defined IP address (Manual or DHCP)
l Is not used in a server policy or virtual server configuration
l Is not used by a static route or policy route
l Is not monitored by an HA configuration
l Is not referenced in an HA Reserved Management Interface
l Is not referenced in an HA Heartbeat Interface
Interfaces in a redundant interface configuration are not listed in System > Network > Interface. You cannot further
configure or select redundant interfaces in other parts of the configuration.

To configure redundant interfaces via the web UI

1. Go to System > Network > Interface.

To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the Network Configuration category. For details, see Permissions on page 56.
2. Click Create New.
3. Enter a Name for the interface.
4. For Type, select Redundant Interface.
5. Select ports that you want to use in the configuration from the list of Available Interfaces and use the (arrow)
icon to move them to the Selected Interfaces list.
6. For Addressing mode:
Select Manual to enter an IPv4 address. If you select Manual, also configure the IPv4/Netmask option. Type the
IP address and subnet mask, separated by a forward slash ( / ), such as 192.0.2.2/24.
Select DHCP so that FortiWeb will acquire an IPv4 address using DHCP.
7. Optionally, for IPv6 Addressing mode:
Select Manual to enter an IPv6 address. If you select Manual, also configure the IPv6/Netmask option.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 141

Select DHCP so that FortiWeb will acquire an IPv6 address using DHCP.
8. For Administrative Access, select the types of administrative access that you want to permit to the selected
interfaces.

These options do not disable outgoing administrative connections, such as update polling connections to the FDN
or outgoing ICMP resulting from a CLI command such as execute ping. Neither do they govern traffic destined
for a web server or virtual server, which are governed by policies. These options only govern incoming
connections destined for the appliance itself.

Caution: Enable only on network interfaces connected to trusted private networks (defined in Trusted Host #1 on
page 330, Trusted Host #2 on page 330, Trusted Host #3 on page 330) or directly to your management computer.
If possible, enable only secure administrative access protocols such as HTTPS or SSH. Failure to restrict
administrative access could compromise the security of your FortiWeb appliance.

HTTPS Enable to allow secure HTTPS connections to the web UI through this network
interface. To configure the listening port number, see Global web UI & CLI settings on
page 59.

PING Enable to allow:

l ICMP type 8 (ECHO_REQUEST)
l UDP ports 33434 to 33534
for ping and traceroute to be received on this network interface. When it receives
an ECHO_REQUEST (“ping”), FortiWeb will reply with ICMP type 0 (ECHO_RESPONSE
or “pong”).
Note: Disabling PING only prevents FortiWeb from receiving ICMP type 8 (ECHO_
REQUEST) and traceroute-related UDP.
It does not disable FortiWeb CLI commands such as execute ping or execute
traceroute that send such traffic.
HTTP Enable to allow HTTP connections to the web UI through this network interface. To
configure the listening port number, see Global web UI & CLI settings on page 59. The
HTTP access to FortiWeb's GUI will be automatically redirected to HTTPS, so you can't
enable HTTP alone, it should be enabled along with HTTPS.

SSH Enable to allow SSH connections to the CLI through this network interface.

SNMP Enable to allow SNMP queries to this network interface, if queries have been configured
and the sender is a configured SNMP manager. To configure the listening port number
and configure queries and traps, see SNMP traps & queries on page 727.

FortiWeb Manager Enable to allow FortiWeb Manager to connect to this appliance using this network
interface.

9. Click OK.

To configure redundant interfaces via the CLI

Enter the following commands:

config system interface
edit <interface_name>
set type redundant
set intf {<port_name> ...}
set mode {static | dhcp}
set ip {interface_ipv4mask}

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 142

set ip6-mode {static | dhcp}

set ip6 {interface_ipv6mask}
next
end

where:
l <interface_name> is the name of the redundant interface configuration that you want to create
l intf {<port_name> ...} is each port that you want to include in the configuration
l mode {static | dhcp} specifies whether the interface obtains its IPv4 address and netmask using DHCP
l ip {interface_ipv4mask} is the IPv4 address assigned to the network interface if you use a static IP
l ip6-mode {static | dhcp} specifies whether the interface contains its IPv6 address using DHCP
l ip6 {interface_ipv6mask} is the IPv6 address assigned to the network interface if you use a static IP

Adding a gateway

Static routes direct traffic exiting the FortiWeb appliance based upon the packet’s destination—you can specify through
which network interface a packet leaves and the IP address of a next-hop router that is reachable from that network
interface. Routers are aware of which IP addresses are reachable through various network pathways and can forward
those packets along pathways capable of reaching the packets’ ultimate destinations. Your FortiWeb itself does not
need to know the full route, as long as the routers can pass along the packet.

True transparent and Transparent Inspection operation modes require that you
specify the gateway when configuring the operation mode. In that case, you have
already configured a static route. You do not need to repeat this step.

You must configure FortiWeb with at least one static route that points to a router, often a router that is the gateway to
the Internet. You may need to configure multiple static routes if you have multiple gateway routers (e.g. each of which
should receive packets destined for a different subset of IP addresses), redundant routers (e.g. redundant Internet/ISP
links), or other special routing cases.
However, often you will only need to configure one route: a default route.
For example, if a web server is directly attached to one physical port on the FortiWeb, but all other destinations, such as
connecting clients, are located on distant networks, such as the Internet, you might need to add only one route: a
default route that indicates the gateway router through which FortiWeb sends traffic towards the Internet.

If your management computer is not directly attached to one of the physical ports of
the FortiWeb appliance, you may also require a static route so that your
management computer is able to connect with the web UI and CLI.

When you add a static route through the web UI, the FortiWeb appliance evaluates the route to determine if it
represents a different route compared to any other route already present in the list of static routes. If no route having the
same destination exists in the list of static routes, the FortiWeb appliance adds the static route, using the next
unassigned route index number. The index number of the route in the list of static routes is not necessarily the same as
its position in the routing table (diagnose network route list).

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 143

You can also configure FortiWeb to route traffic to a specific network interface/gateway combination based on a
packet’s source and destination IP address, instead of the static route configuration. For details, see Creating a policy
route on page 146.

To add a static route via the web UI

1. Go to System > Network > Route and select the Static Route tab.

To access this part of the web UI, your administrator account’s access profile must have Read and Write
permission to items in the Router Configuration category. For details, see Permissions on page 56.
2. Click Create New.
3. Configure these settings:

Destination IP/Mask Type the destination IP address and network mask of packets that will
be subject to this static route, separated by a slash ( / ).

The value 0.0.0.0/0.0.0.0 or ::/0 results in a default route,

which matches the DST field in the IP header of all packets.

Gateway Type the IP address of the next-hop router where the FortiWeb
forwards packets subject to this static route. This router must know
how to route packets to the destination IP addresses that you have
specified in Destination IP/Mask on page 143, or forward packets to
another router with this information.

For a direct Internet connection, this is the router that forwards traffic
towards the Internet, and could belong to your ISP.

Caution: The gateway IP address must be in the same subnet as the

interface’s IP address. Failure to do so will cause FortiWeb to delete
all static routes, including the default gateway.

Interface Select the name of the network interface through which the packets
subject to the static route will egress towards the next-hop router.

Making a default route for your FortiWeb is a typical best practice: if there is no
other, more specific static route defined for a packet’s destination IP address, a
default route will match the packet, and pass it to a gateway router so that any
packet can reach its destination.

If you do not define a default route, and if there is a gap in your routes where no
route matches a packet’s destination IP address, packets passing through the
FortiWeb towards those IP addresses will, in effect, be null routed. While this
can help to ensure that unintentional traffic cannot leave your FortiWeb and
therefore can be a type of security measure, the result is that you must modify
your routes every time that a new valid destination is added to your network.
Otherwise, it will be unreachable. A default route ensures that this kind of locally-
caused “destination unreachable” problem does not occur.

4. Click OK.
The FortiWeb appliance should now be reachable to connections with networks indicated by the mask.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 144

5. To verify connectivity, from a host on the route’s destination network, attempt to connect to the FortiWeb
appliance’s web UI via HTTP and/or HTTPS. (At this point in the installation, you have not yet configured a policy,
and therefore, if in Reverse Proxy mode, cannot test connectivity through the FortiWeb.)

By default, in Reverse Proxy mode, FortiWeb’s virtual servers will not forward non-
HTTP/HTTPS traffic to your protected web servers. (Only traffic picked up and
allowed by the HTTP Reverse Proxy will be forwarded.) You may be able to provide
connectivity by either deploying in a one-arm topology where other protocols bypass
FortiWeb, or by enabling FortiWeb to route other protocols. See also Topology for
Reverse Proxy mode on page 74 and the config router setting command
in the FortiWeb CLI Reference.

If the connectivity test fails, you can use the CLI commands:
execute ping <destination_ip4>

to determine if a complete route exists from the FortiWeb to the host, and
execute traceroute <destination_ipv4>

to determine the point of connectivity failure.

Also enable PING on page 127 on the FortiWeb’s network interface, or configure an IP address on the bridge, then use
the equivalent tracert or traceroute command on the host (depending on its operating system) to test routability
for traffic traveling in the opposite direction: from the host to the FortiWeb.
l If these tests fail, or if you do not want to enable PING on page 127, first examine the static route configuration on
both the host and FortiWeb.

To display the routing table, enter the CLI command:

diagnose network route list

You may also need to verify that the physical cabling is reliable and not loose or broken, that there are no IP
address or MAC address conflicts or blacklisting, and otherwise rule out problems at the physical, network, and
transport layer.
l If these tests succeed, a route exists, but you cannot connect using HTTP or HTTPS, an application-layer problem
is preventing connectivity.

Verify that you have enabled HTTPS on page 127 and/or HTTP on page 128 on the network interface. Also
examine routers and firewalls between the host and the FortiWeb appliance to verify that they permit HTTP and/or
HTTPS connectivity between them. Finally, you can also use the CLI command:

diagnose system top 5 30

to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpsd are running and not
overburdened. For details, see the FortiWeb CLI Reference:

http://docs.fortinet.com/fortiweb/reference

To add a default route via the CLI

1. Enter the following commands:

config router static
edit <route_index>

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 145

set gateway <gateway_ipv4>

set device <interface_name>
end
where:
l <route_index> is the index number of the route in the list of static routes
l <gateway_ipv4> is the IP address of the gateway router
l<interface_name> is the name of the network interface through which packets will egress, such as port1
The FortiWeb appliance should now be reachable to connections with networks indicated by the mask.
2. To verify connectivity, from a host on the network applicable to the route, attempt to connect to the FortiWeb
appliance’s web UI via HTTP and/or HTTPS. (At this point in the installation, you have not yet configured a policy,
and therefore, if in Reverse Proxy mode, cannot test connectivity through the FortiWeb.)

If the connectivity test fails, you can use the CLI commands:
execute ping

to determine if a complete route exists from the FortiWeb to the host, and
execute traceroute

to determine the point of connectivity failure. For details, see the FortiWeb CLI Reference
(http://docs.fortinet.com/fortiweb/reference). Also enable ping on the FortiWeb (see To configure a network
interface’s IPv4 address via the CLI on page 129), then use the equivalent tracert or traceroute command on the
host (depending on its operating system) to test routability for traffic traveling in the opposite direction: from the host to
the FortiWeb.
l If these tests fail, or if you do not want to enable PING on page 127, first examine the static route configuration on
both the host and FortiWeb.

To display all routes with their priorities, enter the CLI command:

diagnose network route list

Verify that you have enabled http and/or http on the network interface (To configure a network interface’s IPv4
address via the CLI on page 129). Also examine routers and firewalls between the host and the FortiWeb appliance
to verify that they permit HTTP and/or HTTPS connectivity between them. Finally, you can also use the CLI
command:

diagnose system top 5 30

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 146

to verify that the daemons for the web UI and CLI, such as sshd, newcli, and httpsd are running and not
overburdened. For details, see the FortiWeb CLI Reference (http://docs.fortinet.com/fortiweb/reference).

See also

l Creating a policy route on page 146

l Routing based on HTTP content on page 180
l Configuring the network interfaces on page 126
l Configuring a bridge (V-zone) on page 133
l Configuring DNS settings on page 150
l IPv6 support on page 33

Creating a policy route

In most cases, you use policy routes in Reverse Proxy mode. In this mode, requests are destined for a virtual server’s
network interface and IP address on FortiWeb, not a web server directly. When FortiWeb sends response package to
the client who initiated the request, the souce IP in the response package is the virtual server's IP address, not the web
server's IP address. In the following paragraphs, we will introduce how to use policy route to direct the traffic to different
next-hop gateways based on the souce IP in the response package.

The difference between static route and policy route

As introduced in the previous section, static route forwards the outgoing traffic based on the destination IP, and it is
usually used when there is only one gateway connected with FortiWeb to forward FortiWeb's outgoing traffic to any
destination. But, what if there are multiple gateways, and FortiWeb's outgoing traffic to any destionation should be
forwarded to different gateways?
The most common case is that multiple gateways are installed to forward clients' requests from networks operated by
different ISPs, let's say ISP1 and ISP2. When FortiWeb sends back the response package, there must be a rule telling
FortiWeb to send it to the right gateway so that the package destined to ISP1's network will not be sent to the gateway
connecting with ISP2. For this case, using static route is not the right choice, because static route distinguishes the
next-hop gateways based on the package's destination IP, but the destionation IP inside each ISP could be any.
Policy route is pecfectly suitable to solve this issue (usually called the Asymmetric Routing Issue). The best practice is to
create two virtual servers on FortiWeb to receive and send packages, and then create policy routes to forward the
response packages to the right next-hop router based on source IPs (the virtual servers' IP addresses).

Using policy route to divert traffic based on source IPs

We will use the following network topology as an example to illutrate how to use policy routes to divert traffic based on
the source IP in the response package.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 147

Client
Gateway2
2.2.2.254

vserver2 on port2
2.2.2.1/24
Web
Server
vserver1
default gateway
Client on port1 FortiWeb
1.1.1.254
1.1.1.1/24

To direct FortiWeb's outgoing traffic to the default gateway (1.1.1.254) and gateway2 (2.2.2.254):
l Configure the following policy route so that the package with source IP 2.2.2.1/24 will exit FortiWeb through port2
to the next-hop gateway whose IP address is 2.2.2.254.
Make sure not to select the incoming interface, because in Reverse Proxy mode FortiWeb does not carry the
incoming interface information in the outgoing package.

l Configure the following static route so that all the other traffic which doesn't match the conditions specified in the
policy route will be forwarded to the default gateway whose IP address is 1.1.1.254.

Policy route has higher priority than the static route. In this example, the package exiting FortiWeb with source IP
2.2.2.1 matches both the static route and policy route, but the system only applies policy route to the package because
policy route has higher priority.

In this case, the source IPs in the outgoing package are either 2.2.2.1 or 1.1.1.1, so,
instead of configuring a static route, you can alternatively configure another policy
route specifying the Source address as 1.1.1.1/24, the Outgoing Interface as
port1, and Gateway Address as 1.1.1.254.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 148

Using policy route and the ip-forward command to configure FortiWeb as a router

In Reverse Proxy mode, policy route can also be used together with the ip-forward command to configure FortiWeb as a
router to forward the non-HTTP/HTTPS traffic to back-end servers. The non-HTTP/HTTPS traffic is handled in the
following ways:
l Any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.
l For any non-HTTP/HTTPS traffic destined for another destination (for example, a back-end server), FortiWeb acts
as a router and forwards it to its destination address. The incoming and outgoing interfaces configured in the policy
routes are used to forward the non-HTTP/HTTPS traffic.
For example, you can create a policy route with the following settings so that all the traffic from the incoming interface
port4 will exit FortiWeb through the outgoing interface port1.

Then, connect to FortiWeb's CLI and run the following command to enable ip-forward:
config router setting
set ip-forward enable
set ip6-forward enable
end

To create a policy route

1. Go to System > Network > Route and select Policy Route tab.

2. Complete the following settings:

If traffic matches:

Incoming Interface Select the interface on which FortiWeb receives packets it applies this routing
policy to.

Source address/mask Enter the source IP address and network mask to match.
(IPv4/IPv6)
When a packet matches the specified address, FortiWeb routes it according to
this policy.

Destination address/mask Enter the destination IP address and network mask to match.
(IPv4/IPv6)
When a packet matches the specified address, FortiWeb routes it according to
this policy.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 149

Fwmark Enter the Fwmark value specified in Firewall Fwmark Policy. If you don't
need to match traffic against the Fwmark value, enter value 0.
The valid range is 0-255.

Force traffic to:

Action Forward Traffic: FortiWeb filters traffic against the specified conditions and
forwards the traffic to this policy route.
Stop Policy Routing: FortiWeb filters traffic against the specified conditions
and forwards the traffic according to the matched static route.

Outgoing Interface Select the interface through which FortiWeb routes packets that match the
specified IP address information.

Gateway Address (IPv4/IPv6) Enter the IP address of the next-hop router where FortiWeb forwards packets
that match the specified IP address information.

Ensure this router knows how to route packets to the destination IP address or
forwards packets to another router with this information.

A gateway address is not required for the particular routing policies used as
static routes in an one-arm topology. Please leave this blank for one-arm
topology.

Priority Enter a value between 1 and 200 that specifies the priority of the route. When
packets match more than one policy route, FortiWeb directs traffic to the route
with the lowest value.

3. Click OK.

Notice for using policy route in an one-arm topology

Since FortiWeb's policy route has higher priority than static route (any packet will be evaluated against policy routes first,
then static routes), when a FortiWeb is deployed in a one-arm topology (see Planning the network topology on page 66)
and any policy route is configured for the FortiWeb to access to other networks, you are strongly recommended to add
particular policy routes with higher priority for the static routing within the connected network subnets.
A policy route might be set for updating the signature and virus databases through the Internet. In this example, packets
that FortiWeb forwards for Reverse Proxy mode within subnet 192.0.2.0/24 might match the policy route first rather
than the static route, and so that the packets might be directed to incorrect path (which result in a failed Reverse Proxy).
Therefore, no matter what the configurations you have for the policy routes, we strongly suggest an extra policy route
being set (for this example) like
Destination address/mask = 192.0.2.0/24
Outgoing Interface = port3
Priority = 10

Configuration of the particular policy route is a static route for choosing port 3 as the path to forward packets destined to
subnet 192.0.2.0/24. To make sure all the packets are evaluated against the particular policy routes before other normal
policy routes, those particular policy routes must be assigned a higher (or the highest) priority than other policy routes'.
This particular policy route, with a higher (or the highest) priority and no gateway being specified, essentially reverses
the fact that policy routes have higher priority than static routes.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 150

See also

l Adding a gateway on page 142

Configuring DNS settings

Like many other types of network devices, FortiWeb appliances require connectivity to DNS servers for DNS lookups.
Your Internet service provider (ISP) may supply IP addresses of DNS servers, or you may want to use the IP addresses
of your own DNS servers. You must provide unicast, non-local addresses for your DNS servers. Local host and broadcast
addresses will not be accepted.
You can choose to manually enter IP addresses for the DNS or enable DHCP mode in Network > Interface >
Addressing mode to allow automatically obtaining DNS IP addresses from DHCP server. See Configuring the network
settings for the addressing mode setting.

Incorrect DNS settings or unreliable DNS connectivity can cause issues with other
features, including FortiGuard services and NTP system time.

To manually configure DNS settings via the web UI

1. Go to System > Network > DNS.

To change settings in this part of the web UI, your administrator's account access profile must have Write
permission to items in the Network Configuration category. For details, see Permissions on page 56.
2. In Primary DNS Server, type the IP address of the primary DNS server.
3. In Secondary DNS Server, type the IP address of the secondary DNS server.
4. In Local Domain Name, type the name of the local domain to which the FortiWeb appliance belongs, if any.
This field is optional. It will not appear in the Host: field of HTTP headers for client connections to your protected
web servers.
5. Click Apply.
The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as
for NTP system time, FortiGuard services, or web servers defined by their domain names (“domain servers”).
6. To verify your DNS settings, in the CLI, enter the following commands:
execute traceroute <server_fqdn>
where <server_fqdn> is a domain name such as www.example.com.

DNS tests may not succeed until you have completed Adding a gateway on page
142.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 151

...
16 43-10.any.icann.org (192.0.43.10) 57.243 ms 57.146 ms 57.001 ms
If the DNS query fails, you will see an error message such as:
traceroute: unknown host www.example.com
CFG_CLI_INTERNAL_ERR
Verify your DNS server IPs, routing, and that your firewalls or routers do not block or proxy UDP port 53.

To configure DNS settings via the CLI

1. Enter the following commands:

config system dns
set primary <address_ipv4>
set secondary <address_ipv4>
set domain <local-domain_str>
end
where:
<address_ipv4> is the IP address of a DNS server
<local-domain_str> is the name of the local domain to which the FortiWeb appliance belongs, if any
The local domain name is optional. It will not appear in the Host: field of HTTP headers for connections to
protected web servers.
The appliance will query the DNS servers whenever it needs to resolve a domain name into an IP address, such as
for NTP or web servers defined by their domain names (“domain servers”).
2. To verify your DNS settings, in the CLI, enter the following commands:
execute traceroute <server_fqdn>
where <server_fqdn> is a domain name such as www.example.com.

DNS tests may not succeed until you have completed Adding a gateway on page
142.

If the DNS query for the domain name succeeds, you should see results that indicate that the host name resolved
into an IP address, and the route from FortiWeb to that IP address:
traceroute to www.example.com (192.0.43.10), 30 hops max, 60 byte packets
1 172.20.130.2 (172.20.130.2) 0.426 ms 0.238 ms 0.374 ms
2 static-209-87-254-221.storm.ca (209.87.254.221) 2.223 ms 2.491 ms 2.552 ms
3 core-g0-0-1105.storm.ca (209.87.239.161) 3.079 ms 3.334 ms 3.357 ms
...
16 43-10.any.icann.org (192.0.43.10) 57.243 ms 57.146 ms 57.001 ms
If the DNS query fails, you will see an error message such as:
traceroute: unknown host www.example.com
CFG_CLI_INTERNAL_ERR
Verify your DNS server IPs, routing, and that your firewalls or routers do not block or proxy UDP port 53.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 152

See also

l Configuring the network interfaces on page 126

l Configuring a bridge (V-zone) on page 133
l Adding a gateway on page 142

Configuring HA settings specifically for active-passive and standard

active-active modes

In addition to the basic settings, you can set the following configurations as desired for active-passive HA group and
standard active-active HA group. For Load-balancing algorithm and HA Health Check, you only need to configure them
on the master node because they can be synchronized to all the members in the HA group.

Settings active-passive HA standard active-active HA

HA Static Route Yes Yes

HA Policy Route Yes Yes

load-balancing algorithm No Yes

HA Health Check No Yes

HA Static Route and Policy Route

Unlike the Static Route and Policy Route in System > Network > Route which are synchronized to all the HA
members, the configurations in HA Static Route or HA Policy route are applied only to this specific member.
This is useful when you want to set a next-hop gateway that is used only for this member and not shared by the HA
group. The Reserved Management Interface on page 110 is typically used together with this feature.
The parameters in this feature are the same with the ones in Static Route and Policy Route in System > Network >
Route, so we will not elaborate on the parameter descriptions here. For detailed information on the parameters, refer to
Adding a gateway and Creating a policy route

Only one default route (the static route with destination as 0.0.0.0/0) is allowed on FortiWeb
appliance. For example, if you have configured a default route in System > Network >
Route, then it's not allowed to configure another default route in HA route settings.

Load-balancing algorithm

you might want to change the load-balancing algorithm for a standard active-active HA group. You can change the
algorithm by configuring set schedule {ip | leastconnection | round-robin} in CLI command
config system ha. For details, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 153

Note:FortiWeb's Configuring a protection profile for inline topologies on page 223 is not supported in a standard Active-
Active HA deployment when the algorithm By connections or Round-robin is used for the load-balancing.

HA Health Check

Server policy health check is only available if the operation mode is Reverse Proxy, and the HA mode is Standard
Active-Active.
To check whether the server policies are running properly on the HA group, you can configure server policy heath check.
The configurations are synchronized to all members in the group. The system sends an HTTP or HTTPS request, and
waits for a response that matches the values required by the health check rule. A timeout indicates that the connection
between the HA group member and the back-end server is not available. The system then generates event logs.
You should first enable the HA Health Check option on the HA tab in System > High Availability > Settings, then
configure a health check on the HA Health Check tab.
FortiWeb only supports checking the health of server policies in the root administrative domain.

To configure an HA Health Check

1. Go to System > High Availability > Settings > HA Health Check.

To access this part of the web UI, your administrator’s account access profile must have Read and Write
permission to items in the System Configuration category. For details, see Permissions on page 56.
2. Click Create New to create a health check.
3. Configure these settings:

Server policy Select the server policy for which you want to run health check.

HTTPS Enable to use the HTTPS protocol for the health check connections with the
back-end server. The systems uses HTTP protocol if this option is disabled.

Client Certificate If HTTPS is enabled, you can select a Client Certificate for the connection.
This is optional.
The Client Certificate is imported in System > Certificates > Local.

Relationship l And—FortiWeb considers the server policy to be responsive when it

passes all the tests in the list.
l Or—FortiWeb considers the server policy to be responsive when it
passes at least one of the tests in the list.

4. Click OK.
5. In the rule list, do one of the following:
l To add a rule, click Create New.
l To modify a rule, select it and click Edit.
6. Configure these settings:

URL Path Type the URL that the HTTP or HTTPS request uses to verify the
responsiveness of the server (for example, /index.html).
If the web server successfully returns this URL, and its content matches your
expression in Matched Content on page 154, it is considered to be responsive.
The maximum length is 127 characters.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 154

Interval Type the number of seconds between each server health check.
Valid values are 1 to 300. Default value is 10.

Timeout Type the maximum number of seconds that can pass after the server health
check. If the web server exceeds this limit, it will indicate a failed health check.
Valid values are 1 to 30. Default value is 3.

Retry Times Type the number of times, if any, that FortiWeb retries a server health check
after failure. If the web server fails the server health check this number of
times consecutively, it is considered to be unresponsive.
Valid values are 1 to 10. Default value is 3.

Method Specify whether the health check uses the HEAD, GET, or POST method.

Match Type l Response Code—If the web server successfully returns the URL
specified by URL Path on page 153 and the code specified by Response
Code on page 154, FortiWeb considers the server to be responsive.
l Matched Content—If the web server successfully returns the URL
specified by URL Path on page 153 and its content matches the Matched
Content on page 154 value, FortiWeb considers the server to be
responsive.
l All — If the web server successfully returns the URL specified by URL
Path on page 153 and its content matches the Matched Content on page
154 value, and the code specified by Response Code on page 154,
FortiWeb considers the server to be responsive.
Available only if Configuring HA settings specifically for active-passive and
standard active-active modes on page 152 is HTTP or HTTPS.

Matched Content Enter one of the following values:

l The exact reply that indicates that the server is available.
l A regular expression that matches the required reply.
This value prevents the test from falsely indicating that the server is available
when it has actually replied with an error page, such as the one produced by
Tomcat when a JSP application is not available.
To create and test a regular expression, click the >> (test) icon. This opens a
Regular Expression Validator window where you can fine-tune the
expression. For details, see Regular expression syntax on page 880
Available only if Match Type on page 154 is All or Matched Content.

Response Code Enter the response code that you require the server to return in order to
confirm its availability.
Available only if Match Type on page 154 is All or Response Code.

7. Click OK to save the settings and close the rule.

8. Add any additional tests you want to include in the health check by adding additional rules.
9. Click OK to save and close the health check.
10. The HA Health Check starts running.
11. In Log&Report > Log Access > Event, use the Action: check-reource filter to check all the event logs of HA
Health Check.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 155

Configuring HA settings specifically for high volume active-active

mode

In addition to the basic settings, you need to specify the HA members and set traffic distributions for the high volume
active-active mode. You only need to set the following configurations on the master node. They can be automatically
synchronized to all the HA members. For how to find the master node, see this topic.

Allocating nodes

After the basic settings are done, all the members with the same group ID should join in the HA group. In the Available
Nodes list on the Node Allocation page, all the HA members are listed.
Perform the following steps to allocate nodes to the HA group.
1. Go to System > High Availability > Settings.
To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the System Configurationcategory. For details, see Permissions on page 56.
2. Select the Node Allocation tab.
3. In the Available Nodes list, select one or more members which you want to add in the cluster, then click the right
arrow to move them to the Cluster Members list.
4. Click Apply.
The selected nodes are allocated to the HA group.

Creating traffic distribution

The domain name of your application is paired with one or more IP addresses. These IP addresses are called Virtual IPs
in FortiWeb. When your users visit your application, the destination of these requests are these virtual IP addresses. If
you have deployed a FortiWeb HA cluster in your network, these requests will arrive first at FortiWeb cluster for threat
detection, then be forwarded to the back-end servers. The traffic distribution controls which FortiWeb appliances in the
cluster process the traffic destined to certain virtual IPs.
To configure the traffic distribution, you must have already created virtual IPs in System > Network > Virtual IP. See
Configuring virtual IP on page 136.
Perform the following steps to map the virtual IPs to the FortiWeb appliances in a HA cluster:
1. Go to System > High Availability > Settings.
To access this part of the web UI, your administrator's account access profile must have Read and Write
permission to items in the System Configurationcategory. For details, see Permissions on page 56.
2. Select the Traffic Distribution tab.
3. Enter a name for the traffic distribution.
4. Click the VIP list field. The Select Entries pane will appear at the right side of the window.
5. Click one or more VIPs that you want to assign to a cluster member. The selected VIPs will appear in the VIP list
field.
6. In the Add HA member field, drag the cluster members from the right to the left. Only the appliance ranks the first
will be the active node to receive traffic destined to the selected VIP(s). When the active node is down, the
appliance lists the next will take over the traffic. You can select the appliance and drag it to change its rank.

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 156

The cluster mode is much more flexible than the active-active and active-passive mode. With different combinations of
the VIP and the appliance, you can form more complicated HA topologies.

Example 1

If there are four VIPs and four appliances, you can set two appliances as active nodes, each of them receiving traffic
destined to two VIPs, while the other appliances acting as backups.
The configures can be as follows. In this example, node ID 1 and node ID 3 are the active nodes to process traffic, while
Node ID 2 and Node ID 4 are their back-ups.
Traffic distribution 1:

Traffic distribution 2:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 157

Example 2

If there are four VIPs and four appliances, you can set all the four nodes as active one, each receiving traffic destined to
one VIP.
The configures can be as follows. In this example, each appliance acts as active node to process traffic to an unique
VIP. If one node fails, other nodes will take over the traffic by order or the traffic distribution list.
Traffic distribution 1:

Traffic distribution 2:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 158

Traffic distribution 3:

Traffic distribution 4:

FortiWeb Administration Guide Fortinet Technologies Inc.

How to set up your FortiWeb 159

FortiWeb Administration Guide Fortinet Technologies Inc.

160

Defining your web servers & load balancers

To apply policies correctly and log events accurately, it's important that FortiWeb is aware of certain other points on your
network.
To scan traffic for your web servers, FortiWeb must know which IP addresses and HTTP Host: names to protect. If
there are proxies and load balancers in the network stream between your client and your FortiWeb, you will also want to
define them. Likewise, if your web servers have features that operate using the source IP address of a client, you may
also need to configure FortiWeb to pass that information to your web servers.
Without these definitions, FortiWeb will not know many things, such as requests are for invalid host names, which
source IP addresses are external load balancers instead of clients, and which headers it should use to transmit the
client’s original source IP address to your web servers. This can cause problems with logging, reports, other FortiWeb
features, and server-side features that require the client’s IP address.

Protected web servers vs. allowed/protected host names

If you have virtual hosts on your web server, multiple websites with different domain names (for example,
example.com, example.co.uk, example.ru, example.edu) can coexist on the same physical computer with a single web
server daemon. The computer can have a single IP address, with multiple DNS names resolving to its IP address, or the
computer can have multiple IP addresses and multiple NICs, with different sets of domain names resolving to separate
NICs.
Just as there can be multiple host names per web server, there can also be the inverse: multiple web servers per host
name. (For example, for distributed computing clusters and server farms.)
When configuring FortiWeb, a web server is a single IP at the network layer, but a protected host group should contain
all network IPs, virtual IPs, and domain names that clients use to access the web server at the HTTP layer.
For example, clients often access a web server via a public network such as the Internet. Therefore, the protected host
group contains public domain names, IP addresses and virtual IPs on a network edge router or firewall, such as:
l www.example.com and
l www.example.co.uk and
l example.de
But the physical or domain server is only the IP address or domain name that the FortiWeb appliance uses to forward
traffic to the server and, therefore, is often a private network address (unless the FortiWeb appliance is operating in
Offline Protection or either of the transparent modes):
l 192.168.1.10 or
l example.local

Defining your protected/allowed HTTP “Host:” header names

A protected host group (also called “allowed hosts” or “protected host names”, depending on how the host name is used
in each context) defines one or more IP addresses or fully qualified domain names (FQDNs). Each entry in the group

FortiWeb Administration Guide Fortinet Technologies Inc.

161

defines a virtual or real web host, according to the Host: field in the HTTP header of requests. You can use these
entries to determine which host names:
l FortiWeb allows in requests, and/or
l FortiWeb applies scans or other features to
For example, if your FortiWeb receives requests with HTTP headers, such as:
GET /index.php HTTP/1.1
Host: www.example.com
you might define a protected host group with an entry of www.example.com and select it in Protected Hostnames on
page 246 in the policy. This would block requests that are not for that host.

A protected host names group is usually not the same as a back-end web server.
For details, see Protected web servers vs. allowed/protected host names on page
160.

You use protected host names in a server policy to restrict requests to specific
hostnames. If you want to specify specific hosts to apply a policy to, use the HTTP
content routing feature. For details, see Routing based on HTTP content on page
180.

Used differently, you might select the www.example.com entry in Host when defining requests where the parameters
should be validated. This would apply protection only for that host.
Unlike a web server, which is a single IP at the network layer, a protected host group should contain all network IPs,
virtual IPs (VIP), and domain names that clients use to access the web server at the HTTP layer.
For example, clients often access a web server via a public network such as the Internet. Therefore, the protected host
group contains public domain names, IP addresses and virtual IPs on a network edge router or firewall, such as:
l www.example.com and
l www.example.co.uk and
l example.de
But in Reverse Proxy mode, the physical or domain server is the IP address or domain name that the FortiWeb
appliance uses to forward traffic to the back-end web server behind the NAT and, therefore, is often a private network
address:
l 192.168.1.10 or
l example.local
As another example, for entry level or virtualized web hosting, many Apache virtual hosts:
l business.example.cn
l university.example.cn
l province.example.cn
may exist on one or more back-end web servers which each have one or more network adapters, each with one or more
private network IP addresses that are hidden behind a Reverse Proxy FortiWeb:
l 172.16.1.5
l 172.16.1.6
l 172.16.1.7

FortiWeb Administration Guide Fortinet Technologies Inc.

162

The virtual hosts would be added to the list of FortiWeb’s protected host names, while the network adapters’ IP
addresses would be added to the list of physical servers.

To configure a protected host group

1. Go to Server Objects > Protected Hostnames.

To access this part of the web UI, your administrator’s account access profile must have Read and Write
permission to items in the Server Policy Configuration category. For details, see Permissions on page 56.
2. Click Create New.
3. In Name, type a name that can be referenced by other parts of the configuration. The maximum length is 63
characters.
4. From the Default Action drop-down menu, select whether to Accept, Deny, or Deny (no log) HTTP requests
that do not match any of the host definitions in this protected host group. In For Action, select whether to Accept,
Deny, or Deny (no log) HTTP requests whose Host: field matches this Host entry. on page 162, you can override
this default for specific hosts.
For example, let’s say that you have 10 web hosts protected by FortiWeb. You want to allow 8 and block 2. To do
this, first set Default Action to Accept. Then in For Action, select whether to Accept, Deny, or Deny (no log)
HTTP requests whose Host: field matches this Host entry. on page 162, you will create 2 entries for the host names
that you want to block, and in their Action, select Deny.
5. Click OK.
6. To treat one or more hosts differently than indicated in Default Action, click Create New.
7. For , enter the IP address or FQDN of a real or virtual host, according to the Host: field in HTTP requests.
If clients connect to your web servers through the IP address of a virtual server on the FortiWeb appliance, this
should be the IP address of that virtual server or any domain name to which it resolves, not the IP address of the
protected web server.
For example, if a virtual server 10.0.2.1/24 forwards traffic to the physical server 192.0.2.1, for protected host
names, you would enter:
l 10.0.2.1, the address of the virtual server
l www.example.com, the domain name that resolves to the virtual server
Your entry must match the whole host name exactly. Wild cards such as *.example.com are not supported. If
you require wild card host name matches, use HTTP Host: header access control rules instead. For details, see
Combination access control & rate limiting on page 437.
8. For Action, select whether to Accept, Deny, or Deny (no log) HTTP requests whose Host: field matches this
Host entry.
9. Click OK.
10. Repeat the previous steps for each host that you want to add to the protected host group.
11. To apply a protected host group, select it in a server policy (see Configuring an HTTP server policy on page 242).
Policies use protected host definitions to block connections that are not destined for a protected host. If you do not
select a protected host group in a server policy, and you do not configure a combination access control rule with an
HTTP Host: condition either, FortiWeb accepts or blocks connections regardless of the Host: field.

See also

l IPv6 support on page 33

l HTTP pipelining on page 254

FortiWeb Administration Guide Fortinet Technologies Inc.

163

Defining your web servers

To specify your back-end web servers, you must define a server pool. Pools contain one or more members that you
specify using either their IP addresses or DNS domain names. FortiWeb protects these web servers and they are the
recipients of traffic that is forwarded or allowed to pass through to by FortiWeb.

You can also define web servers to be FortiWeb’s virtual servers. This chains
multiple policies together, which may be useful in more complex traffic routing or
rewriting situations.

See also

l Enabling or disabling traffic forwarding to your servers on page 200

l HTTP pipelining on page 254
l Predefined services on page 198
l Defining your network services on page 198
l Configuring an HTTP server policy on page 242

Configuring server up/down checks

Tests for server availability (called “server health checks” in the web UI) poll web servers that are members of a server
pool to determine their responsiveness before forwarding traffic. FortiWeb can check server health using the following
methods:
l TCP
l ICMP ECHO_REQUEST (ping)
l TCP Half Open
l TCP SSL
l HTTP/2
l HTTPS
l HTTP
FortiWeb polls the server at the frequency set in the Interval on page 165 option. If the appliance does not receive a
reply within the timeout period, and you have configured the health check to retry, it attempts a health check again;
otherwise, the server is deemed unresponsive. The FortiWeb appliance reacts to unresponsive servers by disabling
traffic to that server until it becomes responsive.
If all members of the pool are unresponsive and you have configured one or more members to be backup servers,
FortiWeb sends traffic to a backup server.

If a web server will be unavailable for a long period, such as when a server is
undergoing hardware repair, it is experiencing extended down time, or when you
have removed a server from the server pool, you may improve the performance of
your FortiWeb appliance by disabling connectivity to the web server, rather than
allowing the server health check to continue to check for responsiveness. For
details, see Enabling or disabling traffic forwarding to your servers on page 200.

FortiWeb Administration Guide Fortinet Technologies Inc.

164

You can create a health check, use one of the predefined health checks, or clone one of the predefined health checks to
use as a starting point for a custom health check. You cannot modify the predefined health checks.
To simplify health check creation, FortiWeb provides predefined health checks for each of the available protocols. Each
predefined health check contains a single rule that specifies one of the available protocols. For example, instead of
creating a health check that uses ICMP, you can apply HLTHCK_IMCP.
HLTHCK_HTTP and HLTHCK_HTTPS health checks test server responsiveness using the HEAD method and listening
for the response code 200.
Your health check can use more than protocol to check server responsiveness. You can specify that a server is available
if it passes a single test in the list of tests or only if it passes all the tests.
To view the status currently detected by server health checks, use the Policy Status dashboard. For details, see Policy
Status dashboard on page 696.

To configure a server health check

1. Before configuring a server health check, if it requires a trigger, configure the trigger. For details, see Viewing log
messages on page 718.
2. Go to Server Objects > Server > Health Check.
To access this part of the web UI, your administrator’s account access profile must have Read and Write
permission to items in the Server Policy Configuration category. For details, see Permissions on page 56.
3. Do one of the following:
l To create a health check, click Create New.
lTo create a health check based on a predefined health check, select a predefined health check, click Clone,
and then enter a name for the new health check.
4. Configure these settings:

Name Type a unique name that can be referenced in other parts of the configuration.
The maximum length is 63 characters.
Note: The name cannot be changed after this part of the configuration is
saved. To rename a part of the configuration, clone it, select it in all parts of
the configuration that reference the old name, then delete the item with the
old name.

Relationship l And—FortiWeb considers the server to be responsive when it passes all

the tests in the list.
l Or—FortiWeb considers the server to be responsive when it passes at
least one of the tests in the list.

Trigger Policy Select the name of a trigger, if any, that will be used to log or notify an
administrator if a server becomes unresponsive.

5. Click OK.
6. In the rule list, do one of the following:
l To add a rule, click Create New.
l To modify a rule, select it and click Edit.
7. Configure these settings:

Type Select the protocol that the server health check uses to contact the server.

FortiWeb Administration Guide Fortinet Technologies Inc.

165

l ICMP—Send ICMP type 8 (ECHO_REQUEST or “ping”) and listen for

either ICMP type 0 (ECHO_RESPONSE or “pong”) indicating
responsiveness, or timeout indicating that the host is not responsive.
l TCP—Send TCP SYN and listen for either TCP SYN ACK indicating
responsiveness, or timeout indicating that the host is not responsive. If
the response is SYN ACK, send TCP ACK to complete the three-way
handshake.
l TCP Half Open—Send TCP SYN and listen for either TCP SYN ACK
indicating responsiveness, or timeout indicating that the host is not
responsive. If the response is SYN ACK, send TCP RST to terminate
the connection. This type of health check requires fewer resources from
the pool member than TCP.
l TCP SSL—Send an HTTPS request. FortiWeb considers the host to be
responsive if the SSL handshake is successful, and closes the connection
once the handshake is complete. This type of health check requires fewer
resources than HTTP/HTTPS.
l HTTP—Send an HTTP or HTTPS request, depending on the real server
type, and listen for a response that matches the values required by the
specified Matched Content or a timeout that indicates that the host is
not responsive.
The protocol to use depends on whether you enable SSL for that server in
the server pool. Contact occurs on the protocol and port number specified
for that web server in the server pool.

URL Path Type the URL that the HTTP or HTTPS request uses to verify the
responsiveness of the server (for example, /index.html).
If the web server successfully returns this URL, and its content matches your
expression in Matched Content on page 166, it is considered to be responsive.
Available only if Type on page 164 is HTTP or HTTPS. The maximum length
is 127 characters.

Interval Type the number of seconds between each server health check.
Valid values are 1 to 300. Default value is 10.

Method Specify whether the health check uses the HEAD, GET, or POST method.
Available only if Type on page 164 is HTTP or HTTPS.

Match Type l Matched Content—If the web server successfully returns the URL
specified by URL Path on page 165 and its content matches the Matched
Content on page 166 value, FortiWeb considers the server to be
responsive.

FortiWeb Administration Guide Fortinet Technologies Inc.

166

l Response Code—If the web server successfully returns the URL

specified by URL Path on page 165 and the code specified by Response
Code on page 166, FortiWeb considers the server to be responsive.
l All — If the web server successfully returns the URL specified by URL
Path on page 165 and its content matches the Matched Content on page
166 value, and the code specified by Response Code on page 166,
FortiWeb considers the server to be responsive.
Available only if Type on page 164 is HTTP or HTTPS.

Matched Content Enter one of the following values:

Response Code Enter the response code that you require the server to return to confirm that it
is available.
Available only if Type on page 164 is HTTP or HTTPS and Match Type on
page 165 is All or Matched Content.

8. Click OK to save the settings and close the rule.

9. Add any additional tests you want to include in the health check by adding additional rules.
10. Click OK to save and close the health check.
11. To use the server health check, select it in a server pool or server pool member configuration. For details, see
Creating a server pool on page 169.

See also

l IPv6 support on page 33

l Configuring an HTTP server policy on page 242
l Creating a server pool on page 169

Configuring session persistence

After FortiWeb has forwarded the first packet from a client to a pool member, some protocols require that subsequent
packets also be forwarded to the same back-end server until a period of time passes or the client indicates that it has
finished transmission.
A session persistence configuration specifies a persistence method and timeout. You apply the configuration to Server
Balance server pools to apply the persistence setting to all members of the pool.

FortiWeb Administration Guide Fortinet Technologies Inc.

167

To create a persistence configuration

1. Go to Server Objects > Server > Persistence and click Create New.

2. Configure these settings:

Name Type a unique name that can be referenced in other parts of the configuration.
The maximum length is 63 characters.

Type Specifies how FortiWeb determines the pool member to forward subsequent
requests from a client to after its initial request. For the initial request,
FortiWeb selects a pool member using the load balancing method specified in
the server pool configuration.
l Source IP—Forwards subsequent requests with the same client IP
address and subnet as the initial request to the same pool member. To
define how FortiWeb derives the appropriate subnet from the IP address,
configure IPv4 Netmask on page 168 and IPv6 Mask Length on page
168.
l HTTP Header—Forwards subsequent requests with the same value for
an HTTP header as the initial request to the same pool member. Also
configure Header Name on page 168.
l URL parameter—Forwards subsequent requests with the same value
for a URL parameter as the initial request to the same pool member. Also
configure Parameter Name on page 168.
l Insert Cookie—FortiWeb adds a cookie with the name specified by
Cookie Name on page 168 to the initial request and forwards all
subsequent requests with this cookie to the same pool member.
FortiWeb uses this cookie for persistence only and does not forward it to
the pool member. Also configure Cookie Path on page 168 and Cookie
Domain on page 168.
l Rewrite Cookie—If the HTTP response has a Set-Cookie: value
that matches the value specified by Cookie Name on page 168, FortiWeb
replaces the value specified by the keyword with a randomly generated
cookie value. FortiWeb forwards all subsequent requests with this
generated cookie value to the same pool member.
l Persistent Cookie—If an initial request contains a cookie with a name
that matches the Cookie Name on page 168 value, FortiWeb forwards
subsequent requests that contain the same cookie value to the same
pool member as the initial request.
l Embedded Cookie—If the HTTP response contains a cookie with a
name that matches the Cookie Name on page 168 value, FortiWeb
preserves the original cookie value and adds a randomly generated
cookie value and a ~ (tilde) as a prefix. FortiWeb forwards all subsequent
requests with this cookie and prefix to the same pool member.
l ASP Session ID—If a cookie in the initial request contains an ASP
.NET session ID value, FortiWeb forwards subsequent requests with the
same session ID value to the same pool member as the initial request.
FortiWeb preserves the original cookie name.
l PHP Session ID—If a cookie in the initial request contains a PHP
session ID value, FortiWeb forwards subsequent requests with the same

FortiWeb Administration Guide Fortinet Technologies Inc.

168

session ID value to the same pool member as the initial request.

FortiWeb preserves the original cookie name.
l JSP Session ID—FortiWeb forwards subsequent requests with the
same JSP session ID as the initial request to the same pool member.
FortiWeb preserves the original cookie name.
l SSL Session ID—If a cookie in the initial request contains an SSL
session ID value, FortiWeb forwards subsequent requests with the same
session ID value to the same pool member as the initial request.
FortiWeb preserves the original cookie name.

IPv4 Netmask Specifies the IPv4 subnet used for session persistence.

For example, if IPv4 Netmask is 256.256.256.256, FortiWeb can

forward requests from IP addresses 192.168.1.1 and 192.168.1.2 to different
server pool members.

If IPv4 Netmask is 256.256.256.0, FortiWeb forwards requests from IP

addresses 192.168.1.1 and 192.168.1.2 to the same pool member.

Available only when Type on page 167 is Source IP.

IPv6 Mask Length Specifies the IPv6 network prefix used for session persistence.

Available only when Type on page 167 is Source IP.

Header Name Specifies the name of the HTTP header that the persistence feature uses to
route requests.

Available only when Type on page 167 is HTTP Header.

Parameter Name Specifies the name of the URL parameter that the persistence feature uses to
route requests.

Available only when Type on page 167 is URL Parameter.

Cookie Name Specifies a value to match or the name of the cookie that FortiWeb inserts.

Available only when Type on page 167 uses a cookie.

Cookie Path Specifies a path attribute for the cookie that FortiWeb inserts, if Type on page
167 is Insert Cookie.

Cookie Domain Specifies a domain attribute for the cookie that FortiWeb inserts, if Type on
page 167 is Insert Cookie

Timeout Specifies the maximum amount of time between requests that FortiWeb
maintains persistence, in seconds.
FortiWeb stops forwarding requests according to the established persistence
after this amount of time has elapsed since it last received a request from the
client with the associated property (for example, an IP address or cookie).
Instead, it again selects a pool member using the load balancing method
specified in the server pool configuration.

3. Click OK.

FortiWeb Administration Guide Fortinet Technologies Inc.

169

For details about applying the configuration to a pool, see Creating a server pool on page 169.
https://docs.fortinet.com/document/fortiweb/

Configuring server-side SNI support

FortiWeb supports server-side SNI (Server Name Indication). You use this feature when you have the following
configuration requirements:
l The operating mode is Reverse Proxy or True Transparent Proxy.
l You offload SSL/TLS processing to FortiWeb and use SSL/TLS for connections between FortiWeb and the pool
member (end-to-end encryption).
l One or more server pool members require SNI support.
In True Transparent Proxy mode, use the following CLI command to enable server-side SNI for the appropriate pool
member:
config server-policy server-pool
edit <server-pool_name>
config pserver-list
edit <entry_index>
set server-side-sni {enable | disable}

In Reverse Proxy mode, use the following CLI command to enable server-side SNI in the appropriate server policy:
config server-policy policy
edit <policy_name>
set server-side-sni {enable | disable}

You cannot use the web UI to enable this option. For details, see the FortiWeb CLI Reference.

Creating a server pool

Server pools define a group of one or more physical or domain servers (web servers) that FortiWeb distributes
connections among, or where the connections pass through to, depending on the operating mode. Reverse Proxy mode
actively distributes connections; Offline Protection mode, both transparent modes, and WCCP mode do not.
l Reverse Proxy mode—When the FortiWeb appliance receives traffic destined for a virtual server, it forwards the
traffic to a server pool. If the pool has more than one member, the physical or domain server that receives the
connection depends on your configuration of load-balancing algorithm, weight, and server health checking.
For pools with multiple members, to prevent traffic from being forwarded to unavailable web servers, you can use a
health check to verify the availability of members. The availability of other members and the Deployment Mode on
page 244 option in the policy determine whether the FortiWeb appliance redistributes or drops the connection when
a physical or domain server in a server pool is unavailable.
l Offline Protection, True Transparent Proxy, Transparent Inspection, and WCCP mode—The FortiWeb
appliance allows traffic to pass through to the server pool when it receives traffic that is:
l passing through a bridge
l directed to the FortiWeb (configured as a WCCP client) by a FortiGate acting as a WCCP server
A server can belong to more than one server pool.

FortiWeb Administration Guide Fortinet Technologies Inc.

170

To configure a server pool

1. Before you configure a server pool, do the following:

l If clients connect via HTTPS and FortiWeb is operating in a mode that performs SSL inspection instead of SSL
offloading, upload the website’s server certificate. For details, see Uploading a server certificate on page 402.
l If you want to use the pool for load balancing and want to monitor its members for responsiveness, configure
one or more server health checks to use with it. For details, see Configuring server up/down checks on page
163.
l If client connections require persistent sessions, create a persistence configuration. For details, see
Configuring session persistence on page 166.
2. Go to Server Objects > Server > Server Pool.
To access this part of the web UI, your administrator’s account access profile must have Read and Write
permission to items in the Server Policy Configuration category. For details, see Permissions on page 56.
3. Click Create New.
4. According to the protocol used, select Create HTTP Server Pool.
5. Configure these settings:

Name Type a name that can be referenced by other parts of the configuration. The
maximum length is 63 characters.

Type Select the current operation mode of the appliance to display the
corresponding pool options.
For full information on the operating modes, see How to choose the operation
mode on page 70.

Single Server/Server l Single Server—Specifies a pool that contains a single member.

Balance l Server Balance—Specifies a pool that contains multiple members.
FortiWeb uses the specified load-balancing algorithm to distribute TCP
connections among the members. If a member is unresponsive to the
specified server health check, FortiWeb forwards subsequent
connections to another member of the pool.
Available only when Type on page 170 is Reverse Proxy.

Server Health Check Specifies a test for server availability. By default, this health check is used for
all pool members, but you can use the pool member configuration to assign a
different health check to a member.
For details, see Configuring server up/down checks on page 163.
Available only when Type on page 170 is Reverse Proxy and Single
Server/Server Balance on page 170 is Server Balance.

Load Balancing Algorithm l Round Robin—Distributes new TCP connections to the next pool
member, regardless of weight, response time, traffic load, or number of
existing connections. FortiWeb avoids unresponsive servers.
l Weighted Round Robin—Distributes new TCP connections using the
round-robin method, except that members with a higher weight value
receive a larger percentage of connections.
l Least Connection—Distributes new TCP connections to the member
with the fewest number of existing, fully-formed TCP connections. If
there are multiple servers with the same least number of connections,
FortiWeb will take turns and avoid always selecting the same member to

FortiWeb Administration Guide Fortinet Technologies Inc.

171

distribute new connections.

l URI Hash—Distributes new TCP connections using a hash algorithm
based on the URI found in the HTTP header, excluding hostname.
l Full URI Hash—Distributes new TCP connections using a hash
algorithm based on the full URI string found in the HTTP header. The full
URI string includes the hostname and path.
l Host Hash—Distributes new TCP connections using a hash algorithm
based on the hostname in the HTTP Request header Host field.
l Host Domain Hash—Distributes new TCP connections using a hash
algorithm based on the domain name in the HTTP Request header Host
field.
l Source IP Hash—Distributes new TCP connections using a hash
algorithm based on the source IP address of the request.
When the status of a physical server in a server pool is disabled, a health
check indicates it is down, or it is removed from the server pool, FortiWeb will
transfer any remaining HTTP transactions in the TCP stream to an active
physical server in the server pool according to the Load Balancing Algorithm.
For hash-based methods, if you specify a persistence method for the server
pool, after an initial client request, FortiWeb routes any subsequent requests
according to the persistence method. Otherwise, it routes subsequent
requests according to the hash-based algorithm.
Available only when Type on page 170 is Reverse Proxy and Single
Server/Server Balance on page 170 is Server Balance.

Persistence Select a configuration that specifies a session persistence method and

timeout to apply to the pool members.
For details, see Configuring session persistence on page 166.
Available only when Type on page 170 is Reverse Proxy and Single
Server/Server Balance on page 170 is Server Balance.

Comments Type a description of the server pool. The maximum length is 199 characters.

Note: you can also configure to enable HTTP reuse function to determine how to reuse the existing connection
without creating one. See FortiWeb 6.1.1 CLI Reference for details.
6. Click OK.
7. Click Create New.
8. Configure these settings:

ID The index number of the member entry within the server pool.
FortiWeb automatically assigns the next available index number.
For round robin-style load-balancing, the index number indicates the order in
which FortiWeb distributes connections.
The valid range is from 0 to 9223372036854775807 (the maximum possible
value for a long integer).
You can use the server-policy server-pool CLI command to change
the index number value. For details, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/
Status l Enable—Specifies that this pool member can receive new sessions from

FortiWeb Administration Guide Fortinet Technologies Inc.

172

FortiWeb.
l Disable—Specifies that this pool member does not receive new sessions
from FortiWeb and FortiWeb closes any current sessions as soon as
possible.
l Maintenance—Specifies that this pool member does not receive new
sessions from FortiWeb but FortiWeb maintains any current connections.

Server Type Select either IP or Domain to indicate how you want to define the pool
member.

IP Specify the IP address or fully-qualified domain name of the web server to

or include in the pool.
Domain For domain servers, FortiWeb queries a DNS server to query and resolve each
web server’s domain name to an IP address. For improved performance, do
one of the following:
l Use physical servers instead
l Ensure highly reliable, low-latency service to a DNS server on your local
network
Tip: The IP or domain server is usually not the same as a protected host
names group. See Protected web servers vs. allowed/protected host names
on page 160.
Warning: Server policies do not apply features that do not yet support IPv6 to
servers specified using IPv6 addresses or domain servers whose DNS names
resolve to IPv6 addresses.
The Server Type on page 172 value determines the name of this option.
Note: FortiWeb continuously verifies the IP address paired with the domain
name and if the IP address changes, FortiWeb automatically updates the
origin server IP in its configuration. The frequency that FortiWeb updates the
IP depends on the TTL of the DNS record, which is usually 60 seconds in AWS
ALB/ELB.

Port Type the TCP port number where the pool member listens for connections.
The valid range is from 1 to 65,535.

Connection Limit Specifies the maximum number of TCP connections that FortiWeb forwards
to this pool member.

The default is 0 (disabled).

The valid range is from 0 to 1,048,576.

Available only if the Type on page 170 is Reverse Proxy.

Weight If the pool member is part of a pool that uses the weighted round-robin load-
balancing algorithm, type the weight of the member when FortiWeb
distributes TCP connections.
Members with a greater weight receive a greater proportion of connections.
Weighting members can be useful when, for example, some servers in the
pool are more powerful or if a member is already receiving fewer or more
connections due to its role in multiple websites.

FortiWeb Administration Guide Fortinet Technologies Inc.

173

Available only if the Type on page 170 is Reverse Proxy and Single
Server/Server Balance on page 170 is Server Balance.

Inherit Health Check Clear to use the health check specified by Server Health Check in this server
pool rule instead of the one specified in the server pool configuration.
Available only if the Type on page 170 is Reverse Proxy and Single
Server/Server Balance on page 170 is Server Balance.

Server Health Check Specifies an availability test for this pool member.
For details, see Configuring server up/down checks on page 163.
Available only if the Type on page 170 is Reverse Proxy and Single
Server/Server Balance on page 170 is Server Balance.

Health Check Domain Name Enter an HTTP host header name to test the availability of a specific host.
This is useful if the pool member hosts multiple websites (virtual hosting
environment).
Available only if Type on page 164 is HTTP.

Backup Server When this option is selected and all the members of the server pool fail their
server health check, FortiWeb routes any connections for the pool to this
server.

The backup server mechanism does not work if you do not specify server
health checks for the pool members.

If you select this option for more than one pool member, FortiWeb uses the
load balancing algorithm to determine which member to use.
Available only if the Type on page 170 is Reverse Proxy and Single
Server/Server Balance on page 170 is Server Balance.

Proxy Protocol If the back-end server enables proxy protocol, you need to enable the Proxy
Protocol option on FortiWeb so that the TCP SSL and HTTP traffic can
successfully go through. The real IP address of the client will be included in
the proxy protocol header.
Available only if the Type on page 170 is Reverse Proxy, True Transparent
Proxy, Offline Protection, or Transparent Inspection.
Proxy Protocol Version Select the proxy protocol version for the back-end server.
Available only if the Type on page 170 is Reverse Proxy or True
Transparent Proxy.
HTTP/2 Enable to allow HTTP/2 communication between the FortiWeb and this back-
end web server.
When FortiWeb's security services are applied to the HTTP/2 traffic between
clients and this web server in Reverse Proxy mode:
l Enabling this option makes sure the traffic is transferred in HTTP/2
between FortiWeb and this web server, if this web server supports
HTTP/2.

Note: Make sure that this back web server really supports HTTP/2 before
you enable this, or connections will go failed.

FortiWeb Administration Guide Fortinet Technologies Inc.

174

l Disabling this option makes FortiWeb to converse HTTP/2 to HTTP/1.x

for this web server, or converse HTTP/1.x to HTTP/2 for the clients, if this
web server does not support HTTP/2.
In True Transparent Proxy mode, it requires this option be enabled and the
SSL on page 174 be well-configured to enable FortiWeb's HTTP/2 inspection.
When HTTP/2 inspection is enabled in True Transparent Proxy mode,
FortiWeb performs no protocol conversions between HTTP/1.x and HTTP/2,
which means HTTP/2 connections will not be established between clients and
back-end web servers if the web servers do not support HTTP/2. For details,
see HTTP/2 support on page 40.
Note: Please confirm the operation mode and HTTP versions your back-end
web servers are running so that HTTP/2 inspection can work correctly with
your web servers. If the Deployment Mode on page 244 in the server policy
configuration is HTTP Content Routing and HTTP/2 on page 247 is enabled,
keep HTTP/2 on page 173 disabled in the server pool configuration.
This option is available only when the Type on page 170 is Reverse Proxy.

SSL For Reverse Proxy, Offline Protection, and Transparent Inspection modes,
specifies whether connections between FortiWeb and the pool member use
SSL/TLS.
For True Transparent Proxy and WCCP modes, specifies whether SSL/TLS
processing is offloaded to FortiWeb and SSL/TLS is used for connections
between FortiWeb and the pool member:
For True Transparent Proxy mode, if the pool member requires SNI support,
see Configuring server-side SNI support on page 169.
For Offline Protection and Transparent Inspection mode, also configure
Certificate File on page 175. FortiWeb uses the certificate to decrypt and scan
connections before passing the encrypted traffic through to the pool members
(SSL inspection).
Note: Ephemeral (temporary key) Diffie-Hellman exchanges are not
supported if the FortiWeb appliance is operating in Transparent Inspection or
Offline Protection mode.
For True Transparent Proxy and WCCP mode, also configure Certificate File
on page 175, Client Certificate on page 175, and the settings described in
Defining your web servers on page 163. FortiWeb handles SSL negotiations
and encryption and decryption instead of the pool member (SSL offloading).
For Reverse Proxy mode:
l You can configure SSL offloading for all members of a pool using a server
policy. For details, see Configuring an HTTP server policy on page 242.
l If the pool member requires SNI support, see Configuring server-side
SNI support on page 169.
Note: When this option is enabled, the pool member must be configured to
apply SSL.
Note: This option and related settings are required to be well-configured for
enabling FortiWeb's HTTP/2 support in True Transparent Proxy mode.

Enable Multi-certificate Enable this option to allow FortiWeb to use multiple local certificates.
Available when:

FortiWeb Administration Guide Fortinet Technologies Inc.

175

l SSL on page 174 is enabled, and

l FortiWeb is operating in True Transparent Proxy mode that performs
SSL inspection.Offloading vs. inspection on page 386

Multi-certificate Select the local server certificate created in System > Certificates > Multi-
certificate that FortiWeb uses to encrypt or decrypt SSL-secured connections
for the website specified by Defining your web servers. For details, see
Defining your web servers on page 163.

Certificate File Select the server certificate that FortiWeb uses to decrypt SSL-secured
connections.
For True Transparent Proxy and WCCP modes, also complete the settings
described in described in Defining your web servers on page 163.
Available when:
l SSL on page 174 is enabled, and
l FortiWeb is operating in a mode other than Reverse Proxy that performs
SSL inspection. See Offloading vs. inspection on page 386.

Certificate Intermediate Select the name of a group of intermediate certificate authority (CA)
Group certificates, if any, that FortiWeb presents to clients. An intermediate CA can
complete the signing chain and validate the server certificate’s CA signature.
Configure this option when clients receive certificate warnings that an
intermediary CA has signed the server certificate specified by Certificate File
on page 175, not a root CA or other CA currently trusted by the client directly.
Alternatively, you can include the entire signing chain in the server certificate
itself before you upload it to FortiWeb. For details, see Uploading a server
certificate on page 402 and Supplementing a server certificate with its signing
chain on page 404.
. Available only if the Type on page 170 is True Transparent Proxy or
WCCP and SSL on page 174 is enabled.
Client Certificate If connections to this pool member require a valid client certificate, select the
client certificate that FortiWeb uses.
Available when:
l SSL on page 174 is enabled, and
l FortiWeb is operating in Reverse Proxy, True Transparent Proxy, or
WCCP mode.
Upload a client certificate for FortiWeb using the steps you use to upload a
server certificate. For details, see Uploading a server certificate on page 402.

Client Certificate Proxy Enable to configure seamless PKI integration. When this option is configured,
FortiWeb attempts to verify client certificates when users make requests and
resigns new certificates that it sends to the server.
Also configure Client Certificate Proxy Sign CA on page 175.
For details, see Seamless PKI integration on page 427.

Enable Server Name Enable so that FortiWeb forwards the client's server name in the
Indication (SNI) Forwarding SSL handshake to the server so that the server handles SNI instead of
FortiWeb.

Client Certificate Proxy Sign Select a Sign CA FortiWeb will use to verify and resign new client certificates.

FortiWeb Administration Guide Fortinet Technologies Inc.

176

CA For details, see Seamless PKI integration on page 427.

Add HSTS Header Enable to combat MITM attacks on HTTP by injecting the RFC 6797
(http://tools.ietf.org/html/rfc6797) strict transport security header into the
reply, such as:
Strict-Transport-Security: max-age=31536000

This header forces clients to use HTTPS for subsequent visits to this domain.
If the certificate is invalid, the client’s web browser receives a fatal connection
error and does not display a dialog that allows the user to override the
certificate mismatch error and continue.
Available only when the Type on page 170 is True Transparent Proxy or
WCCP and SSL is enabled.
Add HPKP Header Select an HPKP profile, if any, to use to verify certificates when clients
attempt to access a server.
HPKP prevents attackers from carrying out Man in the Middle (MITM) attacks
with forged certificates. For details, see HTTP Public Key Pinning on page
410.
Available only if SSL on page 174 is enabled.

Certificate Verification Select the name of a certificate verifier, if any, that FortiWeb uses to validate
an HTTP client’s personal certificate.
However, if you select Enable Server Name Indication (SNI) on page 177 and
the domain in the client request matches an entry in the specified SNI policy,
FortiWeb uses the SNI configuration to determine which certificate verifier to
use.
If you do not select a verifier, clients are not required to present a personal
certificate. For details, see How to apply PKI client authentication (personal
certificates) on page 411.
Personal certificates, sometimes also called user certificates, establish the
identity of the person connecting to the website (PKI authentication).
You can require that clients present a certificate instead of, or in addition to,
HTTP authentication. For details, see Offloading HTTP authentication &
authorization on page 340.
Note: The client must support TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3.
Available only when the Type on page 170 is Reverse Proxy.

Enable URL Based Client Specifies whether FortiWeb uses a URL-based client certificate group to
Certificate determine whether a client is required to present a personal certificate.
Note: This function is not supported for HTTP/2 communication between the
Client and this back-end web server.

URL Based Client Certificate Specifies the URL-based client certificate group that determines whether a
Group client is required to present a personal certificate.
If the URL the client requests does not match an entry in the group, the client
is not required to present a personal certificate.
For details about creating a group, see Use URLs to determine whether a
client is required to present a certificate on page 424.

FortiWeb Administration Guide Fortinet Technologies Inc.

177

Max HTTP Request Length Specifies the maximum allowed length for an HTTP request with a URL that
matches an entry in the URL-based client certificate group.
FortiWeb blocks any matching requests that exceed the specified size.
This setting prevents a request from exceeding the maximum buffer size.

Client Certificate Forwarding Enable to configure FortiWeb to include the X.509 personal certificate
presented by the client during the SSL/TLS handshake, if any, in an X-
Client-Cert: HTTP header when it forwards the traffic to the protected
web server.
FortiWeb still validates the client certificate itself, but this forwarding action
can be useful if the web server requires the client certificate for the purpose of
server-side identity-based functionality.

Custom Header of Enter a custom subject header that will include the subject of the X.509
CCF Subject personal certificate presented by the client during the SSL/TLS handshake
when it forwards the traffic to the protected web server.
Available only when Client Certificate Forwarding on page 177 is enabled.

Custom Header of Enter a custom certificate header that will include the Base64 certificate of the
CCF Certificate X.509 personal certificate presented by the client during the SSL/TLS
handshake when it forwards the traffic to the protected web server.
Available only when Client Certificate Forwarding on page 177 is enabled.

Enable Server Name Select to use a Server Name Indication (SNI) configuration instead of or in
Indication (SNI) addition to the server certificate specified by Certificate File on page 175.
The SNI configuration enables FortiWeb to determine which certificate to
present on behalf of the pool member based on the domain in the client
request. For details, see Allowing FortiWeb to support multiple server
certificates on page 406.
If you specify both an SNI configuration and Certificate File on page 175,
FortiWeb uses the certificate specified by the Certificate File on page 175
when the domain in the client request does not match a value in the SNI
configuration.
If you select Enable Strict SNI on page 177, FortiWeb always ignores the
value of the Certificate File on page 175.

Enable Strict SNI Select to configure FortiWeb to ignore the value of Certificate File on page
175 when it determines which certificate to present on behalf of the pool
member, even if the domain in a client request does not match a value in the
SNI configuration.
Available only if Enable Server Name Indication (SNI) on page 177 is selected.

SNI Policy Select the Server Name Indication (SNI) configuration that FortiWeb uses to
determine which certificate it presents on behalf of this pool member.
Available only if Enable Server Name Indication (SNI) on page 177 is selected.

Supported SSL Protocols Specify which versions of the SSL or TLS cryptographic protocols FortiWeb
can use to connect securely to this pool member.
TLS protocol changes a lot since version 1.3, including the handshake
algorithm, the supported ciphers and certificates. Make sure you understand
how it works before enabling TLS 1.3.

FortiWeb Administration Guide Fortinet Technologies Inc.

178

Note: O-RTT in TLS 1.3 is disabled by default. You can use the following
command to enable it:
config server-policy setting
set tls13-early-data-mode enable
end
For the supported ciphers of each TLS version, see Supported cipher suites &
protocol versions on page 388.
This option is available when:
l SSL on page 174 is enabled, and
l The Type on page 170 is Reverse Proxy, True Transparent Proxy, or
WCCP.

SSL/TLS Encryption Level Specify whether the set of cipher suites that FortiWeb allows creates a
medium-security, high-security, or custom configuration.
For details, see Supported cipher suites & protocol versions on page 388.
Available when:
l SSL on page 174 is enabled, and
l The Type on page 170 is Reverse Proxy, True Transparent Proxy, or
WCCP.

Session Ticket Reuse Enable so that FortiWeb reuses the session ticket when establishing an SSL
connection to a pserver. If the SSL connection has a server name, FortiWeb
can only reuse a session ticket for the specified pserver.
Note: This option is available only when SSL on page 174 is enabled.
Session ID Reuse Enable so that FortiWeb reuses the session ID when establishing an SSL
connection to a pserver. If the SSL connection has a server name, FortiWeb
can only reuse a session ID for the specified pserver. If both a session ticket
and ID exist for a pserver, FortiWeb will reuse the ticket.
Note: This option is available only when SSL on page 174 is enabled.
Disable Client-Initiated SSL Select to ignore requests from clients to renegotiate TLS or SSL.
Renegotiation This setting protects against denial-of-service (DoS) attacks that use TLS/SSL
renegotiation to overburden the server.
Available only when the Type on page 170 is Reverse Proxy or True
Transparent Proxy.

Recover Specifies the number of seconds that FortiWeb waits before it forwards traffic
to this pool member after a health check indicates that this server is available
again.
The default is 0 (disabled). The valid range is 0 to 86,400 seconds.
After the recovery period elapses, FortiWeb assigns connections at the rate
specified by Warm Rate on page 179.
Examples of when the server experiences a recovery and warm-up period:
l A server is coming back online after the health check monitor detected it
was down.
l A network service is brought up before other daemons have finished
initializing and therefore the server is using more CPU and memory
resources than when startup is complete.

FortiWeb Administration Guide Fortinet Technologies Inc.

179

To avoid connection problems, specify the separate warm-up rate, recovery

rate, or both.
Tip: During scheduled maintenance, you can also manually apply these limits
by setting Status on page 171 to Maintenance.

Warm Up Specifies for how long FortiWeb forwards traffic at a reduced rate after a
health check indicates that this pool member is available again but it cannot
yet handle a full connection load.
For example, when the pool member begins to respond but startup is not fully
complete.
The default is 0 (disabled). The valid range is 1 to 86,400 seconds.

Warm Rate Specifies the maximum connection rate while the pool member is starting up.
The default is 10 connections per second. The valid range is 0 to 86,400
connections per second.
The warm up calibration is useful with servers that bring up the network
service before other daemons are initialized. As these types of servers come
online, CPU and memory are more utilized than they are during normal
operation. For these servers, you define separate rates based on warm-up
and recovery behavior.
For example, if Warm Up on page 179 is 5 and Warm Rate is 2, the
maximum number of new connections increases at the following rate:
l 1st second—Total of 2 new connections allowed (0+2).
l 2nd second—2 new connections added for a total of 4 new connections
allowed (2+2).
l 3rd second—2 new connections added for a total of 6 new connections
allowed (4+2).
l 4th second—2 new connections added for a total of 8 new connections
allowed (6+2).
l 5th second—2 new connections added for a total of 10 new connections
allowed (8+2).

9. Repeat the previous steps for each IP address or domain that you want to add to the server pool.
10. Click OK.
11. To apply the server pool configuration, do one of the following:
l Select it in a server policy directly.
l Select it in an HTTP content writing policy that you can, in turn, select in a server policy.
For details, see Configuring an HTTP server policy on page 242 and Routing based on HTTP content on page 180.

See also

l IPv6 support on page 33

l HTTP pipelining on page 254
l Routing based on HTTP content on page 180
l Configuring an HTTP server policy on page 242
l Configuring server up/down checks on page 163
l Sequence of scans on page 25

FortiWeb Administration Guide Fortinet Technologies Inc.

180

l How to offload or inspect HTTPS on page 396

l Forcing clients to use HTTPS on page 409

Routing based on HTTP content

Instead of dynamically routing requests to a server pool simply based upon load or connection distribution at the TCP/IP
layers, as basic load balancing does, you can forward them based on the host, headers or other content in the HTTP
layer.
HTTP content routing policies define how FortiWeb routes requests to server pools. They are based on one or more of
the following HTTP elements:
l Host
l URL
l HTTP parameter
l Referer
l Source IP
l Header
l Cookie
l X509 certificate field value
l HTTPS SNI
l Geo IP
This type of routing can be useful if, for example, a specific web server or group of servers on the back end support
specific web applications, functions, or host names. That is, your web servers or server pools are not identical, but
specialized. For example:
l 192.168.0.1—Hosts the website and blog
l 192.168.0.2 and 192.168.0.3—Host movie clips and multimedia
l 192.168.0.4 and 192.168.0.5—Host the shopping cart
Another example is a topology where back-end servers or a traffic controller (TC) server externally manage how
FortiWeb routes and balances the traffic load. The TC embeds a cookie that indicates how to route the client’s next
request. In the diagram, if a request has no cookie (that is, it initializes a session), FortiWeb’s HTTP content routing is
configured to forward that request to the TC, Web Server 1. For subsequent requests, as long as the cookie exists,
FortiWeb routes those requests to Web Server 2.

FortiWeb Administration Guide Fortinet Technologies Inc.

181

Set-Cookie: name=cookiesession1...
192.168.1.2/24

Switch
10.0.0.1 port3
Cook
ie: port2
name
192.168.1.1
=coo
kies
essi
192.168.1.3/24
on1.
..
View
Web
Server 2

When FortiWeb operates in Reverse Proxy mode, HTTP Content Routing is partially
supported if HTTP/2 security inspection is enabled. In such cases, FortiWeb can
handle HTTP/2 for client requests, but traffic between FortiWeb and the server(s)
must use HTTP, so the HTTP/2setting in a server pool configuration would have to
remain disabled. For details, see HTTP/2 support on page 40.

To configure HTTP content routing

1. Go to Server Objects > Server > HTTP Content Routing.

FortiWeb Administration Guide Fortinet Technologies Inc.

182

If you've configured request rewriting, configure HTTP content-based routing

based on the original request, as it appears before FortiWeb has rewritten it.
For more information on rewriting, see Rewriting & redirecting on page 628.

Match Object Select the object that FortiWeb examines for matching values.

HTTP Host

HTTP Host
Specify one of the following values to match:
l Match prefix—The host to match begins with the specified
string.
l Match suffix—The host to match ends with the specified string.
l Match contains—The host to match contains the specified
string.
l Match domain—The host to match contains the specified string
between the periods in a domain name.

For example, if the value is abc, the condition matches the

following hostnames:

dname1.abc.com
dname1.dname2.abc.com

However, the same value does not match the following

hostnames:

abc.com
dname.abc

l Is equal to—The host to match is the specified string.

l Regular expression—The host to match has a value that
matches the specified regular expression.

(value) Specifies a host value to match.

If Regular Expression is selected, the value is an expression that
matches the object.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

with previous entries in the HTTP content routing list.
rule l Or—Matching requests match either this entry or other entries in
the list.
Later, you can use the HTTP content routing list options to adjust the
matching sequence for entries.

FortiWeb Administration Guide Fortinet Technologies Inc.

183

HTTP URL

HTTP URL Specify one of the following values to match:

l Match prefix—The URL to match begins with the specified
string.
l Match suffix—The URL to match ends with the specified string.
l Match contains—The URL to match contains the specified
string.
l Match directory—The URL to match contains the specified
string between delimiting characters (slash).

For example, if the value is abc, the condition matches the

following URLs:

test.com/abc/
test.com/dir1/abc/

However, the same value does not match the following URLs:

test.com/abc
test.abc.com

l Is equal to—The URL to match is the specified string.

l Regular expression—The URL to match matches the specified
regular expression.

(value) Specifies a URL to match.

For example, a literal URL, such as /index.php, that a matching
HTTP request contains.
For example, when Is equal to is selected, the value
/dir1/abc/index.html matches the following URL:
http://test.abc.com/dir1/abc/index.html
If Regular Expression is selected, the value is an expression that
matches the object. For example, ^/*.php.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

HTTP Parameter

Parameter Name Specify one of the following values to match:

l Match prefix—The parameter name to match begins with the

FortiWeb Administration Guide Fortinet Technologies Inc.

184

specified string.
l Match suffix—The parameter name to match ends with the
specified string.
l Match contains—The parameter name to match contains the
specified string.
l Is equal to—The parameter name to match is the specified
string.
l Regular expression—The parameter name to match matches
the specified regular expression.

(value) Specifies a parameter name to match.

Parameter Value Specify one of the following values to match:

l Match prefix—The parameter value to match begins with the
specified string.
l Match suffix—The parameter value to match ends with the
specified string.
l Match contains—The parameter value to match contains the
specified string.
l Is equal to—The parameter value to match is the specified
string.
l Regular expression—The parameter value to match matches
the specified regular expression.

(value) Specifies a parameter value to match.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

with previous entries in the HTTP content routing list.
rule l Or—Matching requests match this entry or other entries in the
list.
Later, you can use the HTTP content routing list options to adjust the
matching sequence for entries.

HTTP Referer

HTTP Referer Specify one of the following values to match:

l Match prefix—The HTTP referer value to match begins with the
specified string.
l Match suffix—The HTTP referer value to match ends with the
specified string.

FortiWeb Administration Guide Fortinet Technologies Inc.

185

l Match contains—The HTTP referer value to match contains the

specified string.
l Is equal to—The HTTP referer value to match is the specified
string.
l Regular expression—The HTTP referer value to match
matches the specified regular expression.

(value) Specifies an HTTP referer value to match.

If Regular Expression is selected, the value is an expression that
matches the HTTP referer value.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

HTTP Cookie

HTTP Cookie Specify one of the following values to match:

l Match prefix—The cookie name to match begins with the
specified string.
l Match suffix—The cookie name to match ends with the
specified string.
l Match contains—The cookie name to match contains the
specified string.
l Is equal to—The cookie name to match is the specified string.
l Regular expression—The cookie name to match matches the
specified regular expression.

(value) Specifies a cookie name to match.

If Regular Expression is selected, the value is an expression that
matches the name.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

Cookie Value Specify one of the following values to match:

l Match prefix—The cookie value to match begins with the
specified string.
l Match suffix—The cookie value to match ends with the
specified string.
l Match contains—The cookie value to match contains the
specified string.
l Is equal to—The cookie value to match is the specified string.
l Regular expression—The cookie value to match matches the

FortiWeb Administration Guide Fortinet Technologies Inc.

186

specified regular expression.

For example, hash[a-fA-F0-7]*.

(value) Specifies a cookie value to match.

If Regular Expression is selected, the value is an expression that
matches the cookie value.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

HTTP Header

Header Name Specify one of the following values to match:

l Match prefix—The header name to match begins with the
specified string.
l Match suffix—The header name to match ends with the
specified string.
l Match contains—The header name to match contains the
specified string.
l Is equal to—The header name to match is the specified string.
l Regular expression—The header name to match matches the
specified regular expression.

(value) Specifies a header name to match.

Header Value Specify one of the following values to match:

l Match prefix—The header value to match begins with the
specified string.
l Match suffix—The header value to match ends with the
specified string.
l Match contains—The header value to match contains the
specified string.
l Is equal to—The header value to match is the specified string.
l Regular expression—The header value to match matches the
specified regular expression.

(value) Specifies a header value to match.

FortiWeb Administration Guide Fortinet Technologies Inc.

187

If Regular Expression is selected, the value is an expression that

matches the header value.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

Source IP

Source IP Specify one of the following values to match:

l IPv4 Address/Range—The source IP to match is an IPv4 IP
address or within a range of IPv4 IP addresses.
l IPv6 Address/Range—The source IP to match is an IPv6 IP
address or within a range of IPv6 IP addresses.
l Regular expression—The source IP to match matches the
specified regular expression.
l Import From CSV File—The source IPs to match are multiple
IP addresses or IP ranges included in the CSV file.

(value) Specifies a source IP address value to match.

If Regular Expression is selected, the value is an expression that
matches the source IP.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

X509 Certificate Subject Matches against a specified Relative Distinguished Name (RDN) in
the X509 certificate Subject field. Use an attribute-value pair to
specify the RDN.
For example, an X509 certificate has the following Subject field
content:
C=CN, ST=Beijing, L=Haidian, O=fortinet, OU=fortiweb, CN=pc110

FortiWeb Administration Guide Fortinet Technologies Inc.

188

The following settings match a certificate with this Subject field

by matching the RDN O=fortinet:
l X509 Field Name—O
l Value =—fortinet
X509 Field Select the attribute type to match: E, CN, OU, O, L, ST, C.
Name

Value Enter an RDN attribute value in the X509 Subject field to match.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

X509 Certificate Matches against additional fields that the extensions field adds to the
Extension X509 certificate.
For example, an X509 certificate has the following extensions:
Extensions:
X509v3 Basic Constraints: CA:TRUE
X509v3 Subject Alternative Name: URI:aaaa
X509v3 Issuer Alternative Name: URI:bbbb
Full Name: URI:cccc

The following settings match the extension X509v3 Basic Constraints

by matching its value:
l Match Object—X509 Certificate Extension
l X509 Field Value—Is equal to
l (value)—CA:TRUE

X509 Field Specify one of the following values in the X509 extension to match:
Value l Match prefix—The X509 extension value to match begins with
the specified string.
l Match suffix—The X509 extension value to match ends with the
specified string.
l Match contains—The X509 extension value to match contains
the specified string.
l Is equal to—The X509 extension value to match is the specified
string.
l Regular expression—The X509 extension value matches the
specified regular expression.

(value) Specifies an X509 extension value to match.

If Regular Expression is selected, the value is an expression that
matches the X509 extension value.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

FortiWeb Administration Guide Fortinet Technologies Inc.

189

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

HTTPS SNI

HTTPS SNI Specify one of the following values in the HTTPS SNI to match:

l Match prefix—The HTTPS SNI value to match begins with the
specified string.
l Match suffix—The HTTPS SNI value to match ends with the
specified string.
l Match contains—The HTTPS SNI value to match contains the
specified string.
l Is equal to—The HTTPS SNI value to match is the specified
string.
l Regular expression—The HTTPS SNI value matches the
specified regular expression.

(value) Specifies an HTTPS SNI value to match.

If Regular Expression is selected, the value is an expression that
matches the HTTPS SNI value.
To create and test a regular expression, click the >> (test) icon. For
details, see Regular expression syntax on page 880.

Reverse Enable so that the condition is met when the value you specify to
match is not matched.

Relationship l And—Matching requests match this entry in addition to other

Geo IP Matches against the IP addresses from specified countries.

Country Select one or more countries at left, then click the icon to move

the selected countries to the right.

Reverse Enable to match against the IP addresses from the countries not in
the Selected Country list.

7. Click OK.
8. Repeat the rule creation steps for each HTTP host, HTTP request, or other objects that you want to route to this
server pool.
9. If required, select an entry, and then click Move to adjust the rule sequence.
For an example of how to add logic for the rules, see Example: Concatenating exceptions on page 498.

FortiWeb Administration Guide Fortinet Technologies Inc.

190

10. Click OK.

11. Repeat the policy creation procedure for each server pool, as required. You can also create additional policies that
select the same server pool.
12. To apply a HTTP content routing policy, select it in a server policy. When you add HTTP content routing polices to a
policy, you also select a default policy. The default policy routes traffic that does not match any conditions found in
the specified routing policies.
For details, see Configuring an HTTP server policy on page 242.

See also

l Adding a gateway on page 142

l Creating a server pool on page 169
l Enabling or disabling traffic forwarding to your servers on page 200
l Configuring an HTTP server policy on page 242
l Configuring server up/down checks on page 163

Example: Routing according to URL/path

Your FortiWeb appliance might have one virtual server (the front end) protecting three physical web servers (the back
end).
From the perspective of clients connecting to the front end, there is one domain name: www.example.com. At this host
name, there are three top-level URLs:
l /games—Game application
l /school—School application
l /work—Work application
In a client’s web browser, therefore, they might go to the location:
http://www.example.com/games
Behind the FortiWeb, however, each of those 3 web applications actually resides on separate back-end web servers with
different IP addresses, and each has its own server pool:
l 10.0.0.11/games—Game application
l 10.0.0.12/school—School application
l 10.0.0.13/work—Work application
In this case, you configure HTTP content routing so FortiWeb routes HTTP requests to http://www.example.com/school
to the server pool that contains 10.0.0.12. Similarly, requests for the URL /games go to a pool that contains 10.0.0.11,
and requests for the URL /work go to a pool that contains 10.0.0.13.

See also

l Routing based on HTTP content on page 180

l Creating a server pool on page 169
l Configuring server up/down checks on page 163

FortiWeb Administration Guide Fortinet Technologies Inc.

191

Example: Routing according to the HTTP “Host:” field

Your FortiWeb appliance might have one virtual server (the front end) protecting three physical web servers (the back
end).
From the perspective of clients connecting to the front end, Example Company’s website has a few domain names:
l http://www.example.com
l http://www.example.cn
l http://www.example.de
l http://www.example.co.jp
Public DNS resolves all of these domain names to one IP address: the virtual server on FortiWeb.
At the data center, behind the FortiWeb, separate physical web servers host some region-specific websites. Other
websites have lighter traffic and are maintained by the same person, and therefore a shared server hosts them. Each
back-end web server has a DNS alias. When you configure the server pools, you define each pool member using its DNS
alias, rather than its IP address:
l www1.example.com—Hosts www.example.com, plus all other host names’ content, in case the other web servers
fail or have scheduled down time
l www2.example.com—Hosts www.example.de
l www3.example.com—Hosts www.example.cn & www.example.co.jp
While public DNS servers all resolve these aliases to the same IP address—FortiWeb’s virtual server—your private
DNS server resolves these DNS names to separate IPs on your private network: the back-end web servers.
l www1.example.com—Resolves to 192.168.0.1
l www2.example.com—Resolves to 192.168.0.2
l www3.example.com—Resolves to 192.168.0.3
In this case, you configure HTTP content routing to route requests from clients based on the original Host: field in the
HTTP header to a server pool that contains the appropriate DNS aliases. The destination back-end web server is
determined at request time using server health check statuses, as well as private network DNS that resolves the DNS
alias into its current private network IP address:
l http://www.example.com/—Routes to a pool that contains www1.example.com
l http://www.example.de/—Routes to a pool that contains members www2.example.com and www1.example.com.
The www2.example.com pool member is first in the list and receives requests unless that web server is down, in
which case FortiWeb routes requests to www1.example.com
l http://www.example.cn/ & http://www.example.co.jp/—Routes to a pool that contains members
www3.example.com and www1.example.com. The www3.example.com pool member is first in the list and
receives requests unless that web server is down, in which case FortiWeb routes requests to www1.example.com
If you need to maintain HTTP session continuity for web applications, ensure the pool have a persistence policy that
forwards subsequent requests from a client to the same back-end web server as the initial request.

See also

l Routing based on HTTP content on page 180

l Rewriting & redirecting on page 628
l Creating a server pool on page 169
l Configuring server up/down checks on page 163

FortiWeb Administration Guide Fortinet Technologies Inc.

192

Example: HTTP routing with full URL & host name rewriting

In some cases, HTTP header-based routing is not enough. It must be, or should be, combined with request or response
rewriting.
Example.com hosts calendar, inventory, and customer relations management web applications separately: one app per
specialized server. Each web application resides in its web server’s root folder ( / ). Each back-end web server is named
after the only web application that it hosts:
l calendar.example.com/
l inventory.example.com/
l crm.example.com/
Therefore each request must be routed to a specific back-end web server. Requests for the calendar application
forwarded to crm.example.com, for example, would result in an HTTP 404 error code.

These back-end DNS names are publicly resolvable. However, for legacy reasons, clients may request pages as if all
apps were hosted on a single domain, www.example.com:
l www.example.com/calendar
l www.example.com/inventory
l www.example.com/crm
Because the URLs requested by clients (prefixed by /calendar etc.) do not actually exist on the back-end servers,
HTTP header-based routing is not enough. Alone, HTTP header-based routing with these older location structures
would also result in HTTP 404 error codes, as if the clients’ requests were effectively for:
l calendar.example.com/calendar
l inventory.example.com/inventory
l crm.example.com/crm
To compensate for the new structure on the back end, request URLs must be rewritten: FortiWeb removes the
application name prefix in the URL.

URL and host name transformation to match HTTP routing

For performance reasons, FortiWeb also rewrites the Host: field. All subsequent requests from the client use the
correct host and URL and do not require any modification or HTTP-based routing. Otherwise, FortiWeb would need to
rewrite every subsequent request in the session, and analyze the HTTP headers for routing every subsequent request
in the session.

See also

l Routing based on HTTP content on page 180

l Rewriting & redirecting on page 628
l Creating a server pool on page 169

FortiWeb Administration Guide Fortinet Technologies Inc.

193

Defining your proxies, clients, & X-headers

In some topologies, you must configure FortiWeb’s use of X-headers such as X-Forwarded-For:, X-Real-IP:, or
True-Client-IP:, including when:
l FortiWeb has been deployed behind a proxy/load balancer which applies NAT. Connection-wise, this
causes all requests appear to come from the IP address of the proxy or load balancer, not the original client.
FortiWeb requires the true client’s source IP so that when blocking attacks, it does not block the
proxy/load balancer’s IP, affecting innocent requests. FortiWeb also requires some way to derive the original
client’s IP so that attack logs and reports to show the IP of the actual attacker, rather than misleadingly blaming the
load balancer.
l The web server needs the client’s source IP address for purposes such as analytics, but FortiWeb is
operating in Reverse Proxy mode, which applies NAT, and therefore all requests appear to come from FortiWeb’s
IP address.
Due to source NAT (SNAT), a packet’s source address in its IP layer may have been changed, and therefore the original
address of the client may not be directly visible to FortiWeb and/or its protected web servers. During a packet’s transit
from the client to the web server, it could be changed several times: web proxies, load balancers, routers, and firewalls
can all apply NAT.
Depending on whether the NAT devices are HTTP-aware, the NAT device can record the packet’s original source IP
address in the HTTP headers. HTTP X-headers such as X-Real-IP: can be used by FortiWeb instead to trace the
original source IP (and each source IP address along the path) in request packets. They may also be used by back-end
web servers for client analysis.

Affects of source NAT at the IP and HTTP layers of request packets when in-between devices are HTTP-
aware

SRC 10.0.0.1 Source NAT

X-Forwarded-For:
192.168.1.20 SRC 172.16.1.1
X-Forwarded-For:
192.168.1.20,
Web 10.0.0.1
Proxy FortiWeb
(NAT) (Reverse
Proxy)
SRC 192.168.1.20

Client Server

FortiWeb Administration Guide Fortinet Technologies Inc.

194

Indicating the original client’s IP to back-end web servers

Some web applications need to know the IP address of the client where the request originated in order to log or analyze
it.
For example, if your web applications need to display different available products for clients in Canada instead of the
United States, your web applications may need to analyze the original client’s IP for a corresponding geographic
location.
In that case, you would enable FortiWeb to add or append to an X-Forwarded-For: or X-Real-IP: header.
Otherwise, from the web server’s perspective, all IP sessions appear to be coming from FortiWeb—not from the
original requester. The back-end web server would not be able to guess what the original client’s public IP was, and
therefore would not be able to analyze it. When these options are enabled, the web server can instead use this HTTP-
layer header to find the public source IP and path of the IP-layer session from the original client.

To configure FortiWeb to add the packet’s source IP to X-Forwarded-For: and/or X-Real-IP:

1. Go to Server Objects > X-Forwarded-For.
2. Configure these settings:

Add X-Forwarded-For: Enable to include the X-Forwarded-For: HTTP header in requests

forwarded to your web servers.
If the HTTP client or web proxy does not provide the header, FortiWeb adds it,
using the source IP address of the connection.
If the HTTP client or web proxy already provides the header, it appends the
source IP address to the header's list of IP addresses.
This option can be useful if your web servers log or analyze clients’ public IP
addresses, if they support the X-Forwarded-For: header. If they do not,
disable this option to improve performance.
This option applies only when FortiWeb is operating in Reverse Proxy mode or
True Transparent Proxy mode, which applies source network address
translation (NAT) and therefore rewrites the source address in the IP layer.

Add Source Port: Enable to add an X-Forwarded-For: header with the connection's
source IP. If this field is enabled, the source port of the request will be added
as well.
Available only when FortiWeb operates in Reverse Proxy, True Transparent
Proxy, or WCCP mode.

Add X-Forwarded-Port: Enable to add an X-Forwarded-Port: header with the connection's

destination port.
Available only when FortiWeb operates in Reverse Proxy, True Transparent
Proxy, or WCCP mode.

FortiWeb Administration Guide Fortinet Technologies Inc.

195

Add X-Real-IP: Enable to include the X-Real-IP: HTTP header on requests forwarded to
your web servers. Behavior varies by the header already provided by the HTTP
client or web proxy, if any (see Add X-Forwarded-For: on page 194).
Like X-Forwarded-For:, this header is also used by some proxies and
web servers to trace the path, log, or analyze based upon the packet’s original
source IP address.
This option applies only when FortiWeb is operating in Reverse Proxy mode or
True Transparent Proxy mode, which applies source network address
translation (NAT) and therefore rewrites the source address in the IP layer.
Note: This does not support IPv6.

3. Click OK.
4. To apply the X-header rule, select it when configuring an inline protection profile. For details, see Configuring a
protection profile for inline topologies on page 223.

See also

l External load balancers: before or after? on page 67

Indicating to back-end web servers that the client’s request was HTTPS

Usually if your FortiWeb is receiving HTTPS requests from clients, and it is operating in Reverse Proxy mode, SSL/TLS
is being offloaded. FortiWeb has terminated the SSL/TLS connection and the second segment of the request, where it
forwards to the back-end servers, is clear text HTTP. In some cases, your back-end server may need to know that the
original request was, in fact, encrypted HTTPS, not HTTP.
To add an HTTP header that indicates the service used in the client’s original request, go to Server Objects > X-
Forwarded-For and enable X-Forwarded-Proto:.

See also

l Forcing clients to use HTTPS on page 409

Blocking the attacker’s IP, not your load balancer

When you configure Use X-Header to Identify Original Client’s IP on page 196, FortiWeb compensates for NAT in your
data center by using an HTTP header to derive the client’s IP address. In this way, even if the connection is not
established directly between the web browser and FortiWeb, but instead is relayed, with the last segment established
between your proxy/load balancer’s IP and FortiWeb, FortiWeb will still be able to report and block the actual attacker,
rather than your own infrastructure.
Only public IPs will be used. If the original client’s IP is a private network IP (e.g. 192.168.*, 172.16.*, 10.*),
FortiWeb will instead use the first public IP before or after the original client’s IP in the HTTP header line. Whether this
is counted from the left or right end of the header line depends on IP Location in X-Header on page 196. In most cases,
this public IP will be the client’s Internet gateway, and therefore blocking based on this IP may affect innocent clients
that share the attacker’s Internet connection. For details, seeShared IP on page 678.
To limit the performance impact, FortiWeb will analyze the HTTP header for the client’s IP only for the first request in
the TCP/IP connection. As a result, it is not suitable for use behind load balancers that multiplex—that is,
attempt to reduce total simultaneous TCP/IP connections by sending multiple, unrelated HTTP requests from different

FortiWeb Administration Guide Fortinet Technologies Inc.

196

clients within the same TCP/IP connection. Symptoms of this misconfiguration include FortiWeb mistakenly attributing
subsequent requests within the same TCP/IP connection to the IP found in the first request’s HTTP header, even
though the X-header indicates that the request originated from a different client.
After FortiWeb has traced the original source IP of the client, FortiWeb will use it in attack logs and reports so that they
reflect the true origin of the attack, not your load balancer or proxy. FortiWeb will also use the original source IP as the
basis for blocking when using some features that operate on the source IP:
l DoS prevention
l brute force login prevention
l period block

Like addresses at the IP layer, attackers can spoof and alter addresses in the HTTP
layer. Do not assume that they are 100% accurate, unless there are anti-spoofing
measures in place such as defining trusted providers of X-headers.

For example, on FortiWeb, if you provide the IP address of the proxy or load balancer, when blocking requests and
writing attack log messages or building reports, instead of using the SRC field in the IP layer of traffic as the client’s IP
address (which would cause all attacks to appear to originate from the load balancer), FortiWeb can instead find the
client’s real IP address in the X-Forwarded-For: HTTP header. FortiWeb could also add its own IP address to the
chain in X-Forwarded-For:, helping back-end web servers that require the original client’s source IP for purposes
such as server-side analytics—providing news in the client’s first language or ads relevant to their city, for example.
Like IP-layer NAT, some networks also translate addresses at the HTTP layer. In those cases, enabling Use X-Header to
Identify Original Client’s IP may have no effect. To determine the name of your network’s X-headers, if any, and to see
whether or not they are translated, use diagnose network sniffer in the CLI or external packet capture software
such as Wireshark.

To configure FortiWeb to obtain the packet’s original source IP address from an HTTP header

1. Go to Server Objects > X-Forwarded-For.
2. Configure these settings:

Use X-Header to Identify If FortiWeb is deployed behind a device that applies NAT, enable this option
Original Client’s IP to derive the original client’s source IP address from an HTTP X-header,
instead of the SRC field in the IP layer. Then type the key such as X-
Forwarded-For or X-Real-IP, without the colon ( : ), of the X-header
that contains the original source IP address of the client.
This HTTP header is often X-Forwarded-For: when traveling through a
web proxy, but can vary. For example, the Akamai service uses True-
Client-IP:.
For deployment guidelines and mechanism details, see Blocking the
attacker’s IP, not your load balancer on page 195.
Caution: To combat forgery, configure the IP addresses of load balancers
and proxies that are trusted providers of this header. Also configure those
proxies/load balancers to reject fraudulent headers, rather than passing them
to FortiWeb.

IP Location in X-Header Select whether to extract the original client’s IP from either the left or right end
of the HTTP X-header line.

FortiWeb Administration Guide Fortinet Technologies Inc.

197

Most proxies put the request’s origin at the left end, which is the default
setting. Some proxies, however, place it on the right end.

Block Using Original Enable to be able to block requests that violate your policies by using the
Client’s IP original client’s IP derived from this HTTP X-header.
When disabled, attack logs and reports will not use the original client’s IP.

3. Click OK to save the configuration.

To apply anti-spoofing measures and improve security, FortiWeb will only trust the HTTP header contents of the
IPs that you specified in Trusted X-Header Sources table.

The following configuration is optional. If you do not specify IPs in Trusted X-

Header Sources table, X-headers of all IPs will be trusted by FortiWeb.

4. Click Create New.

A sub-dialog appears.

5. In New X-Forwarded-For IP, type the IP address of the external proxy or load balancer according to packets’ SRC
field in the IP layer when received by FortiWeb.
6. Click OK.
7. To apply the X-header rule, select it when configuring an inline protection profile. For details, see Configuring a
protection profile for inline topologies on page 223.

See also

l External load balancers: before or after? on page 67

l IPv6 support on page 33
l Logging on page 698
l Alert email on page 724
l SNMP traps & queries on page 727
l Reports on page 732
l DoS prevention on page 612

FortiWeb Administration Guide Fortinet Technologies Inc.

198

Defining your network services

Network services define the application layer protocols and port number on which your FortiWeb will listen for web
traffic.
Policies must specify either a predefined or custom network service to define which traffic the policy will match.
Exceptions include server policies whose Deployment Mode on page 244 is Offline Protection.

See also

l Defining custom services on page 198

l Predefined services on page 198

Defining custom services

Server Objects > Service > Custom enables you to configure custom services.

Predefined services are available for standard IANA port numbers (https://www.iana.org/assignments/service-names-
port-numbers/service-names-port-numbers.xml) for HTTP and HTTPS. For details, see Predefined services on page
198. If your virtual server will receive traffic on non-standard port numbers, however, you must define your custom
service.

To configure a custom service

1. Go to Server Objects > Service and select the Custom tab.

See also

l Predefined services on page 198

l Configuring an HTTP server policy on page 242

Predefined services

Go to Server Objects > Service. The Predefined tab displays the list of predefined services.
Predefined services are according to standard IANA port numbers (https://www.iana.org/assignments/service-names-
port-numbers/service-names-port-numbers.xml): TCP port 80 for HTTP and TCP port 443 for HTTPS.

FortiWeb Administration Guide Fortinet Technologies Inc.

199

To use the predefined service definition to define the listening port of a virtual server on the FortiWeb, select it as the
HTTP Service on page 246 or HTTPS Service on page 247 when configuring a policy. For details, see Configuring an
HTTP server policy on page 242.
To access this part of the web UI, your administrator’s account access profile must have Read permission to items in
the Server Policy Configuration category. For details, see Permissions on page 56.

See also

l Defining your network services on page 198

l Configuring an HTTP server policy on page 242

Configuring virtual servers on your FortiWeb

Before you can create a server policy, you must first configure a virtual server that defines the network interface or
bridge and IP address where traffic destined for a server pool arrives. When the FortiWeb appliance receives traffic
destined for a virtual server, it can then forward the traffic to a single web server (for Single Server server pools) or
distribute sessions/connections among servers in a server pool.

A virtual server on your FortiWeb is not the same as a virtual host on your web
server. A virtual server is more similar to a virtual IP on a FortiGate. It is not an
actual server, but simply defines the listening network interface. Unlike a FortiGate
VIP, it includes a specialized proxy that only picks up HTTP and HTTPS.
By default, in Reverse Proxy mode, FortiWeb’s virtual servers do not forward non-
HTTP/HTTPS traffic from virtual servers to your protected web servers. (It only
forwards traffic picked up and allowed by the HTTP Reverse Proxy.) You may be
able to provide connectivity by either deploying in a one-arm topology where other
protocols bypass FortiWeb, or by enabling FortiWeb to route other protocols. For
details, see Topology for Reverse Proxy mode on page 74 and the config
router setting command in the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/

The FortiWeb appliance identifies traffic as being destined for a specific virtual server if:
l the traffic arrives on the network interface or bridge associated with the virtual server
l for Reverse Proxy mode, the destination address is the IP address of a virtual server (the destination IP address is
ignored in other operation modes, except that it must not be identical to the web server’s IP address)

Virtual servers can be on the same subnet as real web servers. This configuration
creates a one-arm HTTP proxy. For example, the virtual server 10.0.0.1/24 could
forward to the web server 10.0.0.2.
However, this is not usually recommended. Unless your network’s routing
configuration prevents it, it would allow clients that are aware of the web server’s IP
address to bypass the FortiWeb appliance by accessing the back-end web server
directly. The topology may be required in some cases, however, such as IP-based
forwarding, mentioned above.

FortiWeb Administration Guide Fortinet Technologies Inc.

200

To configure a virtual server

1. Go to Server Objects > Server > Virtual Server.

To access this part of the web UI, your administrator’s account access profile must have Read and Write
permission to items in the Server Policy Configuration category. For details, see Permissions on page 56.
2. Click Create New.
3. Enter a name for the virtual server.
4. Click OK.
5. Click Create New.
6. Configure these settings:

Name Enter a unique name that can be referenced by other parts of the
configuration. The maximum length is 63 characters.

Use Interface IP Select to use the IP address of the specified network interface as the address
of the virtual server.

Interface Available only if Use Interface IP is enabled.

Select the network interface or bridge the virtual server is bound to and where
traffic destined for the virtual server arrives.
To configure an interface or bridge, see To configure a network interface or
bridge on page 124.

Virtual IP Available only if Use Interface IP is disabled.

Select the virtual IP which you wan to attach to this virtual server.

Status If enabled, FortiWeb will accept traffic destined for this virtual IP or interface.

7. Click OK.
8. Repeat step 5 to 7 if you want to attach more virtual IPs or bind more interfaces to this virtual server. When you
create server policy and then reference this virtual server in it, the web protection profile will be applied to all the
virtual IPs and interfaces in this virtual server.
9. To define the listening port of the virtual server, create a custom service. For details, see Defining your network
services on page 198.
10. To use the virtual server, select both it and the custom service in a server policy. For details, see Configuring an
HTTP server policy on page 242.

See also

l IPv6 support on page 33

l Configuring a bridge (V-zone) on page 133

Enabling or disabling traffic forwarding to your servers

The server pool configuration allows you to individually enable and disable FortiWeb’s forwarding of HTTP/HTTPS
traffic to your web servers, or place them in maintenance mode.

FortiWeb Administration Guide Fortinet Technologies Inc.

201

Disabling servers only affects HTTP/HTTPS traffic. To enable or disable forwarding

of FTP, SSH, or other traffic, use the CLI command config router setting.
For details, see the FortiWeb CLI Reference:
https://docs.fortinet.com/document/fortiweb/

You can select server pools with disabled virtual servers in a server policy even though the policy cannot forward traffic
to the disabled servers.
Disabled physical and domain servers can belong to a server pool, but FortiWeb does not forward traffic to them. If a
server in a pool is disabled, FortiWeb will transfer any remaining HTTP transactions in the TCP stream to an active
physical server in the server pool according to the pool's load balancing algorithm. For details, see Load Balancing
Algorithm on page 170.
By default, physical and domain servers that belong to a pool are enabled and the FortiWeb appliance can forward
traffic to them. To prevent traffic from being forwarded to a physical server, such as when the server is unavailable for a
long time due to repairs, you can disable it. If the disabled physical server is a member of a Server Balance server
pool, the FortiWeb appliance automatically forwards connections to other enabled pool members.
Alternatively, if the physical or domain server is a member of a Server Balance server pool and will be unavailable only
temporarily, you can configure a server health check to automatically prevent the FortiWeb appliance from forwarding
traffic to that physical server when it is unresponsive. For details, see Configuring server up/down checks on page 163.

Disabling a physical or domain server could block traffic matching policies in which
you have selected the server pool of which the physical server is a member.

See also

l Configuring virtual servers on your FortiWeb on page 199

l Creating a server pool on page 169
l Enabling or disabling a policy on page 256

Configuring FortiWeb to receive traffic via WCCP

You can configure FortiWeb as a Web Cache Communication Protocol (WCCP) client. This configuration allows a
FortiGate configured as a WCCP server to redirect HTTP and HTTPS traffic to FortiWeb for inspection.
If your WCCP configuration includes multiple WCCP clients, the WCCP server can balance the traffic load among the
clients. In addition, it detects when a client fails and redirects sessions to clients that are still available.
WCCP was originally designed to provide web caching with load balancing and fault tolerance and is described by the
Web Cache Communication Protocol Internet draft (http://tools.ietf.org/id/draft-wilson-wrec-wccp-v2-01.txt).
This feature requires the operation mode to be WCCP. For details, see Setting the operation mode on page 105.
For details about connecting and configuring your network devices for WCCP mode, see Topology for WCCP mode on
page 80.
For detailed information on configuring FortiGate and other Fortinet devices to act as a WCCP service group, see the
FortiGate WCCP topic in the FortiOS Handbook:

FortiWeb Administration Guide Fortinet Technologies Inc.

202

http://docs.fortinet.com/fortigate

Configuring the FortiWeb WCCP client settings

To configure FortiWeb as a WCCP client

1. Ensure the operation mode is WCCP. For details, see Setting the operation mode on page 105.
2. Configure the network interface that communicates with the FortiGate (the WCCP server) to use the WCCP
Protocol. For details, see Configuring the network settings on page 124.
3. Go to System > Config > WCCP Client.
4. Click Create New.
5. Configure these settings:

Service ID Specifies the service ID of the WCCP service group that this WCCP client
belongs to.

For HTTP traffic, the service ID is 0.

For other types of traffic (for example, HTTPS), the valid range is 51 to 256.
(Do not use 1 to 50, which are reserved by the WCCP standard.)

Cache ID Specifies the IP address of the FortiWeb interface that communicates with the
WCCP server.

Ensure that the WCCP protocol is enabled for the specified network interface.
See Configuring the network settings on page 124.

Group Address Specifies the IP addresses of the clients for multicast WCCP configurations.
The multicast address allows you to configure a WCCP service group with
more than 8 WCCP clients.

The valid range of multicast addresses is 224.0.0.0 to 239.256.256.256.

Router List Specifies the IP addresses of the WCCP servers in the WCCP service group.
You can specify up to 8 servers.

Click + (plus sign) to add additional addresses.

To configure more than 8 WCCP servers, use Group Address on page 202
instead.

Port Specifies the port numbers of the sessions that this client inspects.

The valid range is 0 to 65535. Enter 0 to specify all ports.

Authentication Specifies whether communication between the WCCP server and client is
encrypted using the MD5 cryptographic hash function.

Password Specifies the password used by the WCCP server and clients. All servers and
clients in the group use the same password.

FortiWeb Administration Guide Fortinet Technologies Inc.

203

The maximum password length is 8 characters.

Available only when Authentication on page 202 is enabled.

Service Priority Specifies the priority that this service group has. If more than one service
group is available to scan the traffic specified by Port on page 202 and Service
Protocol on page 203, the WCCP server transmits all the traffic to the service
group with the highest Service Priority value.

Service Protocol Specifies the protocol of the network traffic the WCCP service group
transmits.

For TCP sessions the protocol is 6.

Cache Engine Method Specify how the WCCP server redirects traffic to FortiWeb.
l GRE—The WCCP server encapsulates redirected packets within a
generic routing encapsulation (GRE) header. The packets also have a
WCCP redirect header.
l L2—The WCCP server overwrites the original MAC header of the IP
packets and replaces it with the MAC header for the WCCP client.

Primary Hash Specifies that hashing scheme that the WCCP server uses in combination
with the Weight on page 203 value to direct traffic, when the WCCP service
group has more than one WCCP client.

The hashing scheme can be the source IP address, destination IP address,

source port, or destination port, or a combination of these values.

Weight Specifies a value that the WCCP server uses in combination with the Primary
Hash on page 203 value to direct traffic, when the WCCP service group has
more than one WCCP client.

The valid range is 0 to 256.

Bucket Format Specifies the hash table bucket format for the WCCP cache engine.

Although you can set different values for settings such as Service Priority and
Primary Hash for each WCCP client in a service group, the settings in the
WCCP client with the lowest Cache ID value have priority.

For example, if a WCCP service group has two WCCP clients with cache IDs
172.22.80.99 and 172.22.80.100, the group uses the WCCP client settings for
172.22.80.99.

6. Click OK.
7. Optionally, use the following CLI command to route traffic back to the client instead of the WCCP server. You
cannot enable this feature using the web UI.
config system wccp
edit <service-id>
set return-to-sender enable
next
end

FortiWeb Administration Guide Fortinet Technologies Inc.

204

8. Create a WCCP server pool. See Creating a server pool on page 169.
9. Create a server policy in which the Deployment Mode is WCCP Servers and the selected server pool is the
WCCP pool you created earlier.

Viewing WCCP protocol information

You can use a FortiGate CLI command to display WCCP information. For example:
diagnose debug enable
diagnose debug application wccp 2

In this example, the debug level is 2.

Example output:

--------------------WCCP Service ID 52-------------------------

WCCP_server_list: 1 WCCP server in total
0. 172.22.80.1
receive_id:13290 change_number:7
WCCP client seen by this WCCP Server:
0. 172.22.80.99 weight:0 (*Designated WCCP Client)
1. 172.22.80.100 weight:0
WCCP service options:
priority: 0
protocol: 6
port: 80, 443
primary-hash: src-ip, dst-ip

Example: Using WCCP with FortiOS 5.2.x

This configuration uses WCCP in a one-arm topology and WCCP to route HTTP and HTTP traffic to a FortiWeb for
scanning before forwarding permitted traffic to the back-end servers.

FortiWeb Administration Guide Fortinet Technologies Inc.

205

192.168.1.5/24
Web Web
Server 2 Server 1
Client 192.168.1.4/24
port2
192.168.1.1/24
port1
Switch
non-HTTP

port3 FortiGate
172.22.80.1/24
HTTP
and
HTTPS

Scanned
HTTP and
HTTPS
port3
172.22.80.100/24
FortiWeb

The following command sets the IP address and enables WCCP for port3 on the firewall running FortiOS 5.2.x:
config system interface
edit "port3"
set ip 172.22.80.1 256.256.256.0
set wccp enable
next
end

On the firewall, the following command specifies a WCCP service group using a service group ID (52), the firewall
interface that supports WCCP (172.22.80.1), and the interface the FortiWeb uses for WCCP communication
(172.22.80.100).
config system wccp
edit "52"
set router-id 172.22.80.1
set server-list 172.22.80.100 256.256.256.0
next
end

The following firewall policies specify the traffic that FortiGate routes to the FortiWeb for scanning:

FortiWeb Administration Guide Fortinet Technologies Inc.

206

l A port1 to port2 policy that accepts HTTP and HTTPS traffic and for which WCCP is enabled.
l A port1 to port2 policy that accepts HTTP and HTTPS traffic and for which WCCP is not enabled. This policy
maintains traffic flow when the WCCP client is not available (for example, if FortiWeb is rebooting).
l A port3 to port2 policy that accepts scanned HTTP and HTTPS traffic from the FortiWeb.
config firewall policy

edit 1
set srcintf "Port1"
set dstintf "Port2"
set srcaddr "all"
set dstaddr "192.168.1.4" "192.168.1.5"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set wccp enable
next

edit 2
set srcintf "Port1"
set dstintf "Port2"
set srcaddr "all"
set dstaddr "192.168.1.4" "192.168.1.5"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
next

edit 3
set srcintf "Port3"
set dstintf "Port2"
set srcaddr "all"
set dstaddr "192.168.1.4" "192.168.1.5"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
next
end

WCCP is enabled for the interface that connects FortiWeb to the firewall.
The WCCP client configuration on FortiWeb adds it to the WCCP service group 52, specifies the interface used for
WCCP client functionality (172.22.80.100) and the WCCP server (172.22.80.1).

The destination servers are members of a WCCP server pool. This pool is selected in the WCCP Servers server policy
that FortiWeb applies to the traffic it receives from the firewall via WCCP.

Example: Using WCCP with FortiOS 5.4

You can use the commands and settings described in Example: Using WCCP with FortiOS 5.2.x on page 204 to create
that same configuration with a firewall running FortiOS 5.4.
However, FortiOS 5.4 also allows you to configure WCCP communication with FortiWeb using its External Security
Devices settings. This example creates the same environment as Example: Using WCCP with FortiOS 5.2.x on page
204.

FortiWeb Administration Guide Fortinet Technologies Inc.

207

FortiGate configuration:
l WCCP is enabled for port3 on the firewall running FortiOS 5.4 (172.22.80.1).
l In System > External Security Devices, HTTP Service is enabled. For FortiWeb IPs, the FortiWeb acting as
a WCCP client is specified.
l The service ID is 51. This is the only service ID that the firewall can use for WCCP clients configured using the web
UI.
l In the Security Profiles > Web Application Firewall settings, for Inspection Device, select External.
l In the Policy & Objects > IPv4 Policy settings, configure a policy for which Web Application Firewall is enabled.
l A second policy for which Web Application Firewall is not enabled to maintain traffic flow when the WCCP client
is not available
l A third policy accepts scanned HTTP and HTTPS traffic from the FortiWeb.
FortiWeb configuration:
Configuration is the same as Example: Using WCCP with FortiOS 5.2.x on page 204, except the service ID value is 51.
This is the only service ID value you can use when you configure WCCP communication using the FortiOS 5.4 External
Security Devices settings.

Example: Using WCCP with multiple FortiWeb appliances

You can use WCCP to create a high availability cluster in which both appliances are active (active-active). You
synchronize the cluster members using FortiWeb's configuration synchronization feature so that each cluster member is
ready to act as backup if the other appliance is not available. The WCCP server provides load balancing between the HA
pair and redirects all traffic to one cluster member if the other member is unavailable.

FortiWeb Administration Guide Fortinet Technologies Inc.

208

192.168.1.5/24
Web Web
Server 2 Server 1
Clie
Cl
Client
ient
ie nt 192.168.1.4/24
port2
192.168.1.1/24
port1
Switch
non-HTTP
FortiGate
port3
172.22.80.1/24
HTTP
and
HTTPS

Scanned
HTTP and
HTTPS

FortiWeb A port3 FortiWeb B

172.22.80.100/24

port3
172.22.80.99/24

To create this configuration, you first configure FortiWeb A and use the configuration synchronization feature to "push"
the configuration to FortiWeb B. (See Replicating the configuration without FortiWeb HA (external HA) on page 119.)
You then complete the configuration for FortiWeb B. The Config-Synchronization feature does not synchronize the
following configuration when the operating mode is WCCP:
l System > Network > Interface
l System > Network > Static Route
l System > Network > Policy Route
l System > Config > WCCP Client
l Administrator accounts
l Access profiles
l HA settings
For detailed configuration settings for each FortiWeb, see Example: Using WCCP with FortiOS 5.2.x on page 204.
You can link the FortiGate and FortiWeb appliances in this topology without using a switch. Instead, you can link the
FortiWeb appliances to FortiGate directly and use the following commands to create a switch on the firewall:
config system interface
edit "port3"
set vdom "root"
set vlanforward enable
set type physical

FortiWeb Administration Guide Fortinet Technologies Inc.

209

set alias "FWB-A"

next
edit "port4"
set vdom "root"
set vlanforward enable
set type physical
set alias "FWB-B"
next
edit "WCCP_Server"
set vdom "root"
set ip 172.22.80.1 256.256.256.0
set allowaccess ping
set type switch
set wccp enable
next
end

Example: Using WCCP with a Cisco router

You can use FortiWeb's WCCP feature to integrate it with third-party devices that support the WCCP protocol.
In this example, a router running Cisco IOS routes HTTP and HTTPS traffic destined for the back-end servers to a
FortiWeb for scanning.

192.168.1.5/24
Web Web
Server 2 Server 1
Client 192.168.1.4/24

GigabitEthernet2
GigabitEthernet1 192.168.1.1/24
Switch
non-HTTP
Cisco Router
GigabitEthernet3
172.22.80.1/24
HTTP
and
HTTPS Scanned
HTTP and
HTTPS
port3
172.22.80.100/24

FortiWeb

You create the WCCP server configuration using a series of Cisco IOS commands.

FortiWeb Administration Guide Fortinet Technologies Inc.

210

Because the WCCP configuration is standardized, FortiWeb can work interchangeably with different WCCP servers s
long as they have the same WCCP configuration. Thus, theFortiWeb WCCP client configuration mostly the same as the
one described in Example: Using WCCP with FortiOS 5.2.x on page 204.

Ciso IOS command examples

Specify WCCP version 2:

Router# config terminal
Router(config)# ip wccp version 2

Add the FortiWeb to the list of WCCP clients:

Router(config)# ip access-list extended wccp_client
Router (config-ext-nacl) # permit ip host 172.22.80.100 any
Router (config-ext-nacl) # exit

Configure a WCCP access list that routes HTTP and HTTPS requests for the subnet used by the back-end servers to
FortiWeb:
Router(config)# ip access-list extended wccp_acl
Router (config-ext-nacl) # permit tcp any 192.168.1.0 0.0.0.256 eq www 443
Router (config-ext-nacl) # exit

Configure a service group that registers the router to the FortiWeb:

Router(config)# ip wccp source-interface GigabitEthernet3
Router(config)# ip wccp 52 redirect-list wccp_acl group-list wccp_client password 0 fortinet

Alternatively, you can register the router to a multicast address:

Router(config)# ip wccp source-interface GigabitEthernet3
Router(config)# ip wccp 52 group-address 239.0.0.0 redirect-list wccp_acl password 0 123456

Enable packet redirection on the inbound interface using WCCP:

Router(config)# interface GigabitEthernet1
Router(config)# ip wccp 52 redirect in

Enable packet redirection on the outbound interface using WCCP:

Router(config)# interface GigabitEthernet2
Router(config)# ip wccp 52 redirect out

If the service group uses a multicast address, register the router to the multicast address you specified earlier
(239.0.0.0):
Router(config)# ip multicast-routing distributed
Router(config)# interface GigabitEthernet3
Router(config)# ip wccp 52 group-listen
Router(config)# ip pim sparse-dense-mode

When the configuration is complete, check WCCP status:

Router#show ip wccp <service_id> detail
Router#debug ip wccp events

FortiWeb Administration Guide Fortinet Technologies Inc.

211

Router#debug ip wccp packets

FortiWeb WCCP configuration

The System > Config > WCCP Clientconfiguration for this example is different from the one described in Example:
Using WCCP with FortiOS 5.2.x on page 204 in the following two ways:
l If the service group uses a multicast address, you specify a value for Group Address instead of for Router List.
l You enable Authentication and specify a password.
Otherwise, network interface, WCCP client and server pool and policy configuration is the same as the one found in
Example: Using WCCP with FortiOS 5.2.x on page 204.

Configuring basic policies

As the last step in the setup sequence, you must configure at least one policy.
Until you configure a policy, by default, FortiWeb will:
l while in Reverse Proxy mode, deny all traffic (positive security model)
l while in other operation modes, allow all traffic (negative security model)
Once traffic matches a policy, protection profile rules are applied using a negative security model—that is, traffic that
matches a policy is allowed unless it is flagged as disallowed by any of the enabled scans.
Keep in mind:
l Change policy settings with care. Changes take effect immediately after you click OK.
l When you change any server policy, you should retest it.
l FortiWeb appliances apply policies, rules, and scans in a specific order. This decides each outcome. Review the
logic of your server policies to make sure they deliver the web protection and features you expect. For details, see
Sequence of scans on page 25.
This section contains examples to get you started:
l Example 1: Configuring a policy for HTTP on page 211
l Example 2: Configuring a policy for HTTPS on page 212
l Example 3: Configuring a policy for load balancing on page 212
Once completed, continue with Testing your installation on page 213.

Example 1: Configuring a policy for HTTP

In the simplest scenario, if you want to protect a single, and basic HTTP web server, and FortiWeb is operating as a
Reverse Proxy, configure the policy as follows:

To generate profiles and apply them in a policy

1. Create a virtual server on the FortiWeb appliance (Server Objects > Server > Virtual Server). When used by a
policy, it receives traffic from clients.

FortiWeb Administration Guide Fortinet Technologies Inc.

212

2. Define your web server within a Single Server server pool using its IP address or domain name
(Server Objects > Server > Server Pool). When used by a policy, a server pool defines the IP address of the
web server that FortiWeb forwards accepted client traffic to.
3. Create a new policy (Policy > Server Policy).
l In Name, type a unique name for the policy.
l In Virtual Server on page 244 or Data Capture Port on page 244, select your virtual server.
If a policy uses any virtual server with IPv6 addresses, FortiWeb does not apply features in the policy that do
not yet support IPv6, even if you include them in the policy.
l In HTTP Service on page 246, select the predefined HTTP service.
l In Server Pool on page 245, select your server pool.
Traffic should now pass through the FortiWeb appliance to your server. If it does not, see Troubleshooting on page
808.
4. From Web Protection Profile on page 252select one of the predefined inline protection profiles.

Example 2: Configuring a policy for HTTPS

If you want to protect a single HTTPS web server, and the FortiWeb appliance is operating in Reverse Proxy mode,
configuration is similar to Example 1: Configuring a policy for HTTP on page 211. Optionally, you can configure a server
policy that includes both an HTTP service and an HTTPS service.
To be able to scan secure traffic, however, you must also configure FortiWeb to decrypt it, and therefore must provide it
with the server’s certificate and private key.

To configure an HTTPS policy

1. Upload a copy of the web server’s certificate (System > Certificates > Local).

2. Configure a policy and profiles according to Example 1: Configuring a policy for HTTP on page 211.
3. Modify the server policy (Policy > Server Policy).
l In HTTPS Service on page 247, select the predefined HTTPS service.
l In Certificate on page 247, select your web server’s certificate. Also select, if applicable, Configuring an
HTTP server policy on page 242 and Certificate Intermediate Group on page 248.
Traffic should now pass through the FortiWeb appliance to your server. If it does not, see Troubleshooting on page 808.

Example 3: Configuring a policy for load balancing

If you want to protect multiple web servers, configuration is similar to Example 1: Configuring a policy for HTTP on page
211.
To distribute load among multiple servers, however, instead of specifying a single physical server in the server pool, you
specify a group of servers (server farm or server pool).

This example assumes a basic network topology. If there is another, external proxy
or load balancer between clients and your FortiWeb, you may need to define it. For
details, see Defining your web servers & load balancers on page 160.
Similarly, if there is a proxy or load balancer between FortiWeb and your web
servers, you may need to configure your server pool for a single web server (the
proxy or load balancer), not a Server Balance pool.

FortiWeb Administration Guide Fortinet Technologies Inc.

213

To configure a load-balancing policy

1. Define multiple web servers by either their IP address or domain name in a Server Balance server pool
(Server Objects > Server > Server Pool). When used by a policy, it tells the FortiWeb appliance how to
distribute incoming web connections to those destination IP addresses. In the server pool configuration, do the
following:
l For Type on page 170, select Round Robin or Weighted Round Robin.
l For Single Server/Server Balance on page 170, select Server Balance.
l Add your physical and/or domain servers.
l If you want to distribute connections proportionately to a server’s capabilities instead of evenly, in each Weight
on page 172, give the numerical weight of the new server when using the weighted round-robin load-balancing
algorithm.
2. Configure a policy and profiles according to Example 1: Configuring a policy for HTTP on page 211.
Traffic should now pass through the FortiWeb appliance and be distributed among your servers. If it does not, see
Troubleshooting on page 808.

Testing your installation

When the configuration is complete, test it by forming connections between legitimate clients and servers at various
points within your network topology.

In Offline Protection mode and Transparent Inspection mode, if your web server
applies SSL and you need to support Google Chrome browsers, you must disable
Diffie-Hellman key exchanges on the web server. These sessions cannot be
inspected.

Examine the HTTP Throughput widget on System > Status > Status. If there is no traffic, you have a problem. For
details, see Connectivity issues on page 839.

FortiWeb Administration Guide Fortinet Technologies Inc.

214

If a connection fails, you can use tools included in the firmware to determine whether the problem is local to the
appliance or elsewhere on the network. Also revisit troubleshooting recommendations included with each feature’s
instructions. For details, see Troubleshooting on page 808.

If you have another FortiWeb appliance, you can use its web vulnerability scanner to
verify that your policies are blocking attacks as you expect. For details, see
Vulnerability scans on page 656.

You may need to refine the configuration. For details, see Expanding the initial configuration on page 215.
Once testing is complete, finish your basic setup with either Switching out of Offline Protection mode on page 215 or
Backups on page 322. Your FortiWeb appliance has many additional protection and maintenance features you can use.
For details, see the other chapters in this guide.

Reducing false positives

If the dashboard indicates that you are getting dozens or hundreds of nearly identical attacks, they may actually be
legitimate requests that were mistakenly identified as attacks (i.e. false positives). Many of the signatures, rules, and
policies that make up protection profiles are based, at least in part, on regular expressions. If your websites’ inputs and
other values are hard for you to predict, the regular expression may match some values incorrectly. If the matches are
not exact, many of your initial alerts may not be real attacks or violations. They will be false positives.
Fix false positives that appear in your attack logs so that you can focus on genuine attacks.
Here are some tips:
l Examine your web protection profile (go to Policy > Web Protection Profile and view the settings in the
applicable offline or inline protection profile). Does it include a signature set that seems to be causing alerts for
valid URLs? If so, disable the signature to reduce false positives.
l If your web protection profile includes a signature set where the Extended Signature Set option is set to Full,
reduce it to Basic to see if that reduces false positives. For details, see "Specifying URLs allowed to initiate
sessions" on page 1.
l If your web protection profile includes HTTP protocol constraints that seem to be causing alerts for legitimate HTTP
requests, create and use exceptions to reduce false positives. For details, see Configuring HTTP protocol
constraint exceptions on page 540.
l Most dialog boxes that accept regular expressions include the >> (test) icon. This opens the Regular Expression
Validator window, where you can fine-tune the expression to eliminate false positives.
l If you use features on the DoS Protection menu to guard against denial-of-service attacks, you could have false
positives if you set the thresholds too low. Every client that accesses a web application generates many sessions as
part of the normal process. Try adjusting some thresholds higher.
l To learn more about the behavior of regular expressions that generate alerts, enable the Retain Packet Payload
options in the logging configuration. Packet payloads provide the actual data that triggered the alert, which may
help you to fine tune your regular expressions to reduce false positives. For details, see Enabling log types, packet
payload retention, & resource shortage alerts on page 701 and Viewing log messages on page 718.

Testing for vulnerabilities & exposure

Even if you are not a merchant, hospital, or other agency that is required by law to demonstrate compliance with basic
security diligence to a regulatory body, you still may want to verify your security.

FortiWeb Administration Guide Fortinet Technologies Inc.

215

l Denial of service attacks can tarnish your reputation and jeopardize service income.
l Hacked servers can behave erratically, decreasing uptime.
l Malicious traffic can decrease performance.
l Compromised web servers can be used as a stepping stone for attacks on sensitive database servers.
To verify your configuration, start by running a vulnerability scan. For details, see Vulnerability scans on page 656.
You may also want to schedule a penetration test on a lab environment. Based upon results, you may decide to expand
or harden your FortiWeb’s initial configuration. For details, see Hardening security on page 791.

Expanding the initial configuration

After your FortiWeb appliance has operated for several days without significant problems, it is a good time to adjust
profiles and policies to provide additional protection and to improve performance.
l Begin monitoring the third-party cookies FortiWeb observes in traffic to your web servers. When FortiWeb finds
cookies, an icon is displayed on Policy > Server Policy > Server Policy for each affected server. If cookies are
threats (for example, if they are used for state tracking or database input) consider adding a cookie security policy
to the inline protection profiles for those servers. For details, see Protecting against cookie poisoning and other
cookie-based attacks on page 450.
l Add any missing rules and policies to your protection profiles, such as:
l rewriting policies (see Rewriting & redirecting on page 628)
l denial-of-service protection (see DoS prevention on page 612)
If you began in Offline Protection mode and later transitioned to another operation mode such as Reverse Proxy, new
features may be available that were not supported in the previous operation mode.
l Examine the Attack Event History on System > Status > Status. If you have zero attacks, but you have
reasonable levels of traffic, it may mean the protection profile used by your server policy is incomplete and not
detecting some attack attempts.
l Examine the Attack Log widget under System > Status > Status. If the list includes many identical entries, it
likely indicates false positives. If there are many entries of a different nature, it likely indicates real attacks. If there
are no attack log entries but the Attack Event History shows attacks, it likely means you have not correctly
configured logging. For details, see Configuring logging on page 700.
You can create reports to track trends that may deserve further attention. For details, see Vulnerability scans on page
656, and Reports on page 732.

Switching out of Offline Protection mode

Switch only if you chose Offline Protection mode for evaluation or transition purposes when you first set up your
FortiWeb appliance, and now want to transition to a full deployment.

FortiWeb Administration Guide Fortinet Technologies Inc.

216

To switch the operation mode

1. Back up your configuration. For details, see Backups on page 322.

Back up your system before changing the operation mode. Changing

modes deletes policies not applicable to the new mode, static routes, and V-
zone IP addresses. You may also need to re-cable your network topology to suit
the operation mode.

2. Disconnect all cables from the physical ports except the cable to your management computer.
3. Reconfigure the network interfaces with the IP addresses and routes that they will need in their new topology.
4. Re-cable your network topology to match the new mode. For details, see Planning the network topology on page
66.
5. Change the operation mode. For details, see Setting the operation mode on page 105.
6. Go to System > Network > Route and select Static Route tab. If your static routes were erased, re-create them.
For details, see Adding a gateway on page 142.
7. Go to System > Network > Interface. If your VLAN configurations were removed, re-create them. If you chose
one of the transparent modes, consider creating a v-zone bridge instead of VLANs. For details, see Configuring a
bridge (V-zone) on page 133.
8. Go to Policy > Web Protection Policy and select Inline Protection Profile tab. Create new inline protection
profiles that reference the rules and policies in each of your previous Offline Protection profiles. For details, see
Configuring a protection profile for inline topologies on page 223 and How operation mode affects server policy
behavior on page 217.
9. Go to Policy > Server Policy. Edit your existing server policies to reference the new inline protection profiles
instead of the Offline Protection profiles. For details, see How operation mode affects server policy behavior on
page 217.
10. Watch the monitors on the dashboard to make sure traffic is flowing through your appliance in the new mode.
11. Since there are many possible configuration changes when switching modes, including additional available
protections, don’t forget to retest. Prior testing is no longer applicable.

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 217

Policies

The Policy menu configures policies and protection profiles.

You can configure most protection features and traffic modification at any time. However, FortiWeb does not apply
most features until you include them in a policy that governs traffic (either directly or indirectly, via protection
profiles).

See also

l Supported features in each operation mode on page 71

l Matching topology with operation mode & HA mode on page 74

How operation mode affects server policy behavior

Policy and protection profile behavior and supported features varies by the operation mode. For details, see Supported
features in each operation mode on page 71.
The WCCP operation mode is similar to True Transparent Proxy, except web servers see the FortiWeb network
interface IP address and not the IP address of the client.

Policy behavior by operation mode

Operation mode

Reverse Proxy Offline Protection True Transparent Transparent

Proxy Inspection

Matches by l Service Virtual server’s V-zone (bridge), but V-zone (bridge), but
l Virtual server network interface, not its IP address. not its IP address.
but not its IP
address.

Violations Blocked or Attempts to block Blocked or Attempts to block by

modified, according by mimicking the modified, according mimicking the client
to profile. client or server and to profile. or server and
requesting to reset requesting to reset
the connection; the connection; does
does not modify not modify
otherwise. otherwise.

Profile l Inline l Offline l Inline l Offline

support protection Protection protection Protection
profiles profiles profiles profiles

SSL Certificate used to Certificate used to Certificate used to Certificate used to

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 218

Operation mode

Reverse Proxy Offline Protection True Transparent Transparent

Proxy Inspection

offload SSL from decrypt and scan decrypt and scan decrypt and scan
the servers to only; does not act only; does not act only; does not act as
FortiWeb; can as an SSL origin or as an SSL origin or an SSL origin or
optionally re- terminator. terminator. terminator.
encrypt before
forwarding to the
destination server.

Forwarding l Forwards to a Lets the traffic pass Forwards to a Lets the traffic pass
server pool through to a server server pool member through to a member
member using pool member, but (but allowing to of a server pool, but
the port does not load- pass through, does not load
number where balance. without actively balance.
it listens; redistributing
similar to a connections) using
network the port number
address where it listens.
translation
(NAT) policy on
a general-
purpose
firewall.
l Can route
connections to
a specific
server pool
based on
HTTP content.

The way that FortiWeb determines which policy to apply to a connection varies by operation mode. The appliance
applies only one policy to each connection.
If a TCP connection does not match any of the policies, FortiWeb either refuses the connection (if it is operating in
Reverse Proxy mode) or denies the connection (if it is operating in other operation modes). Even if the TCP connection
has a matching policy and is allowed, subsequently, if the HTTP/HTTPS request is not allowed by the policy’s profiles, it
is considered to be in violation of the policy and the client may be blocked at the application (request) level or connection
level, depending on the Action that you configure.
Policies are not applied while they are disabled. For details, see Enabling or disabling a policy on page 256.

Configuring the global object white list

Go to Server Objects > Global > Global White List, the Predefined Global White List tab displays a predefined

list of common Internet entities, such as:

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 219

l the FortiWeb session cookie named cookiesession1

l Google Analytics cookies such as __utma
l the URL icon /favicon.ico
l AJAX parameters such as __LASTFOCUS

that your FortiWeb appliance can ignore when it enforces your policies. FortiGuard FortiWeb Security Service service
updates the predefined global white list. However, you can also whitelist your own custom URLs, header field, cookies,
and parameters on the Custom Global White List tab in Server Objects > Global > Global White List.
When enabled, white-listed items are not flagged as potential problems. This feature reduces false positives and
improves performance.
To include white list items during policy enforcement, you must first disable them in the global white list.

To disable an item in the predefined global white list

1. Go to Server Objects > Global > Global White List and select the Predefined Global White List tab.
To access this part of the web UI, your administrator’s account access profile must have Read and Write
permission to items in the Server Policy Configuration category. For details, see Permissions on page 56.
2. To see the items that each section contains and to expose those items’ Enable check box, click the plus (+) and
minus (-) icons.
3. In the row of the item that you want to disable, click the switch to off in the Enable column.
4. Click Apply.

To configure a custom global white list

1. Go to Server Objects > Global > Global White List and select the Custom Global White List tab.
To access this part of the web UI, your administrator’s account access profile must have Read and Write
permission to items in the Server Policy Configuration category. For details, see Permissions on page 56.
2. Click Create New.
3. From Type, select the part of the HTTP request where you want to white list an object. Available configuration

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 220

fields vary by the type that you choose.

l If Type is URL:

Request Type Indicate whether the Request URL on page 220 field will contain a literal
URL (Simple String), or a regular expression designed to match multiple
URLs (Regular Expression).

Request URL Depending on your selection in the Request Type on page 220 field, enter
either:
l The literal URL, such as /robots.txt, that the HTTP request must
contain in order to match the rule. The URL must begin with a
backslash ( / ).
l A regular expression, such as ^/*.html, matching all and only the
URLs to which the rule should apply. The pattern does not require a
slash ( / ); however, it must at match URLs that begin with a slash,
such as /index.html.
Do not include the domain name, such as www.example.com.
To create and test a regular expression, click the >> (test) icon. This opens
the Regular Expression Validator window where you can fine-tune the
expression. For details, see Regular expression syntax on page 880.

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 221

l If Type is Parameter:

Name Type Indicate whether the Name on page 221 field will contain a literal
parameter name (Simple String), or a regular expression designed to
match all parameter names (Regular Expression).

Name Enter one of the following:

l The name of the parameter as it appears in the URL or HTTP body if
Name Type on page 221 is Simple String.
For example, if the URL ends with the parameter substring
?userName=rowan, you would type userName.
l A regular expression that matches the name attribute of the
parameter if Name Type on page 221 is Regular Expression.
Note: FortiWeb does not support regular expressions that begin with an
exclamation point ( ! ). For information on language and regular expression
matching, see Regular expression syntax on page 880.

Request Status Enable to apply this rule only to HTTP requests for specific URLs.
Configure Request URL on page 221 if it is enabled.

Request Type Indicate whether the Request URL on page 221 field will contain a literal
URL (Simple String), or a regular expression designed to match multiple
URLs (Regular Expression).

Request URL Depending on your selection in the Request Type on page 221 field, enter
either:
l The literal URL, such as /robots.txt, that the HTTP request must
contain in order to match the rule. The URL must begin with a
backslash ( / ).
l A regular expression, such as ^/*.html, matching all and only the
URLs to which the rule should apply. The pattern does not require a
slash ( / ); however, it must match URLs that begin with a slash, such
as /index.html.
Do not include the domain name, such as www.example.com.
To create and test a regular expression, click the >> (test) icon. This opens
the Regular Expression Validator window where you can fine-tune the
expression. For details, see Regular expression syntax on page 880.

Domain Status Enable to apply this rule only to HTTP requests for specific domains.
If enabled, also configure Domain on page 221.

Domain Type Indicate whether the Domain on page 221 field will contain a literal
domain/IP address (Simple String), or a regular expression designed to
match multiple domains/IP addresses (Regular Expression).

Domain Depending on your selection in the Domain Type on page 221 field, enter
either:
l The literal domain, such as /robots.com, that the HTTP request
must contain in order to match the rule. The domain must begin with
a backslash ( / ).
l A regular expression, such as ^/*.com, matching all and only the
domains to which the rule should apply. The pattern does not require

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 222

a slash ( / ); however, it must match domains that begin with a slash,
such as /robots.com.
To create and test a regular expression, click the >> (test) icon. This opens
the Regular Expression Validator window where you can fine-tune the
expression. For details, see Regular expression syntax on page 880.
Caution: Do not whitelist untrusted subdomains that use vulnerable
cookies. It could compromise the security of that domain and its network.

l If Type is Cookie:

Name Type the name of the cookie as it appears in the HTTP request, such as
NID.
Domain Type the partial or complete domain name or IP address as it appears in
the cookie, such as:
www.example.com
.google.com
10.0.2.50
If clients sometimes access the host via IP address instead of DNS, create
white list objects for both.
Caution: Do not whitelist untrusted subdomains that use vulnerable
cookies. It could compromise the security of that domain and its network.

Path Type the path as it appears in the cookie, such as / or /blog/folder.

l If Type is Header Field:

Header Name Type Indicate whether the Name on page 222 field will contain a literal name
(Simple String), or a regular expression designed to match multiple
names (Regular Expression).

Name Depending on your selection in the Header Name Type on page 222 field,
enter either:
l The literal name, such as Accept-Encoding, that the HTTP
request must contain in order to match the rule.
l A regular expression, such as */*\r\n, matching the names to
which the rule should apply. .
To create and test a regular expression, click the >> (test) icon. This opens
the Regular Expression Validator window where you can fine-tune the
expression. For details, see Regular expression syntax on page 880.

4. Click OK.

See also

l Configuring an HTTP server policy on page 242

l IPv6 support on page 33

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 223

Configuring a protection profile for inline topologies

Inline protection profiles combine previously configured rules, profiles, and policies into a comprehensive set that can be
applied by a policy. Inline protection profiles contain only the features that are supported in inline topologies, which you
use with operation modes such as Reverse Proxy and True Transparent Proxy.

Inline protection profiles include features that require an inline network topology.
They can be configured at any time, but cannot be applied by a policy if the
FortiWeb appliance is operating in a mode that does not support them. For details,
see How operation mode affects server policy behavior on page 217.

To configure an inline protection profile

1. Before configuring an inline protection profile, first configure any of the following that you want to include in the
profile:
l a client management policy (see Client management on page 237)
l a signature set (see Blocking known attacks & data leaks on page 461)
l a HTTP protocol constraints profile (see HTTP/HTTPS protocol constraints on page 532)
l an X-Forwarded-For: or other X-header rule (see Defining your proxies, clients, & X-headers on page 193)
l a cookie security policy (see Protecting against cookie poisoning and other cookie-based attacks on page 450)
l a custom policy (see Combination access control & rate limiting on page 437)
l an oracle padding protection rule (see Defeating cipher padding attacks on individually encrypted inputs on
page 508)
l a cross-site request forgery (CSRF) protection rule (see Defeating cross-site request forgery (CSRF) attacks on
page 511)
l an HTTP header security policy (see Addressing security vulnerabilities by HTTP Security Headers on page
515)
l a Man in the Browser protection policy (see Protection for Man-in-the-Browser (MiTB) attacks on page 549)
l a URL encryption policy (see "URL encryption on page 457")
l a SQL/XSS syntax based detection policy (see Syntax-based SQL/XSS injection detection on page 482)
l a parameter validation policy (see Validating parameters (“input rules”) on page 519)
l a hidden field protection rule (see Preventing tampering with hidden inputs on page 524)
l a file security policy (see Limiting file uploads on page 597)
l a WebSocket security policy (see WebSocket protocol on page 545)
l a URL access policy (see Restricting access to specific URLs on page 433)
l an allowed method policy (see Specifying allowed HTTP methods on page 529)
l a CORS protection policy (see Cross-Origin Resource Sharing (CORS) protection on page 453)
l a bot mitigation policy (see Configuring bot mitigation policy on page 756)
l an XML protection policy (see Configuring XML protection on page 561)
l a JSON protection policy (see Configuring JSON protection on page 556)
l an OpenAPI validation policy (see OpenAPI Validation on page 573)
l an API gateway policy (see Configuring API gateway policy on page 592)
l a DoS protection policy (see Grouping DoS protection rules on page 624)
l a mobile API protection policy (see Configuring mobile API protection on page 588)
l a URL rewriting or redirection set (see Rewriting & redirecting on page 628)

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 224

l an authentication policy (see Offloading HTTP authentication & authorization on page 340)
l a site publishing policy (see Single sign-on (SSO) (site publishing) on page 359)
l a file compression rule (see Configuring compression offloading on page 649)
l an IP reputation policy (see Blacklisting source IPs with poor reputation on page 442)
l an IP list policy (see Blacklisting & whitelisting clients using a source IP or source IP range on page 447)
l a Geo IP policy (see Blacklisting & whitelisting countries & regions on page 445)
l a user tracking policy (see Tracking users on page 380)
l a trigger if you plan to use policy-wide log and alert settings (see Viewing log messages on page 718)
2. Go to Policy > Web Protection Profile and select the Inline Protection Profile tab.
To access this part of the web UI, your administrator’s account access profile must have Read and Write
permission to items in the Web Protection Configuration category. For details, see Permissions on page 56.
3. Click Create New.
Alternatively, click the Clone icon to copy an existing profile as the basis for a new one. The predefined profiles
supplied with your FortiWeb appliance cannot be edited, only viewed or cloned.
4. Configure these settings:

Name Type a unique name that can be referenced in other parts of the configuration.
The maximum length is 63 characters.

Client Management Enable to track a client by the inserted cookie, or source IP when cookie is
prohibited.
For details, see Client management on page 237.

Signatures Select the name of the signature set you have configured in Web Protection
> Known Attacks, if any, that will be applied to matching requests.
Enable AMF3, XML, or JSON Protocol Detection if applicable.
Attack log messages for this feature vary by which type of attack was
detected. For a list, see Blocking known attacks & data leaks on page 461.

HTTP Protocol Constraints Select the name of an HTTP parameter constraint, if any, that will be applied
to matching requests. For details, see HTTP/HTTPS protocol constraints on
page 532.
Attack log messages for this feature vary by which type of constraint was
violated.

X-Forwarded-For Select the X-Forwarded-For: and X-Real-IP: HTTP header settings to

use, if any. For details, see Defining your proxies, clients, & X-headers on
page 193.
Note: Configuring this option is required if the true IP address of the client is
hidden from FortiWeb because a load balancer or other web proxy is deployed
in front. In that case, you must configure an X-header rule so that FortiWeb
will block only requests related to the original client. Otherwise, it may block
all requests whenever any attack occurs, since all requests will appear to
originate from the proxy’s IP.

Cookie Security Policy Select the name of a cookie security policy to apply to matching requests. For
details, see Protecting against cookie poisoning and other cookie-based
attacks on page 450.

If the Security Mode on page 450 option in the policy is Signed, ensure that

FortiWeb Administration Guide Fortinet Technologies Inc.

Policies 225

Configuring a protection profile for inline topologies on page 223 is On.

Custom Policy Select the name of a combination source IP, rate limit, HTTP header, and
URL access policy, if any, that will be applied to matching requests. For