Baixe o app para aproveitar ainda mais
Prévia do material em texto
FortiWeb Administration Guide VERSION 6.1.0 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com http://cookbook.fortinet.com/how-to-work-with-fortinet-support/ FORTIGATE COOKBOOK http://cookbook.fortinet.com FORTINET TRAINING SERVICES http://www.fortinet.com/training FORTIGUARD CENTER http://www.fortiguard.com END USER LICENSE AGREEMENT http://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: techdocs@fortinet.com June 19, 2019 FortiWeb 6.1.0 Administration Guide 3rd Edition http://docs.fortinet.com/ http://video.fortinet.com/ https://blog.fortinet.com/ https://support.fortinet.com/ http://cookbook.fortinet.com/how-to-work-with-fortinet-support/ http://cookbook.fortinet.com/ http://www.fortinet.com/training/ http://www.fortiguard.com/ http://www.fortinet.com/doc/legal/EULA.pdf mailto:techdocs@fortinet.com https://www.fortinet.com/ Change log March 27, 2019 Initial release. TABLE OF CONTENTS Change log 3 Introduction 20 Benefits 20 Architecture 22 Scope 22 What’s new 24 New features 24 AI-based machine learning bot detection 24 AD FS proxy 24 High Availability (HA) new features 24 TACACS+ support 24 Enforcement of new FortiGuard signature updates 24 Multiple local certificate support 24 Q-in-Q VLAN tunneling 25 Traffic mirror 25 SNI Support in offline mode 25 Comments supported for an attack log 25 Flags supported for an attack log 25 Enhancements 25 Web Vulnerability Scan (WVS) module optimized and enhanced 25 Machine Learning: Enhanced HTTP request method learning algorithm 25 Machine Learning: Support database synchronization in Active-Passive mode 26 Machine Learning: Add additional samples from attack logs 26 Add predefined rules for Exchange 2019 26 HTTP Protocol Constraints enhancement 26 Cookie Security enhancement 26 Custom Rule enhancements 26 Support forwarding username in the HTTP header 26 Cookieless support in Site Publish 26 Support special characters in user tracking rule 27 Route requests based on Geo IP 27 Support displaying the original source IP and country in traffic logs 27 Add administrative access to aggregation or redundant interfaces 27 Support generating event logs when concurrent connections reach the limit 27 Support for HTTP Headers in signature exceptions 27 Support setting a timeout value for the DNS proxy cache 27 Firewall policy modifications 27 SAN support in Certificate Signing Request (CSR) 27 More SNI policies 27 Support setting Alert Only for up to 1024 signatures 28 V-zone interface limit lifted 28 Offline license Support 28 Support FARGATE on AWS ECS 28 Key concepts 29 Workflow 29 Sequence of scans 31 IPv6 support 38 Solutions for specific web attacks 40 HTTP/HTTPS threats 40 DoS attacks 45 HTTP/2 support 46 HTTP sessions & security 47 FortiWeb sessions vs. web application sessions 50 Sessions & FortiWeb HA 51 Example: Magento & FortiWeb sessions during failover 52 HA heartbeat & synchronization 53 Data that is not synchronized by HA 54 Configuration settings that are not synchronized by HA 55 How HA chooses the active appliance 56 Heartbeat packet Ethertypes 57 Administrative domains (ADOMs) 58 Defining ADOMs 60 Assigning administrators to an ADOM 61 How to use the web UI 61 System requirements 62 URL for access 62 Permissions 62 Trusted hosts 65 Maximum concurrent administrator sessions 65 Global web UI & CLI settings 65 Buttons, menus, & the displays 68 Deleting entries 70 Renaming entries 70 Shutdown 71 How to set up your FortiWeb 73 Appliance vs. VMware 73 Registering your FortiWeb 73 Planning the network topology 73 External load balancers: before or after? 74 How to choose the operation mode 77 Supported features in each operation mode 78 Matching topology with operation mode & HA mode 80 Topology for Reverse Proxy mode 80 Topology for either of the transparent modes 82 Topology for Offline Protection mode 84 Topology for WCCP mode 86 Topologies for high availability (HA) clustering 86 Connecting to the web UI or CLI 89 Connecting to the web UI 90 Connecting to the CLI 91 Updating the firmware 95 Testing new firmware before installing it 96 Installing firmware 98 Updating firmware on an HA pair 102 Installing alternate firmware 103 Booting from the alternate partition 106 Changing the “admin” account password 107 Setting the system time & date 109 Setting the operation mode 111 Configuring a high availability (HA) FortiWeb cluster 113 Full mesh HA 116 Load-balancing in active-active HA 117 Fail-over in active-active HA 118 Session synchronization in active-active HA 118 Configuring HA 118 Replicating the configuration without FortiWeb HA (external HA) 127 Configuring FortiWeb to receive traffic via WCCP 132 Configuring the FortiWeb WCCP client settings 132 Viewing WCCP protocol information 134 Example: Using WCCP with FortiOS 5.2.x 135 Example: Using WCCP with FortiOS 5.4 136 Example: Using WCCP with multiple FortiWeb appliances 137 Example: Using WCCP with a Cisco router 139 Configuring the network settings 141 To configure a network interface or bridge 141 Configuring the network interfaces 143 Configuring a bridge (V-zone) 150 Link aggregation 152 Configuring redundant interfaces 156 Adding a gateway 159 Creating a policy route 163 The difference between static route and policy route 163 Using policy route to divert traffic based on source IPs 163 Using policy route and the ip-forward command to configure FortiWeb as a router 165 Notice for using policy route in an one-arm topology 166 Configuring DNS settings 167 Connecting to FortiGuard services 169 Choosing the virus signature database & decompression buffer 172 Accessing FortiGuard via a proxy 173 How often does Fortinet provide FortiGuard updates for FortiWeb? 174 Scheduling automatic signature updates 175 Manually initiating update requests 177 Uploading signature & geography-to-IP updates 178 Enforcing new FortiGuard signature updates 179 Receive quarantined source IP addresses from FortiGate 180 Configuring basic policies 181 Example 1: Configuring a policy for HTTP 181 Example 2: Configuring a policy for HTTPS 182 Example 3: Configuring a policy for load balancing 182 Generate protection profiles using a scanner report 183 WhiteHat Sentinel scanner report requirements 183 Telefónica FAAST scanner report requirements 184 HP WebInspect scanner report requirements 185 Testing your installation 188 Reducing false positives 189 Testing for vulnerabilities & exposure 189 Expanding the initial configuration 189 Switching out of Offline Protection mode 190 Policies 192 How operation mode affects server policy behavior 192 Configuring the global object white list 193 Configuring a protection profile for inline topologies 195 Configuring a protection profile for an out-of-band topology or asynchronous mode of operation 204 Configuring an HTTP server policy 209 HTTP pipelining 221 Multiplexing client connections 222 Enabling or disabling a policy 222 Configuring traffic mirror 223 Enabling traffic mirror 223 Creating a traffic mirror rule 223 Configuring a traffic mirror policy 224 Configuring FTP security 225 Enabling FTP security 225 Creating an FTP command restriction rule 226 Creating an FTP file check rule 228 Configuring an FTP security inline profile 229 Before creating an FTP security inline profile 230 Creating an FTP server pool 231 Creating an FTP server policy 235 Before creating an FTP server policy 236 Enabling or disabling a policy 239 AD FS Proxy 240 FortiWeb as an AD FS proxy 240 The workflow of the AD FS authentication process 241 Configuring FortiWeb as an AD FS proxy 242 Configuring a virtual server 242 Creating an AD FS server pool 243 Uploading trusted CA certificates 247 Creating an AD FS server policy 249 Troubleshooting 252 FortiView 254 Interface 255 Navigating FortiView 255 View Types 258 Topology 260 Single Server/Server Pool 260 ContentRouting 263 Security 266 Countries 266 Threats 268 Server Policies 271 Scanner Integration 274 Traffic 276 Sources 276 Countries 278 Sessions 280 Sources 280 Policies 282 Ending sessions 283 Backups 285 backup full-config 288 Syntax 288 Example 289 Related topics 289 Restoring a previous configuration 289 Debug log 291 Administrators 293 Configuring access profiles 296 Grouping remote authentication queries and certificates for administrators 298 Changing an administrator’s password 299 Certificate-based Web UI login 300 Users 303 Authentication styles 303 Via the “Authorization:” header in the HTTP/HTTPS protocol 303 Via forms embedded in the HTML 304 Via a personal certificate 306 Offloading HTTP authentication & authorization 306 Configuring local end-user accounts 308 Configuring queries for remote end-user accounts 309 Configuring an LDAP server 309 Configuring a RADIUS server 314 Configuring an NTLM server 316 Configuring a Kerberos Key Distribution Center (KDC) server 316 Configuring a Security Assertion Markup Language (SAML) server 317 Configuring a Terminal Access Controller Access Control System (TACACS)+ server 318 Adding servers to an authentication server pool 320 Grouping users 321 Applying user groups to an authorization realm 322 Grouping authorization rules 324 Single sign-on (SSO) (site publishing) 326 Two-factor authentication 327 RSA SecurID authentication 327 Changing user passwords at login 328 Using Kerberos authentication delegation 328 Types of Kerberos authentication delegation 328 Configuring Windows Authentication for Kerberos authentication delegation 329 Configuring Service Principal Names for Kerberos authentication 330 Offloaded authentication and optional SSO configuration 332 To create an Active Directory (AD) user for FortiWeb 341 Example: Enforcing complex passwords 346 Tracking users 347 Defining your web servers & load balancers 352 Protected web servers vs. allowed/protected host names 352 Defining your protected/allowed HTTP “Host:” header names 352 Defining your web servers 355 Configuring server up/down checks 355 Configuring session persistence 359 Configuring server-side SNI support 361 Creating a server pool 361 Routing based on HTTP content 373 Example: Routing according to URL/path 384 Example: Routing according to the HTTP “Host:” field 384 Example: HTTP routing with full URL & host name rewriting 385 Defining your proxies, clients, & X-headers 387 Indicating the original client’s IP to back-end web servers 388 Indicating to back-end web servers that the client’s request was HTTPS 389 Blocking the attacker’s IP, not your load balancer 389 Configuring virtual servers on your FortiWeb 392 Defining your network services 393 Defining custom services 394 Predefined services 394 Enabling or disabling traffic forwarding to your servers 395 Secure connections (SSL/TLS) 396 Offloading vs. inspection 396 Supported cipher suites & protocol versions 398 SSL offloading cipher suites and protocols (Reverse Proxy and True Transparent Proxy) 398 Selecting the supported cipher suites using the advanced SSL settings 399 SSL inspection cipher suites and protocols (offline and Transparent Inspection) 402 Uploading trusted CA certificates 403 Grouping trusted CA certificates 406 How to offload or inspect HTTPS 406 Using session keys provided by an HSM 408 Generating a certificate signing request 410 Uploading a server certificate 413 Supplementing a server certificate with its signing chain 416 Configuring multiple local certificates 417 Allowing FortiWeb to support multiple server certificates 418 Forcing clients to use HTTPS 421 HTTP Public Key Pinning 421 How to apply PKI client authentication (personal certificates) 423 Example: Generating & downloading a personal certificate from Microsoft Windows 2003 Server 428 Example: Downloading the CA’s certificate from Microsoft Windows 2003 Server 430 Example: Importing the personal certificate & private key to a client’s trust store on Microsoft Windows 7 431 Uploading the CA’s certificate to FortiWeb’s trusted CA store 432 Configuring FortiWeb to validate client certificates 433 Configure FortiWeb to validate server certificates 435 Use URLs to determine whether a client is required to present a certificate 436 Seamless PKI integration 437 Revoking certificates 440 How to export/back up certificates & private keys 441 How to change FortiWeb's default certificate 442 Configuring OCSP stapling 442 Access control 444 Restricting access to specific URLs 444 Combination access control & rate limiting 448 Blacklisting & whitelisting clients 453 Blacklisting source IPs with poor reputation 453 Blacklisting & whitelisting countries & regions 457 Blacklisting & whitelisting clients using a source IP or source IP range 459 Blacklisting content scrapers, search engines, web crawlers, & other robots 460 Blocking client devices with poor reputation 461 How device reputation works 461 Configuring device tracking & device reputation security policies 462 Example configuration and resulting behavior of a device reputation security policy 467 Protecting against cookie poisoning and other cookie-based attacks 470 Blocking known attacks & data leaks 474 False Positive Mitigation for SQL Injection signatures 483 Enable False Positive Mitigation for SQL Injection and SQL Injection (Extended) 484 Syntax-based SQL injection detection 484 How syntax-based SQL injection detection works 485 Built-in SQL statement templates 486 SQL injection types 486 Enable Syntax Based SQL Injection detection 487 Configuring action overrides or exceptions to data leak & attack detection signatures 487 Example: Concatenating exceptions 492 Filtering signatures 493 Defining custom data leak & attack signatures 493 Example: ASP .Net version & other multiple server detail leaks 497 Example: Zero-day XSS 499 Example: Local file inclusion fingerprinting via Joomla 501 Defeating cipher padding attacks on individually encrypted inputs 502 Defeating cross-site request forgery (CSRF) attacks 506 Addressing security vulnerabilities by HTTP Security Headers 510 Enforcing page order that follows application logic 512 Specifying URLs allowed to initiate sessions 516 Preventing zero-day attacks 521 Validating parameters (“input rules”) 521 Bulk changes to input validation rules 526 Preventing tampering with hidden inputs 527 Specifying allowed HTTP methods 531 Configuring allowed method exceptions 533 HTTP/HTTPS protocol constraints 534 Configuring HTTP protocol constraint exceptions 543 WebSocket protocol 547 Creating WebSocket security rules 547 To create a WebSocket security rule 548 To add a WebSocket security rule to a WebSocket security policy 549 Creating WebSocket security policies 550 To create a WebSocket security policy 550 To add a WebSocket security policy in a web protection profile 550 Protection for Man-in-the-Browser (MiTB) attacks 551 Obfuscation 551 Encryption 551 Anti-Keylogger 552 AJAX Request White list 552 Creating Man in the Browser (MiTB) Protection Rule 553 Creating an MiTB protection rule 553 Protecting the standard user input field 555 Protecting the passwords 556 Adding white list for the AJAX Request 556 Creating Man in the Browser (MiTB) Protection Policy 557 Protection for APIs 558 Use cases 559 Creating OpenAPI files 568 To create an OpenAPI file 569 To add an OpenAPI file to an OpenAPI validation policy 571 Creating OpenAPI validation policies 572 To create an OpenAPI validation policy 572 To apply an OpenAPI validation policy in a web protection profile 573 To view the OpenAPI validation related logs 573 Configuring XML protection 575 Importing XML schema files 575 Creating XML protection rules 576 Creating XML protection policies 580 Importing WSDL files 581 Configuring attack logs to retain packet payloads for XML protection 582 Limiting file uploads 583 Restricting uploads by file type and size 583 Using FortiSandbox to evaluate uploaded files 583 Anti-defacement 590Specifying files that anti-defacement does not monitor 594 Accepting or reverting changed files 595 Reverting a defaced website 596 Rate limiting 597 DoS prevention 597 Configuring application-layer DoS protection 597 Limiting the total HTTP request rate from an IP 598 Limiting TCP connections per IP address by session cookie 601 Preventing an HTTP request flood 604 Configuring network-layer DoS protection 607 Limiting TCP connections per IP address 607 Preventing a TCP SYN flood 609 Grouping DoS protection rules 609 Preventing brute force logins 610 Rewriting & redirecting 614 Example: HTTP-to-HTTPS redirect 619 Example: Full host name/URL translation 622 Example: Sanitizing poisoned HTML 624 Example: Inserting & deleting body text 627 Example: Rewriting URLs using regular expressions 628 Example: Rewriting URLs using variables 629 Caching 631 What can be cached? 634 Compression 636 Configuring compression exemptions 636 Configuring compression offloading 637 Compliance 640 Database security 640 Authorization 641 Preventing data leaks 641 Vulnerability scans 641 Preparing for the vulnerability scan 642 Live websites 642 Network accessibility 642 Traffic load & scheduling 642 Scheduling web vulnerability scans 643 Configuring vulnerability scan profiles 644 Running vulnerability scans 647 Viewing/downloading vulnerability scan reports 649 Advanced/optional system settings 651 Changing the FortiWeb appliance’s host name 651 Fail-to-wire for power loss/reboots 652 Customizing error and authentication pages (replacement messages) 653 Attack block page HTTP response codes 653 Macros in custom error and authentication pages 653 Image macros 654 Customize the message returned for LDAP errors (%%REPLY_TAG%% macro) 655 Configuring the integrated firewall 656 Advanced settings 660 Example: Setting a separate rate limit for shared Internet connections 663 Monitoring your system 664 Status dashboard 664 System Information widget 666 FortiGuard Information widget 668 System Resources widget 671 Attack Log widget 672 HTTP Throughput Monitor widget 672 HTTP Hit History widget 673 Attack Event History widget 674 Event Log Console widget 677 Policy Sessions widget 677 Operation widget 678 Policy Status dashboard 678 Health Check Status 679 Session Count 679 RAID level & disk statuses 680 Logging 680 About logs & logging 681 Log types 681 Log severity levels 682 Log rate limits 682 Configuring logging 683 Enabling log types, packet payload retention, & resource shortage alerts 683 Configuring log destinations 687 Obscuring sensitive data in the logs 691 Configuring Syslog settings 692 Configuring FortiAnalyzer policies 693 Configuring SIEM policies 694 Configuring FTP/TFTP policies 695 Configuring triggers 697 Viewing log messages 697 Viewing a single log message as a table 700 Viewing packet payloads 700 Downloading log messages 700 Deleting log files 702 Coalescing similar attack log messages 702 Alert email 703 Configuring email settings 703 Configuring alert email for event logs 705 SNMP traps & queries 706 Configuring an SNMP community 708 MIB support 710 Reports 711 Customizing the report’s headers, footers, & logo 713 Restricting the report’s scope 714 Choosing the type & format of a report profile 716 Scheduling reports 718 Selecting the report’s file type & delivery options 718 Viewing & downloading generated reports 719 Bot analysis 721 Blocked users 721 Monitoring currently blocked IPs 721 Monitoring currently tracked devices 722 FortiGuard updates 724 Vulnerability scans 724 Machine learning 725 Enabling machine learning policy 726 Configuring anomaly detection profiles 727 Allow sample collection for domains 731 IP List Type and Source IP list 731 Configuring machine-learning templates 731 Viewing domain data 735 Overview 735 Tree View 737 Parameter View 740 Viewing anomaly detection log 743 Configuring bot detection profiles 748 Basic Concepts 748 Sample collecting 748 Model building 748 Model running 749 Creating bot detection profiles 749 Limit sample collection from IPs 755 Exception URLs 755 Viewing bot detection model status 756 Viewing the bot detection violations 758 Fine-tuning & best practices 760 Hardening security 760 Topology 760 Administrator access 761 User access 764 Signatures & patches 765 Buffer hardening 765 Enforcing valid, applicable HTTP 767 Sanitizing HTML application inputs 767 Improving performance 767 System performance 767 Antivirus performance 767 Regular expression performance tips 768 Logging performance 769 Report performance 770 Vulnerability scan performance 770 Packet capture performance 770 TCP transmission performance tuning 770 Improving fault tolerance 771 Alerting the SNMP manager when HA switches the primary appliance 771 Reducing false positives 771 Regular backups 775 Downloading logs in RAM before shutdown or reboot 776 Downloading logs in RAM before shutdown or reboot 776 Troubleshooting 777 Frequently asked questions 777 Administration 777 FortiGuard 777 Access control and rewriting 777 Logging and packet capture 778 Security 778 Performance 778 IPMI (FortiWeb 3000E and 4000E only) 778 Upgrade 778 How do I recover the password of the admin account? 778 What is the maximum number of ADOMs I can create? 778 How do I upload and validate a license for FortiWeb-VM? 778 How do I troubleshoot a high availability (HA) problem? 780 How do I upload a file to or download a file from FortiWeb? 782 Why did the FortiGuard service update fail? 783 Why is URL rewriting not working? 783 How do I create a custom signature that erases response packet content? 784 How do I reduce false positives and false negatives? 784 Why is FortiWeb not forwarding non-HTTP traffic (for example, RDP, FTP) to back-end servers even though set ip-forward is enabled? 785 How do I prevent cross-site request forgery (CSRF or XSRF) with a custom rule? 786 Why does my Advanced Protection rule that has both Signature Violation and HTTP Response Code filters not detect any violations? 786 What's the difference between the Packet Interval Timeout and Transaction Timeout filters in an Advanced Protection rule? 787 What ID numbers do I use to specify a Signature Violation filter when I use the CLI to create a custom access rule? 787 Why is the Signature Violation filter I added to my Advanced Protection custom rule not working? 788 Why don't my back-end servers receive the virtual server IP address as the source IP? 788 Why do I not see HTTP traffic in the logs? 788 Why do I see HTTP traffic in the logs but not HTTPS traffic? 791 How do I store traffic log messages on the appliance hard disk? 792 Why is the most recent log message not displayed in the Aggregated Attack log? 792 How can I sniff FortiWeb packets (packet capture)? 793 How do I trace packet flow in FortiWeb? 793 Why is the number of cookies reported in my attack log message different from the number of cookies that message detail displays? 794 Why does the attack log message display the virtual server IP address as the destination IP instead of the IP address of the back-end server that was the target of the attack? 794 How do I detect which cipher suite is used for HTTPS connections? 795 How can I strengthen my SSL configuration? 795 Why can’t a browser connect securely to my back-end server? 795 How do I use performance tests to determine maximum performance? 796 How can I measure the memory usage of individual processes? 796 How can I use IPMI to shut down or power on FortiWeb remotely? 796 How do I reformat the boot device (flash drive) when I restore or upgrade the firmware? 797 How do I set up RAID for a replacement hard disk? 797 Tools 798 Ping & traceroute 798 Log messages 799 Diff 800 Packet capture 800 Packet capture via CLI command 800 Packet capture via Web UI 804 Diagnostic commands in the CLI 805 Retrieving debug logs 805 How to troubleshoot 806 Establishing a system baseline 806 Determining the source of the problem 806 Planning & access privileges 807 Solutionsby issue type 807 Connectivity issues 808 Checking hardware connections 808 Examining the ARP table 809 Checking routing 809 Examining the routing table 817 Checking port assignments 817 Performing a packet trace 817 Debugging the packet processing flow 818 Checking the SSL/TLS handshake & encryption 818 Resource issues 819 Killing system-intensive processes 820 Monitoring traffic load 820 Preparing for attacks 820 Login issues 821 Checking user authentication policies 821 When an administrator account cannot log in from a specific IP 821 Remote authentication query failures 822 Resetting passwords 822 Data storage issues 823 Bootup issues 823 Hard disk corruption or failure 824 Power supply failure 825 Issues forwarding non-HTTP/HTTPS traffic 827 Resetting the configuration 827 Restoring firmware (“clean install”) 828 Appendix A: Port numbers 832 Appendix B: Maximum configuration values 835 Maximum number of ADOMs, policies, & server pools per appliance 835 Per appliance configuration maximums 836 Per ADOM configuration maximums 837 Maximum values on FortiWeb-VM 844 Appendix C: Supported RFCs, W3C, & IEEE standards 845 RFCs 845 RFC 792 845 RFC 1213 845 RFC 2548 845 RFC 2616 845 RFC 2617 845 RFC 2665 845 RFC 2965 846 RFC 4918 846 RFC 5280 846 RFC 6176 846 W3C standards 846 Extensible markup language (XML) 1.0 (Third Edition) 846 XML Current Status 846 IEEE standards 846 Std 802.1D 846 Std 802.1Q 847 Std 802.1ad 847 Appendix D: Regular expressions 848 Regular expression syntax 848 Popular FortiWeb regular expression syntax 849 What are back-references? 854 Cookbook regular expressions 855 Language support 857 Appendix E: How to purchase and renew FortiGuard licenses 859 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Introduction FortiWeb is a web application firewall (WAF) that protects hosted web applications from attacks that target known and unknown exploits. Using multi-layered and correlated detection methods, FortiWeb defends applications from known vulnerabilities and zero-day threats. The Web Application Security Service from FortiGuard Labs uses information based on the latest application vulnerabilities, bots, suspicious URL and data patterns, and specialized heuristic detection engines to keep your applications safe. FortiWeb also offers a machine-learning function that enables it to automatically detect malicious web traffic. In addition to detecting known attacks, the feature can detect potential unknown zero-day attacks to provide real-time protection for web servers. FortiWeb allows you to configure these features: l Vulnerability scanning and patching l IP reputation, web application attack signatures, credential stuffing defense, anti-virus, and FortiSandbox Cloud powered by FortiGuard l Real-time attack insights and reporting with advanced visual analytics tools l Integration with FortiGate and FortiSandbox for ATP detection l Behavioral attack detection l Advanced false positive and negative detection avoidance FortiWeb hardware and virtual machine platforms are available for medium and large enterprises, as well as for service providers. Benefits FortiWeb is designed specifically to protect web servers. It provides specialized application layer threat detection and protection for HTTP and HTTPS services, including: l Apache Tomcat l nginx l Microsoft IIS l JBoss l IBM Lotus Domino l Microsoft SharePoint l Microsoft Outlook Web App (OWA) l RPC and ActiveSync for Microsoft Exchange Server l Joomla l WordPress FortiWeb’s integrated web-specific vulnerability scanner drastically reduces challenges associated with protecting regulated and confidential data by detecting your exposure to the latest threats, especially the OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project). Introduction 20 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project FortiWeb 6.1.0 Administration Guide Fortinet Inc. FortiWeb’s HTTP firewall and denial-of-service (DoS) attack-prevention protects your web applications from attack. Using advanced techniques to provide bidirectional protection against sophisticated threats like SQL injection and cross- site scripting (XSS) attacks, FortiWeb also helps you defend against threats like identity theft, financial fraud, and corporate espionage. FortiWeb provides the tools you need to monitor and enforce government regulations, industry best practices, and internal security policies, including firewalling and patching requirements from PCI DSS (https://www.pcisecuritystandards.org/security_standards/getting_started.php). FortiWeb’s application-aware firewall and load balancing engine can: l Secure HTTP/HTTPS applications. l Prevent and reverse defacement. l Improve application stability. l Monitor servers for downtime & connection load. l Reduces response times. l Accelerate SSL/TLS.* l Accelerate compression. l Rewrite content on the fly. * On VM models, acceleration is due to offloading the cryptography burden from the back-end server. On hardware models, cryptography is also hardware-accelerated via ASIC chips. FortiWeb significantly reduces deployment costs by consolidating WAF, hardware acceleration, load balancing, and vulnerability scanning in a single platform with no per-user pricing. These features: l Reduce the total resources required to protect your regulated, Internet-facing data. l Ease the challenges associated with policy enforcement and regulatory compliance. Introduction 21 https://www.pcisecuritystandards.org/security_standards/getting_started.php FortiWeb 6.1.0 Administration Guide Fortinet Inc. Architecture FortiWeb can be deployed in a one-arm topology, but is more commonly positioned inline to intercept all incoming client connections and redistribute them to your servers. FortiWeb has TCP- and HTTP-specific firewalling capabilities. Because it's not designed to provide security to non-HTTP/HTTPS web applications, it should be deployed behind a firewall such as FortiGate that focuses on security for other protocols, including FTP and SSH. Once FortiWeb is deployed, you can configure it from a web browser or terminal emulator on your management computer. Scope This document describes how to set up and configure FortiWeb. It provides instructions to complete first-time system deployment, including planning the network topology, and ongoing maintenance. It also describes how to use the web user interface (web UI), and contains lists of default utilized port numbers, configuration limits, and supported standards. If you are using FortiWeb-VM, this document assumes that you have already followed the instructions in the FortiWeb- VM Install Guide: http://docs.fortinet.com/fortiweb/hardware After completing "How to set up your FortiWeb" on page 73, you will have: Introduction 22 http://docs.fortinet.com/fortiweb/hardware FortiWeb 6.1.0 Administration Guide Fortinet Inc. l Administrative access to the web UI and/or CLI. l Completed firmware updates, if any. l Configured the system time, DNS settings, administrator password, and network interfaces will be configured. l Set the operation mode. l Configured basic logging. l Created at least one server policy. You can use the rest of this document to: l Update the FortiWeb appliance. l Reconfigure features. l Use advanced features, such as anti-defacement. l Diagnose problems. This document does not provide a reference for the CLI. For that information, see the FortiWeb CLI Reference: http://docs.fortinet.com/fortiweb/reference This document is intended for system administrators, not end users. If you are accessing a website protected by FortiWeb and have questions, please contact your system administrator. Introduction 23 http://docs.fortinet.com/fortiweb/reference FortiWeb 6.1.0 Administration Guide Fortinet Inc. What’s new FortiWeb 6.1.0 offers the following new features and enhancements. New features AI-based machine learningbot detection FortiWeb now offers AI-based machine learning bot detection that complements the existing signature and threshold based rules. With this new capability, you can deploy FortiWeb to detect sophisticated bots that can sometimes go undetected. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=bot_detection_policy. AD FS proxy FortiWeb can act as an AD FS proxy to safely allow access requests to your AD FS server from the internet. Web protection profiles can be applied to protect your AD FS servers from vulnerability exploits, bots, malware uploads, DoS attacks, advanced persistent threats (APTs), and zero day attacks. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=adfs_policies_add. High Availability (HA) new features FortiWeb now supports reserving multiple network interfaces on each HA cluster member. The configurations of the reserved interfaces are not synchronized to other members in the HA cluster. You can create static routes and policy routes that are used only by a specific cluster member. FortiWeb runs health check for the server policies applied to the HA cluster. It reports event logs if the connection between the HA cluster member and the back-end server is not available. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=ha. TACACS+ support TACACS+ authentication is now supported for FortiWeb admin users. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=tacacsPlusUsers_view. Enforcement of new FortiGuard signature updates FortiWeb now allows to deploy new signature updates in alert mode. This provides a mechanism for customers to first test new signatures in their environment before setting them to block mode. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=stage_signature. Multiple local certificate support You can now combine RSA, DSA, and ECDSA certificates in Multi-certificate, and reference it in server policy in Reverse Proxy mode and pserver in True Transparent Proxy mode. What’s new 24 http://help.fortinet.com/fweb/610/index.htm#cshid=bot_detection_policy http://help.fortinet.com/fweb/610/index.htm#cshid=adfs_policies_add http://help.fortinet.com/fweb/610/index.htm#cshid=ha http://help.fortinet.com/fweb/610/index.htm#cshid=tacacsPlusUsers_view http://help.fortinet.com/fweb/610/index.htm#cshid=stage_signature FortiWeb 6.1.0 Administration Guide Fortinet Inc. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=cert_multi_list"How to offload or inspect HTTPS" on page 406 Q-in-Q VLAN tunneling In True Transparent Proxy mode, to expand the VLAN space, Q-in-Q is introduced for FortiWeb to stack 802.1Q and 802.1ad headers in the Ethernet frame, so that multiple VLANs can be reused in a core VLAN. For more information ,see http://help.fortinet.com/fweb/610/index.htm#cshid=interface_list. Traffic mirror In Reverse Proxy mode and True Transparent Proxy mode, you can configure FortiWeb to send traffic to third party IPS/IDS devices through network interfaces for traffic monitoring. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=traffic_mirror_view. SNI Support in offline mode Offline SNI is introduced in pserver of server pool in Offline Inspection mode or Transparent Inspection mode. FortiWeb uses the server certificate to decrypt SSL-secured connections for the website specified by domain. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=sni. Comments supported for an attack log You can now add or edit comments for an attack log. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=log_access. Flags supported for an attack log You can set any of the three flags "Action Required", "Action Taken", and "Dismissed" for an attack log. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=log_access. Enhancements Web Vulnerability Scan (WVS) module optimized and enhanced l Show, stop, and repeat buttons are added in Web Vulnerability Scan Policy tab. l Scan templates are added in Scan Profile tab to pre-define the scan profile. l Configuration items are optimized in Scan Profile > Scan Profile tab. l The display interface of Scan History tab is modified. l XML format of scan report is added to support scanner integration. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=wvs_policy_list. Machine Learning: Enhanced HTTP request method learning algorithm l Up to 1024 samples are required to build the model. l A time range can be set to specify the minimum duration of the sample collection period. What’s new 25 http://help.fortinet.com/fweb/610/index.htm#cshid=cert_multi_list http://help.fortinet.com/fweb/610/index.htm#cshid=interface_list http://help.fortinet.com/fweb/610/index.htm#cshid=traffic_mirror_view http://help.fortinet.com/fweb/610/index.htm#cshid=sni http://help.fortinet.com/fweb/610/index.htm#cshid=log_access http://help.fortinet.com/fweb/610/index.htm#cshid=log_access http://help.fortinet.com/fweb/610/index.htm#cshid=wvs_policy_list FortiWeb 6.1.0 Administration Guide Fortinet Inc. l The Trust and Black IP lists are used to limit or block samples from certain IP ranges. l Support rebuilding the machine learning model for HTTP request methods. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=machine_learning_policy. Machine Learning: Support database synchronization in Active-Passive mode In Active-Passive mode, the machine learning database can be synchronized from the master node to the slave node. Machine Learning: Add additional samples from attack logs If the attack reported by the anomaly detection model is in fact legitimate traffic, you can now add the triggered pattern to the machine learning model directly. The system rebuilds the model accordingly so that the traffic with the similar characteristics will not be reported as attacks anymore. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=machine_learning_policy. Add predefined rules for Exchange 2019 Predefined rules are added for Exchange 2019 in Signatures and HTTP Protocol Constraints. HTTP Protocol Constraints enhancement FortiWeb now supports setting Threat Weight for Odd and Even Space Attack, Malformed URL, and Illegal Chunk Size. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=protocolConstraints_edit. Cookie Security enhancement In Cookie Security Policy, it's now supported to set the Allow Suspicious Cookies option when the Security Mode is Signed. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=cookie_security_policy. Custom Rule enhancements FortiWeb has enhanced the Custom Rule to provide more flexible access control: l Support filtering out the traffic with null HTTP header value. l Support using regular expression to match the HTTP header name. l Add Geo IP filter to match the traffic from specified countries. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=advanced_access_rule. Support forwarding username in the HTTP header FortiWeb supports setting custom HTTP header in Site Publish Rule to forward username to the back-end server. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=site_publish. Cookieless support in Site Publish In Site Publish, it's now supported to authenticate clients without using cookies. HTTP Basic delegation, Kerberos delegation, and No Delegation are allowed for the cookieless authentication. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=site_publish. What’s new 26 http://help.fortinet.com/fweb/610/index.htm#cshid=machine_learning_policy http://help.fortinet.com/fweb/610/index.htm#cshid=machine_learning_policy http://help.fortinet.com/fweb/610/index.htm#cshid=protocolConstraints_edithttp://help.fortinet.com/fweb/610/index.htm#cshid=cookie_security_policy http://help.fortinet.com/fweb/610/index.htm#cshid=advanced_access_rule http://help.fortinet.com/fweb/610/index.htm#cshid=site_publish http://help.fortinet.com/fweb/610/index.htm#cshid=site_publish FortiWeb 6.1.0 Administration Guide Fortinet Inc. Support special characters in user tracking rule It's now allowed to enter special characters in the Username Field, Password Field, and Log Off URL in the User Tracking Rule. FortiWeb stops detecting Cross-site Scripting attacks for the values of these options. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=userTrackingRule_add. Route requests based on Geo IP FortiWeb now supports routing requests to back-end servers based on IP addresses from selected countries. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=http_content_routing_policy. Support displaying the original source IP and country in traffic logs FortiWeb displays the original source IP and country in traffic logs if the Use X-Header to Identify Original Client's IP option is enabled in the X-Forwarded-For rule referenced by a server policy. Add administrative access to aggregation or redundant interfaces FortiWeb now supports configuring administrative access to aggregation or redundant interfaces. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=interface_edit. Support generating event logs when concurrent connections reach the limit When the concurrent connections to the back-end server reach the maximum number, FortiWeb generates warning- level event logs and blocks any further connections. Support for HTTP Headers in signature exceptions You can now create signature exceptions for HTTP headers. For more information, see http://help.fortinet.com/fweb/610/index.htm#cshid=serverProtectionException_view. Support setting a timeout value for the DNS proxy cache A CLI command is added to set the timeout value for the DNS proxy cache. The DNS proxy renews the DNS records stored in its cache if the current ones expire. For more information, see http://help.fortinet.com/fweb/610/cli/index.htm#FortiWeb/CLI-reference/system_network_ option.htm. Firewall policy modifications l The connection requests from FortiWeb to the DNS server are allowed by default. l Firewall configurations are allowed to be modified even if the license is expired. SAN support in Certificate Signing Request (CSR) FortiWeb supports adding at most ten Subject Alternative Names (SAN) to specify additional host names (domain names, IP addresses, and email addresses). More SNI policies FortiWeb now supports up to 1024 SNI policies. What’s new 27 http://help.fortinet.com/fweb/610/index.htm#cshid=userTrackingRule_add http://help.fortinet.com/fweb/610/index.htm#cshid=http_content_routing_policy http://help.fortinet.com/fweb/610/index.htm#cshid=interface_edit http://help.fortinet.com/fweb/610/index.htm#cshid=serverProtectionException_view http://help.fortinet.com/fweb/610/cli/index.htm#FortiWeb/CLI-reference/system_network_option.htm http://help.fortinet.com/fweb/610/cli/index.htm#FortiWeb/CLI-reference/system_network_option.htm FortiWeb 6.1.0 Administration Guide Fortinet Inc. Support setting Alert Only for up to 1024 signatures It's now supported to set Alert Only for up to 1024 signatures in one administrative domain. V-zone interface limit lifted FortiWeb now supports configuring VLAN (including 802.1Q and 802.1ad) and physical interface in one V-zone. Offline license Support A FortiWeb license type specially designed for the closed network environment is now available for FortiWeb-VMs on Microsoft Hyper-V. Support FARGATE on AWS ECS The FARGATE launch type is supported when deploying FortiWeb container on AWS ECS. For more information, see https://docs.fortinet.com/vm/aws/fortiweb/6.1/deploying-fortiweb-container-on- ecs/6.1.0/779171/creating-virtual-private-cloud-vpc. What’s new 28 https://docs.fortinet.com/vm/aws/fortiweb/6.1/deploying-fortiweb-container-on-ecs/6.1.0/779171/creating-virtual-private-cloud-vpc https://docs.fortinet.com/vm/aws/fortiweb/6.1/deploying-fortiweb-container-on-ecs/6.1.0/779171/creating-virtual-private-cloud-vpc FortiWeb 6.1.0 Administration Guide Fortinet Inc. Key concepts This chapter defines basic FortiWeb concepts and terms. If you are new to FortiWeb, or new to network security, this chapter can help you to quickly understand: l "Workflow" on page 29 l "Sequence of scans" on page 31 l "IPv6 support" on page 38 l "Solutions for specific web attacks" on page 40 l "HTTP/2 support" on page 46 l "HTTP sessions & security" on page 47 l "HA heartbeat & synchronization" on page 53 l "Administrative domains (ADOMs)" on page 58 l "How to use the web UI" on page 61 l "Shutdown" on page 71 Workflow Begin with "How to set up your FortiWeb" on page 73 for your initial deployment. These instructions guide you to the point where you have a simple working configuration. Ongoing use is located in subsequent chapters, and includes instructions for processes including: l Backing up FortiWeb l Updating FortiWeb l Configuring optional features l Adjusting policies if: l New attack signatures become available l Requirements change l Fine-tuning performance l Periodic web vulnerability scans if required by your compliance regime l Monitoring for defacement or focused, innovative attack attempts from advanced persistent threats (APTs) l Monitoring for accidentally blacklisted client IPs Because policies consolidate many protection components, you should configure policies after you've configured those components. Key concepts 29 FortiWeb 6.1.0 Administration Guide Fortinet Inc. This figure illustrates the general configuration process: This figure illustrates the configuration process for setting up DoS protection: 1. Configure anti-DoS settings for each type: l TCP connection floods ("Limiting TCP connections per IP address" on page 607) l TCP SYN floods ("Preventing a TCP SYN flood" on page 609) l HTTP floods ("Preventing an HTTP request flood" on page 604) l HTTP access limits ("Limiting the total HTTP request rate from an IP" on page 598) l Malicious IPs (TCP connection floods detected by session cookie instead of source IP address, which could be shared by multiple clients; "Limiting TCP connections per IP address by session cookie" on page 601) 2. Group the settings together into a comprehensive anti-DoS policy ("Grouping DoS protection rules" on page 609). 3. Select the anti-DoS policy in a protection profile, and enable Session Management ("Configuring a protection profile for inline topologies" on page 195). 4. Select the protection profile in a server policy ("Configuring an HTTP server policy" on page 209). Key concepts 30 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Sequence of scans FortiWeb applies protection rules and performs protection profile scans in the order of execution according to the below table. To understand the scan sequence, read from the top of the table (the first scan/action) toward the bottom (the last scan/action). Disabled scans are skipped. You may find the actual scan sequence sometimes is different from what we list below in the scan sequence table. There might be various reasons, for example, for the scans involving the whole request or response package, its sequence may vary depending on when the package is fully transferred to FortiManager. File Security is one of the scan items that involve scanning the whole package. FortiWeb scans Content-Type: and the body of the file for File Security. While the Content-Type: is scanned instantly, the body of the file may be postponed after the subsequent scans until the whole body of the file is done uploading to FortiWeb. Please also note that when we talk about scan sequence, it refers to the sequence within the same package. For example, HTTPRequest Limit precedes the TCP Connection Number Limit in the scan sequence table. However, if there are two pakages containing HTTP traffic and TCP traffic respectively, and the TCP package arrives first, FortiManager thus checks the TCP Connection Number Limit first. To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique. The blocking style varies by feature and configuration. For example, when detecting cookie poisoning, instead of resetting the TCP connection or blocking the HTTP request, you could log and remove the offending cookie. For details, see each specific feature. Scan/action Involves Request from client to server Add X-Forwarded-For: (page 388) l X-Forwarded-For: l X-Real-IP: l X-Forwarded-Proto: IP List * (individual client IP black list or white list) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Source IP address of the client in the IP layer. IP Reputation (page 201) Source IP address of the client depending on your configuration of X- header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X- Execution sequence (web protection profile) Key concepts 31 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Scan/action Involves headers" on page 387. Quarantined source IP addresses Source IP address of the client in the IP layer. Allow Known Search Engines (page 201) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Source IP address of the client in the IP layer. Geo IP (page 201) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Source IP address of the client in the IP layer. WebSocket Protocol l Host: l URL in HTTP header l Origin: l Upgrade: l Frame Size/Message Size l sec-websocket-extenstions Add HSTS Header (page 215) Strict-Transport-Security: Protected Server Check Host: Allow Method (page 201) l Host: l URL in HTTP header l Request method in HTTP header Session Management (page 196) l Cookie: l Session state HTTP Request Limit/sec (page 604) (HTTP Flood Prevention) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Cookie: l Session state l URL in the HTTP header l HTTP request body Key concepts 32 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Scan/action Involves TCP Connection Number Limit (page 602) (Malicious IP) l Cookie: l Session state l Source IP address of the client in the IP layer l Source port of the client in the TCP layer HTTP Request Limit/sec (Shared IP) (page 599) (HTTP Access Limit) l ID field of the IP header l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X- Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l HTTP request body TCP Connection Number Limit (page 607) (TCP Flood Prevention) l Source IP address of the client in the IP layer. l Source port of the client in the TCP layer. Brute Force Login (page 200) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X- Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l URL in the HTTP header l Source port of the client in the TCP layer l ID field of the IP header l Host: HTTP Authentication (page 202) Authorization: The global object white list l Cookie: cookiesession1 l URL if browserconfig.xml, AJAX URL parameters such as __ LASTFOCUS, and others as updated by the FortiGuard Security Service. ADFS Proxy l Host: l URL in HTTP header l Request method in HTTP header l Other request headers, especially the X-MS-* headers l Parameters in the URL l Cookies Site Publish (page 202) l Host: l Cookie: l URL of the request for the web application Key concepts 33 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Scan/action Involves URL Access (page 200) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Host: l URL in HTTP header l Source IP of the client in the IP header Padding Oracle Protection (page 199) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Host: l URL in HTTP header l Individually encrypted URL, cookie, or parameter HTTP Protocol Constraints (page 200) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Content-Length: l Parameter length l Body length l Header length l Header line length l Count of Range: header lines l Count of cookies Start Pages (page 200) l Host: l URL in HTTP header l Session state Page Access (page 200) (page order) l Host: l URL in HTTP header l Session state File Security (page 200) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Content-Type: in PUT and POST requests l URL in HTTP header l The body of the file Key concepts 34 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Scan/action Involves Parameter Validation (page 199) l Host: l URL in the HTTP header l Name, data type, and length Configuring a protection profile for inline topologies (page 195) Content-Type: Machine Learning - Bot Detection l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l Host: l URL in the HTTP header l HTTP version l Content-Type: l Response status code l Request method in HTTP header l Referer: l User-Agent: Defeating cross-site request forgery (CSRF) attacks (page 506) l <a href> l <form> Protection for Man-in-the- Browser (MiTB) attacks(page 551) l Host: l URL in HTTP header l Request method in HTTP header l Parameters in URL l Content-Type: Web Cache (page 202) l Host: l URL in the HTTP header l Size in kilobytes (KB) of each URL to cache Signatures l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387. l HTTP headers l HTML Body l URL in HTTP header l Parameters in URL and request body Key concepts 35 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Scan/action Involves Device Reputation l Cookies and other headers l URL in HTTP header l Request method in HTTP header l Parameters in URL l Multipart filename Hidden Fields Protection (page 200) l Host: l URL in the HTTP header l Name, data type, and length of <input type="hidden"> Custom Policy (page 199) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387 l URL in the HTTP header l HTTP header l Parameter in the URL, or the HTTP header or body User Tracking l Host: l Cookie: l Parameters in the URL l URL in HTTP header l HTTP body l Client's certificate XML Validation l Host: l URL in HTTP header l HTTP request headers & body OpenAPI Validation l Host: l HTTP headers, especially the content-type: headers l URL in HTTP header l Request method in HTTP header l Parameters in URL l Multipart filename URL Rewriting (page 202) (rewriting & redirects) l Host: l Referer: l Location: l URL in HTTP header l HTML body Key concepts 36 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Scan/action Involves Machine Learning - Anomaly Detection l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387 l URL in the HTTP header l Request method in HTTP header l Parameter in the URL, or the HTTP header or body l Content-Type: File Compress (page 202) Accept-Encoding: Cookie Security Policy (page 199) l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387 l Cookie: Reply from server to client Configuring a protection profile for inline topologies (page 195) Content-Encoding: Hidden Fields Protection (page 200) l Host: l URL in the HTTP header l Name, data type, and length of <input type="hidden"> Custom Policy (page 199) l HTTP response code l Content Type URL Rewriting (page 202) (rewriting) l Host: l Referer: l Location: l URL in HTTP header l HTML body Web Socket Protocol l Upgrade: Chunk Decoding l Transfer-Encoding l Raw body Protection for Man-in-the- Browser (MiTB) attacks (page 551) l Status code l Response body Key concepts 37 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Scan/action Involves Signatures l Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see "Defining your proxies, clients, & X-headers" on page 387 l HTTP headers l HTML Body l URL in HTTP header l Parameters in URL and body l XML in the body of HTTP POST requests l Cookies l Headers l JSON Protocol Detection l Uploaded filename(MULTIPART_FORM_DATA_FILENAME) Device Reputation l Status code l Content-Type: l HTML body User Tracking l Status code l HTTP headers l HTML body HTTP Header Security l HTTP headers * If a source IP is white listed, subsequent checks will be skipped. IPv6 support When the operating mode is Reverse Proxy, Offline Protection, or Transparent Inspection, the features below support IPv6-to-IPv6 forwarding. The features below also support NAT64 to handle environments in which legacy back-end equipment supports only IPv4. l IP/Netmask (page 144) for all types of network interfaces and DNS settings l Gateway (page 160) and Destination IP/Mask (page 160) for IP-layer static routes l Virtual Server (page 211)/V-zone (page 211) l Server Pool (page 212) l Server Health Check (page 363) l Protected Hostnames (page 213) l Add HSTS Header (page 215) l X-Forwarded-For (page 197) l Session Management (page 196) Key concepts 38 FortiWeb 6.1.0 Administration Guide Fortinet Inc. l Cookie Security Policy (page 199) l Signatures (page 197) l Custom Policy (page 199) l Parameter Validation (page 199) l Hidden Fields Protection (page 200) l File Security (page 200) l HTTP Protocol Constraints (page 200) l Brute Force Login (page 200) l URL Access (page 200) l Page Access (page 200) (page order) l Start Pages (page 200) l Allow Method (page 201) l IP List (page 201) (manual, individual IP blacklisting/whitelisting) l File Compress (page 202) l Vulnerability scans (page 641) l Configuring the global object white list (page 193) l Chunk decoding l FortiGuard server IP overrides (see "Connecting to FortiGuard services" on page 169) l URL Rewriting (page 202) (also redirection) l HTTP Authentication (page 202) and LDAP, RADIUS, and NTLM profiles l Geo IP (page 201) l DoS Protection (page 201) l SNMP traps & queries (page 706) l IP Reputation (page 201) l Device Tracking (see "Monitoring currently tracked devices " on page 722) l HTTP Header Security (see "Addressing security vulnerabilities by HTTP Security Headers" on page 510) Features not yet supported are: If a policy has any virtual servers or server pools that contain physical or domain servers with IPv6 addresses, it does not apply these features, even if they are selected. l Shared IP l Policy bypasses for known search engines l Firewall l Log-based reports l Alert email l Syslog and FortiAnalyzer IP addresses l NTP l FTP immediate/scheduled l SCEP l Anti-defacement l HA/Configuration sync Key concepts 39 FortiWeb 6.1.0 Administration Guide Fortinet Inc. l exec restore l exec backup l exec traceroute l exec telnet Solutions for specific web attacks The types of attacks that web servers are vulnerable to are varied, and evolve as attackers try new strategies. FortiWeb offers numerous configurable features for preventing web-related attacks, including denial-of-service (DoS) assaults, brute-force logins, data theft, cross-site scripting attacks, among many more. Early in your deployment of FortiWeb, configure and run web vulnerability scans to detect the most common attack vulnerabilities. You can use this to discover attacks to which you may be vulnerable. For details, see "Vulnerability scans" on page 641. HTTP/HTTPS threats Servers are increasingly being targeted by exploits at the application layer or higher. These attacks use HTTP/HTTPS and may aim to compromise the target web server to steal information, deface it, post malicious files on a trusted site to further exploit visitors to the site, or use the web server to create botnets. Among its many threat management features, FortiWeb fends off attacks that use cross-site scripting, state-based intrusion, and various injection attacks. This helps you comply with protection standards for: l Credit-card data, such as PCI DSS 6.6 l Personally identifiable information, such as HIPAA FortiWeb can also protect against threats at higher layers (HTML, Flash or XML applications).The below table lists several HTTP-related threats and describes how FortiWeb protects servers from them. Attack Technique Description Protection FortiWeb Solution Adobe Flash binary (AMF) protocol attacks Attackers attempt XSS, SQL injection or other common exploits through an Adobe Flash client. Decode and scan Flash action message format (AMF) binary data for matches with attack signatures. Enable AMF3 Protocol Detection (page 197) Botnet Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s). Use the FortiGuard IP Reputation Service to gather up-to-date threat intelligence on botnets and block attacks. IP Reputation (page 201) Key concepts 40 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Attack Technique Description Protection FortiWeb Solution Brute force login attack An attacker attempts to gain authorization by repeatedly trying ID and password combinations until one works. Require strong passwords for users, and throttle login attempts. Brute Force Login (page 200) Clickjacking Code such as <IFRAME> HTML tags superimposes buttons or other DOM/inputs of the attacker’s choice over a normal form, causing the victim to unwittingly provide data such as bank or login credentials to the attacker’s server instead of the legitimate web server when the victim clicks to submit the form. Scan for illegal inputs to prevent the initial injection, then apply rewrites to scrub any web pages that have already been affected. l Signatures (page 197) l Parameter Validation (page 199) l Hidden Fields Protection (page 200) l URL Rewriting (page 202) Cookie tampering Attackers alter cookies originally established by the server to inject overflows, shell code, and other attacks, or to commit identity fraud, hijacking the HTTP sessions of other clients. Validate cookies returned by the client to ensure that they have not been altered from the previous response from the web server for that HTTP session. l Cookie Security Policy (page 199) l Add HSTS Header (page 215) Credit card theft Attackers read users’ credit card information in replies from a web server. Detect and sanitize credit card data leaks. Helps you comply with credit card protection standards, such as PCI DSS 6.6. Personally Identifiable Information (page 481) Cross-site request forgery (CSRF) A script causes a browser to access a website on which the browser has already been authenticated, giving a third party access to a user’s session on that site. Classic examples include hijacking other peoples’ sessions at coffee shops or Internet cafés. Specify web pages that FortiWeb protects from CSRF attacks using a special token. Enforce web application business logic to prevent access to URLs from the same IP but different client. l Defeating cross- site request forgery (CSRF) attacks (page 506) l Page Access (page 200) l Add HSTS Header (page 215) Cross-site scripting Attackers cause a browser Content filtering, cookie Cross Site Scripting Key concepts 41 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Attack Technique Description Protection FortiWeb Solution (XSS) to execute a client-side script, allowing them to bypass security. security, disable client-side scripts. (page 478) Denial of service (DoS) An attacker uses one or more techniques to flood a host with HTTP requests, TCP connections, and/or TCP SYN signals. These use up available sockets and consume resources on the server, and can lead to a temporary but complete loss of service for legitimate users. Watch for a multitude of TCP and HTTP requests arriving in a short time frame, especially from a single source, and close suspicious connections. Detect increased SYN signals, close half-open connections before resources are exhausted. DoS Protection (page 201) HTTP header overflow Attackers use specially crafted HTTP/HTTPS requests to target web server vulnerabilities (such as a buffer overflow) to execute malicious code, escalating to administrator privileges. Limit the length of HTTP protocol header fields, bodies, and parameters. HTTP Protocol Constraints (page 200) Local file inclusion (LFI) LFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an LFI, a client includes directory traversal commands (such as ../../for web servers on Linux, Apple Mac OS X, or Unix distributions) when submitting input. This causes vulnerable web servers to use one of the computer’s own files (or a file previously installed via another attack mechanism) to either execute it or be included in its own web pages. This could be used for many purposes, including direct attacks of other servers, installation of Block directory traversal commands. Generic Attacks (page 479) Key concepts 42 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Attack Technique Description Protection FortiWeb Solution malware, and data theft of /etc/passwd, display of database query caches, creation of administrator accounts, and use of any other files on the server’s file system. Many platforms have been vulnerable to these types of attacks, including Microsoft .NET and Joomla. Man-in-the-middle (MITM) A device located on the same broadcast network or between the client and server observes unencrypted traffic between them. This is often a precursor to other attacks such as session hijacking. Redirect clients from HTTP to secure HTTPS, then encrypt all traffic and prevent subsequent accidental insecure access. l HTTPS Service (page 214) l Add HSTS Header (page 215) l URL Rewriting (page 202) Remote file inclusion (RFI) RFI is a type of injection attack. However, unlike SQL injection attacks, a database is not always involved. In an RFI, a client includes a URL to a file on a remote host, such as source code or scripts, when submitting input. This causes vulnerable web servers to either execute it or include it in its own web pages. If code is executed, this could be used for many purposes, including direct attacks of other servers, installation of malware, and data theft. If code is included into the local file system, this could be used to cause other, unsuspecting clients who Prevent inclusion of references to files on other web servers. Generic Attacks (page 479) Key concepts 43 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Attack Technique Description Protection FortiWeb Solution use those web pages to commit distributed XSS attacks. Famously, this was used in organized attacks by Lulzsec. Attacks often involve PHP web applications, but can be written for others. Server information leakage A web server reveals details (such as its OS, server software and installed modules) in responses or error messages. An attacker can leverage this fingerprint to craft exploits for a specific system or configuration. Configure server software to minimize information leakage. l Information Disclosure (page 479) l To hide application structure and servlet names, Rewriting & redirecting (page 614) SQL injection The web application inadvertently accepts SQL queries as input. These are executed directly against the database for unauthorized disclosure and modification of data. Rely on key word searches, restrictive context-sensitive filtering and data sanitization techniques. l Parameter Validation (page 199) l Hidden Fields Protection (page 200) l SQL Injection (page 478) Malformed XML To exploit XML parser or data modeling bugs on the server, the client sends incorrectly formed tags and attributes. Validate XML formattingfor closed tags and other basic language requirements. Illegal XML Format (page 198) Caution: Unlike XML protection profiles in previous versions of FortiWeb, Illegal XML Format (page 198) does not check for conformity with the object model or recursive payloads. Key concepts 44 FortiWeb 6.1.0 Administration Guide Fortinet Inc. DoS attacks A denial of service (DoS) attack or distributed denial-of-service attack (DDoS attack) is an attempt to overwhelm a web server/site, making its resources unavailable to its intended users. DoS assaults involve opening vast numbers of sessions/connections at various OSI layers and keeping them open as long as possible to overwhelm a server by consuming its available sockets. Most DoS attacks use automated tools (not browsers) on one or more hosts to generate the harmful flood of requests to a web server. A DoS assault on its own is not true penetration. It is designed to silence its target, not for theft. It is censorship, not robbery. In any event, a successful DoS attack can be costly to a company in lost sales and a tarnished reputation. DoS can also be used as a diversion tactic while a true exploit is being perpetrated. The advanced DoS prevention features of FortiWeb are designed to prevent DoS techniques, such as those examples listed in on page 40, from succeeding. For best results, consider creating a DoS protection policy that includes all of FortiWeb’s DoS defense mechanisms, and block traffic that appears to originate from another country, but could actually be anonymized by VPN or Tor. For details about policy creation, see "DoS prevention" on page 597 and "Blacklisting source IPs with poor reputation" on page 453. Attack Technique Description FortiWeb Solution Botnet Utilizes zombies previously exploited or infected (or willingly participating), distributed usually globally, to simultaneously overwhelm the target when directed by the command and control server(s). Well-known examples include LOIC, HOIC, and Zeus. IP Reputation (page 201) Low-rate DoS Exploits TCP’s retransmission time-out (RTO) by sending short-duration, high-volume bursts repeated periodically at slower RTO time-scales. This causes a TCP flow to repeatedly enter a RTO state and significantly reduces TCP throughput. l TCP Connection Number Limit (page 607) (TCP flood prevention) l HTTP Request Limit/sec (page 604) (HTTP flood prevention) l TCP Connection Number Limit (page 602)(malicious IP prevention) Slow POST attack Sends multiple HTTP POST requests with a legitimate Content-Length: field. This tells the web server how much data to expect. Each POST message body is then transmitted at an unusually slow speed to keep the connection from timing out, and thereby consuming sockets. l URL Access (page 200) l Allow Method (page 201) Slowloris Slowly but steadily consumes all available sockets by sending partial HTTP requests sent at regular intervals. Each HTTP header is never finished by a new line (/r/n) according to the specification, and therefore the server waits for the client to finish, keeping its socket open. This slowly consumes all sockets on a web server without a noticeable spike on new TCP/IP connections l Header Length (page 536) l Number of Header Lines in Request (page 538) Key concepts 45 FortiWeb 6.1.0 Administration Guide Fortinet Inc. Attack Technique Description FortiWeb Solution or bandwidth. Not all web servers are vulnerable, and susceptibility can vary by configuration. Default Apache configurations may be more vulnerable than a server like nginx that is designed for high concurrency. SYN flood Sends a stream of TCP SYN packets. The target server acknowledges each SYN and waits for a response (ACK). Rather than respond, the attacker sends more SYN packets, leaving each connection half-open, not fully formed, so that it may not register on systems that only monitor fully formed connections. Since each half- formed connection requires RAM to remember this state while awaiting buildup/tear-down, many SYN signals eventually consume available RAM or sockets. Syn Cookie (page 213) HTTP/2 support If the FortiWeb is deployed in Reverse Proxy (see "Topology for Reverse Proxy mode" on page 80) or True Transparent Proxy (see "Topology for either of the transparent modes" on page 82) mode, HTTP/2 web communication can be protected by the following FortiWeb's security services: l Session Management (see "Session Management" on page 196) l Attack Signature (see "Blocking known attacks & data leaks" on page 474) l Cookie Security (see "Protecting against cookie poisoning and other cookie-based attacks" on page 470) l HTTP Protocol Constraints (see "HTTP/HTTPS protocol constraints" on page 534) Note: HTTP/2 traffic will bypass the other security services (even if the services are well-configured). How to enable HTTP/2 support Deployment in Reverse Proxy mode When the FortiWeb is operating in Reverse Proxy mode, it can provide end-to-end HTTP/2 security which requires both clients and back-end servers running HTTP/2. Moreover, if the back web servers do not support HTTP/2, FortiWeb (in Reverse Proxy mode) provides the HTTP/2 protections also with conversion protocols between HTTP/2 clients and HTTP/1.1 back-end servers. This allows customers to enjoy HTTP/2 benefits without having to upgrade their web servers. Therefore, when the FortiWeb is operating in Reverse Proxy mode, it requires two necessary configurations for HTTP/2 security: l Server Policy: Enable HTTP/2 in a Server Policy (see HTTP/2 (page 214)), so that HTTP/2 can be negotiated between FortiWeb and clients via SSL ALPN (Application-Layer Protocol Negotiation) during the SSL handshake, if the client's browser supports HTTP/2 protocol. Then, FortiWebcan recognize HTTP/2 traffic and apply the security services to it. l Server Pool: Enable HTTP/2 for a Server Pool (see HTTP/2 (page 366)) if your back-end web servers are running HTTP/2. This indicates HTTP/2 communication between FortiWeb and the backend servers in the server pool. HTTP/2 Traffic processed by FortiWeb will be forwarded to the back web servers through HTTP/2. However, if your web servers do not support HTTP/2, keep the option disabled and FortiWeb will convert the processed HTTP/2 traffic to HTTP/1.x and Key concepts 46 FortiWeb 6.1.0 Administration Guide Fortinet Inc. forward it to the backend servers. Please note that enable this only if your back web servers really support HTTP/2, or connections will go failed. When FortiWeb operates in Reverse Proxy mode, HTTP Content Routing is partially supported if HTTP/2 security inspection is enabled. In such cases, FortiWeb can handle HTTP/2 for client requests, but traffic between FortiWeb and the server(s) must use HTTP, so the HTTP/2 setting in a server pool configuration would have to remain disabled. For details, see "Routing based on HTTP content" on page 373. Deployment in True Transparent Proxy mode Conversion between HTTP/2 clients and HTTP/1.1 back-end servers is not available when the FortiWeb is operating in True Transparent Proxy mode. Therefore, FortiWeb's HTTP/2 inspection must work with the back web servers that really support HTTP/2. When your FortiWeb is operating in True Transparent Proxy mode, only one configuration is required to enable the HTTP/2 support: l Server Pool: Enable SSL and HTTP/2 in a Server Pool (see "To configure a server pool" on page 362). Please make sure your back-end web servers are running HTTP/2, or no HTTP/2 connections will be established between clients and the back servers and enabling HTTP/2 support on the FortiWeb will be kind of meaningless. Note: FortiWeb only supports HTTP/2 for HTTPS (SSL) connections (most browsers support HTTP/2 for only HTTPS). Therefore, for deployment in Reverse Proxy or True Transparent Proxy mode, HTTPS or SSL on the FortiWeb must be enabled for HTTP/2. HTTP sessions
Compartilhar