Introducing The Security Fabric


The Fortinet Security Fabric

Introducing the Security Fabric

Presenter
Date

© Copyright Fortinet Inc. All rights reserved.


FortiWeb Training
Overview


Web Application Attacks

 Web applications are the interface to a wide array of confidential information stored on back-end databases
» Intellectual property, social security numbers, medical records, payroll information, credit card numbers, etc.
 Attractive targets for hackers because they are public-facing applications open to the Internet
 Web application vulnerabilities may allow the attacker to gain access to server resources and back-end databases
HTTP Threats

 Aim of attack is to compromise the target web server:
» Steal critical information
» Deface the portal
» Post malicious files to exploit site users
 Some of the most prevalent attack techniques:
» Cross-site scripting (XSS) and cross-site request forgery (CSRF)
» Brute force login attack
» SQL injection
» Credit card theft and information leakage
» Forceful browsing
» Cookie poisoning
Application Layer Security

Network Firewall
• Network firewalls detect network attacks
• Inspect IP and port
IPS/Deep Packet Inspection Firewalls
• IPS products detect known signatures only
• No real HTTP understanding (headers, parameters, etc.)
• Signature evasion is possible; no protection of SSL traffic; no application awareness
• No user awareness; high rate of false positives
(Diagram: network firewalls and IPS operate at the network / transport layer (OSI 1-4); the FortiWeb Web Application Firewall operates at the application layer (OSI 5-7))
Only Web Application Firewalls can detect and block application attacks!
FortiWeb WAF Deployment and Management Features

Multiple Deployment Options: Four operational modes to fit into any environment. Physical and virtual appliances available.
Auto-Learn Security Profiling: Automatically and dynamically build a security model of protected applications by continuously monitoring real-time user activity.
FortiGuard IP Reputation: Aggregates data from sensors around the world to keep information about threatening sources up-to-date.
High Availability: Configuration synchronization and network-level fail-over in the event of unexpected outage events. Integrated bypass interfaces provide additional fail-open capability for single-box deployments.
IPv6: Supported for Reverse Proxy deployments. IPv4 to IPv6 and IPv6 to IPv4 communication, including mixed server farm configurations, are also supported.
FortiWeb WAF Protection and Monitoring Features

Application Layer Vulnerability Protection: Out-of-the-box protection for the most complex attacks such as SQL Injection, Cross Site Scripting, CSRF and many others.
Data Leak Prevention: Extended monitoring and protection for data leakage and application information disclosure by tightly monitoring all outbound traffic.
Web Anti Defacement: Unique capabilities for monitoring protected applications for any defacement and ability to automatically and quickly revert to the stored version.
Vulnerability Assessments: Automatically scans and analyzes the protected web applications and detects security vulnerabilities to complete a comprehensive solution for PCI DSS.
DoS Protection: Multiple protection mechanisms for DoS attacks.
FortiWeb WAF Application Delivery Features

Application Aware Load Balancing: Intelligent, application-aware layer 7 load balancing eliminates performance bottlenecks, reduces deployment complexity and provides seamless application integration.
Data Compression: Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers.
SSL Offload: With the integration of award-winning FortiASIC™ technology, FortiWeb is able to process tens of thousands of web transactions by providing hardware-accelerated SSL offloading.
Authentication Offload: Offload your web server authentication to the FortiWeb platform while supporting different authentication schemes such as Local, LDAP, NTLM and Radius.
FortiWeb Family- Appliances

Performance & Scalability, from entry level to high end: FWB-100D, FWB-400D, FWB-600D, FWB-1000D, FWB-3000E, FWB-4000E

WAF throughput | < 1 Gbps | 1 – 10 Gbps | 10+ Gbps
SSL | Software | ASIC | ASIC
Ports | GE | GE/10GE | GE/10GE
FortiWeb Product Matrix
Model | 100D | 400D | 600D | 1000D | 3000E/3010E | 4000E
WAF Throughput | 25 Mbps | 100 Mbps | 250 Mbps | 1 Gbps | 5 Gbps | 20.0 Gbps
Latency | Sub-ms | Sub-ms | Sub-ms | Sub-ms | Sub-ms | Sub-ms
SSL | Software | Software | Software | ASIC | ASIC | ASIC
L7 Load Balancing | Yes | Yes | Yes | Yes | Yes | Yes
L7 DoS Protection | Yes | Yes | Yes | Yes | Yes | Yes
Site Publishing/SSO | Yes | Yes | Yes | Yes | Yes | Yes
Vulnerability Scanner | Yes | Yes | Yes | Yes | Yes | Yes
Antivirus/antimalware | Yes | Yes | Yes | Yes | Yes | Yes
Form Factor | Desktop | 1U | 1U | 2U | 2U | 2U
GE Port | 4 | 4 | 4 (2 bypass) | 6 (4 bypass) | 8 bypass | 8 bypass
GE SFP | 0 | 4 | 4 | 2 | 4 | 4
10GE SFP+ | 0 | 0 | 0 | 0 | 4 | 4
ADOMs | N/a | 32 | 32 | 64 | 64 | 64
FortiWeb Virtual Appliances
Enterprise grade virtual WAF
 Deploy WAFs without extra hardware
 Dynamic expansion in VM environments
 Resource efficiency with uncompromised WAF functionality
 VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen, KVM, Amazon Web Services (AWS) and Microsoft Azure.

Technical Specifications | FortiWeb VM01 | FortiWeb VM02 | FortiWeb VM04 | FortiWeb VM08
vCPU Support (Max) | 1 | 2 | 4 | 8
Memory Support (Max) | Unlimited* | Unlimited* | Unlimited* | Unlimited*
Network Interface Support (Max) | 10 | 10 | 10 | 10
Storage Support (Min / Max) | 40 GB / 1 TB | 40 GB / 1 TB | 40 GB / 1 TB | 40 GB / 1 TB
Operation modes

 Reverse Proxy (Default)
 Transparent Inspection
 True Transparent Proxy
 Offline Protection

Reverse Proxy (Default)

 Requests are destined to the IP address of the FortiWeb
 FortiWeb appliance acts as a reverse proxy
 Incoming traffic can be modified, blocked or logged
 It offers the broadest feature support

Transparent Inspection

 Requests are destined to the IP address of the web server directly
 FortiWeb asynchronously intercepts and inspects the traffic
 In case of power failure, the FortiWeb unit will fail-to-wire using its bypass interface, thus all traffic to the web application is maintained
 Incoming traffic can be logged or blocked but not modified

True Transparent Proxy

 Requests are destined to the IP address of the web server directly
 FortiWeb transparently proxies the traffic
 Incoming traffic can be blocked, logged or modified

Offline Protection

 Ideal mode for proofs of concept
 Traffic is duplicated to the FortiWeb and the web server simultaneously through port mirroring or a SPAN port
 Inspected traffic can be logged, and blocking can be attempted, but it cannot be modified
How Does FortiWeb Block Attacks?

 Varies by operating mode
 Reverse Proxy mode / True Transparent Proxy mode
» When physically in line & processing in sync, FortiWeb always blocks / sanitizes the HTTP request
» Depending on attack/config., may either return an HTTP error to the client or send a TCP RST
» If the request is accepted, FortiWeb makes a secondary connection to the protected web server
» Exception: buffers exceeded, and you’ve configured FortiWeb to pass oversize traffic

How Does Reverse Proxy Mode Block Attacks?

Attack never reaches servers: attack detected, request blocked, FortiWeb replies with HTTP error or TCP RST

How Does FortiWeb Block Attacks?

 Varies by operating mode
 Offline mode / Transparent Inspection mode
» When physically out-of-band (i.e. mirror/SPAN port) or forwarding the packet first then scanning (to minimize latency), FortiWeb can try to reset the TCP connection (RST)
» May be too late to block
» Not 100% reliable due to:
 Race condition – attack interruption depends on CPU load & speed of the inline route
 Can’t sanitize/rewrite – packets have already egressed to the server

How Does Offline Mode Block Attacks?

Some packets reach servers, but often can’t complete the attack (connection interrupted): RACE – attack detected after the packet is forwarded, FortiWeb tries to interrupt via TCP RST
Topology: FortiWeb Before, or After SNAT?

22
Topology: FortiWeb After SNAT

23
Topology: FortiWeb Before SNAT

24
Configuring FortiWeb to Find the Original Client’s IP

(Screenshot callout: your front-end load balancer’s IP)
Administrative Domains (ADOMs) on FortiWeb

 Logically separates each of your protected web apps
» Domains share physical resources, but behave logically like separate FortiWebs
» Ideal for hosting providers and enterprises – multi-tenant
 Similar to VDOMs on FortiGate
» Separate policies, protection settings, and administrators for each domain
» Restructures GUI, CLI
» On FortiAnalyzer, or FortiWeb CLI, each FortiWeb ADOM may be called either ADOM or VDOM
 Also distinguishes externally stored logs
(Diagram: one FortiWeb hosting ADOMs for Acme Co., ABC Inc. and XYZ Ltd.)
Assigning Administrators to ADOMs

 After enabling ADOMs, you should usually create more administrator accounts and assign each to a specific ADOM: root, adom0, etc.
(Diagram: Domain A, Domain B, Domain C)
Access Profiles & ADOM Administrators

Only the “prof_admin” profile gives access to Global settings.
Other access profiles are relative to a specific ADOM: root, adom0, etc.
However, “prof_admin” still doesn’t make an account into “admin” or “maintainer”.
(Diagram: Domain A, Domain B, Domain C)
FortiWeb Training
System Configuration


GUI and CLI Access

 Web Login: https://192.168.1.99
 FortiOS-like CLI
Real Time Dashboard

 Customizable Dashboard
» System information
» CLI console
» System resources
» FortiGuard Information
» Attack log console
» Event log console
» Server status
» Policy sessions

Context Sensitive On-Line Help

Network Interfaces

V-Zone (bridge)

 The FortiWeb forwards the traffic inside a V-Zone as a Layer-2 switch
 Required for True Transparent Proxy or Transparent Inspection modes
 All network ports can be added to the V-zone except port1
V-Zone configuration

Routing

 The FortiWeb looks in the routing table for the destination IP address
 The most specific route will always be chosen
 If there is more than one equally specific route, the FortiWeb unit will choose the route with the smallest index number
IP-Based Forwarding

 By default, protocols other than HTTP and HTTPS are not forwarded to the protected physical servers
 You can enable forwarding of non-web traffic destined for your physical servers by using the following CLI commands:
# config router setting
(setting)# set ip-forward enable
(setting)# end
Admin Accounts

 By default, a FortiWeb unit has one administrator account named admin
» It is associated with the profile prof_admin, which grants full access to the FortiWeb unit
» It cannot be renamed or deleted
Access Profiles

 Access profiles determine the authorization rights for each specific configuration section
FortiGuard Subscription Services

 FortiGuard provides automatic updates for:
» FortiWeb Security Services:
 Attack signatures (such as XSS, SQL injection)
 Information leakage patterns
 Predefined data patterns (such as credit card number, social security number)
 Predefined data types and suspicious URLs
 Global White List and web robot patterns
 Web vulnerability scan pattern
» FortiGuard Antivirus Service:
 Virus signatures for AV scanning
» FortiGuard IP Reputation Service:
 IP addresses that have been blacklisted
FortiGuard Updates

Fail-open

 The fail-open feature is a fail-to-wire mechanism which is triggered by any of these unit events:
» Shut down
» Reboot
» Unexpected power loss
 When activated, all the traffic crosses the FortiWeb uninspected and without proxy (like a wire)
 Supported only in transparent operational modes and on appliances with CP7 processors
 Fail-open cannot be enabled if the FortiWeb unit is a member of a High Availability (HA) cluster
Fail-Open Configuration

(Screenshot callouts: connectivity is interrupted; connections are passed through; policy and profile filtering is bypassed)
High Availability (HA)

 A cluster of two FortiWeb units can be configured in Active-Passive or Active-Active mode
 The following requirements must be met:
» Identical hardware platform
» Identical firmware version
» Identical operational mode
HA topology

Heartbeat Interface

 Physical ports with an IP address configured cannot be used as heartbeat interfaces
 The heartbeat interface is used for keepalive messages and synchronization
 The slave’s configuration is synchronized with the master’s every 30 seconds
Fail-over

 A fail-over can be triggered by one of the following reasons:
» Interruption in the heartbeat traffic, according to the configured detection interval and lost threshold
» A link failure event on a monitored port
HA Configuration

Firmware upgrade

 Starting from FortiWeb 4.4, the HA upgrade process is seamless:
» The master automatically sends the new firmware to the slave
» The slave upgrades its firmware first and reboots
» After rebooting, the slave becomes the master unit
» The original master then upgrades its firmware and reboots
Why Log Externally?

 Logs & reports exist on FortiWeb, but …
 Flexibility. FortiAnalyzer reports are more customizable
 Performance. Extensive, frequent attack/traffic logs:
» Reduce FortiWeb performance
 Increases disk access related CPU load
 By default, traffic logs are stored in RAM only – ephemeral (can override this via CLI)
» Increase risk of premature hard disk failure
 Scalability. Not limited to local FortiWeb storage capacity
 Visibility. For forensics, use FortiAnalyzer or a 3rd party SIEM to correlate logs from your network ecosystem & show the whole attack
» FortiGate, FortiDB, FortiADC logs
» 3rd party logs such as Apache/IIS/nginx
Setup on FortiAnalyzer

External Logging to a FortiAnalyzer

1. Enable ADOMs on FortiAnalyzer.
» If using FortiWeb ADOMs, also enable “advanced ADOM” mode on FortiAnalyzer
2. Create an ADOM for FortiWeb devices. (Initializes a new database that matches their specific log schema.)
3. On the FortiAnalyzer device list, add an ADOM with FortiWeb.
4. Configure FortiAnalyzer with event handlers (for log notification) and report datasets (SQL queries).
» Alternatively, external reporting engines can query the database
» Schema is available
5. Configure FortiWeb to send logs to FortiAnalyzer.
FortiWeb Training
Policies and Profiles


Server Policies

 Server Policies are used to:
» Determine which connections are allowed or blocked
» Apply protection policies which specify how traffic is inspected
 Only one policy is applied per HTTP/S connection
 If there is no matching policy, behavior is mode dependent
» In Reverse Proxy mode, all non-matching traffic is denied
» With all other modes, all non-matching traffic is allowed
Web Protection Profiles Definition

 Web Protection Profiles are used to define the type of inspection to perform on the network traffic
 Two types of Web Protection Profiles:
» Inline Web Protection
» Offline Web Protection
Configuration Steps for Reverse-Proxy

(Diagram of the configuration objects, numbered 1 to 5 in order of creation: Web Protection Policy and Web Protection Profile; Virtual Server; Physical Server or Server Farm; DoS Policy; Application Delivery Policy; and finally the Server Policy that references the other objects.)

Configuration Steps for Transparent Modes

(Diagram as above, with a V-Zone in place of the Virtual Server, a Server Farm, an Application Delivery Policy, and a DoS Policy marked (*) Only in True Transparent Proxy mode; the Server Policy is created last.)

Configuration Steps for Offline Protection

(Diagram as above, with a Server Farm in which one port is selected as the “Data Capture Port”, a Web Protection Policy and Profile, an Application Delivery Policy, and the Server Policy.)
Policy Behavior by Operational Mode
Behavior | Reverse Proxy | Offline Protection | True Transparent Proxy | Transparent Inspection
Matches by | Server port, Virtual Server | Data Capture Port, Server Farm | V-zone (bridge), Server Farm | V-zone (bridge), Server Farm
Violations | Block, Modify | Attempt to block by sending TCP reset | Block, Modify | Attempt to block by sending TCP reset
SSL capabilities | Offloading, optional re-encryption | Decrypt and scan only | Decrypt and scan only | Decrypt and scan only
Forwarding | Forwarding to a single server, or load balancing to server farm | Pass-through to server farm member | Pass-through to server farm member | Pass-through to server farm member
Creating a Virtual Server

 In Reverse Proxy mode, the FortiWeb unit replies to ARP requests looking for the MAC address of the Virtual Server IP addresses
Creating a Server Pool

 Server Pools define the physical IP addresses of the real web servers
 Physical servers can be grouped into Server Pools
Server Farms

 Physical Servers can be grouped into Server Pools:
» Reverse Proxy Mode: traffic is load balanced (forwarded) among the members of the server pool
» Offline Protection/Transparent Modes: traffic is passed through to the members of the server pool
Load Balancing

 The following load balancing algorithms can be used to distribute new connections among the physical servers of a server farm:
» Round Robin
» Weighted Round Robin
» Least Connection
» HTTP session based Round Robin
Round Robin

 Distributes any new connection to the next physical server in the server farm, regardless of weight, response time, traffic load, or number of existing connections
(Diagram: FortiWeb sending successive connections to web application servers 1, 2 and 3 in turn)
Weighted Round Robin

 Similar to the round robin method, except that physical servers with a higher weight value receive a larger percentage of connections
 For example: for every 10 requests sent to physical server wg1, wg2 receives 2 requests
Least Connection

 Distributes any new connection to the physical server with the fewest number of existing, fully-formed connections
HTTP Session Based Round Robin

 Distributes any new TCP connection (if it is not associated with an existing web session) to the next physical server in the server farm
 However, if the new TCP connection is associated with an existing web session, it is distributed to the same physical server that has been receiving all the previous related connections
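The four algorithms from the Load Balancing slides, worked as one small server pool model. This is an added example, not FortiWeb code; the member names, the wg1/wg2 weights of 10 and 2 from the Weighted Round Robin slide, and the session-cookie handling are constructed for illustration.

```python
import itertools
from typing import Dict, List, Optional


class ServerPool:
    """Distributes new connections over pool members with the four algorithms the slides list."""

    def __init__(self, members: List[str], weights: Optional[Dict[str, int]] = None):
        self.members = list(members)
        self.weights = weights or {m: 1 for m in self.members}
        self.connections = {m: 0 for m in self.members}   # open, fully-formed connections
        self._rr = itertools.cycle(self.members)
        self._wrr_queue: List[str] = []
        self._sessions: Dict[str, str] = {}               # session cookie value -> member

    def round_robin(self) -> str:
        # Next member in turn, ignoring weight, load and existing connections.
        return next(self._rr)

    def weighted_round_robin(self) -> str:
        # One full cycle contains each member as many times as its weight, so with
        # weights wg1=10 and wg2=2, wg1 receives 10 requests for every 2 sent to wg2.
        if not self._wrr_queue:
            for m in self.members:
                self._wrr_queue.extend([m] * self.weights[m])
        return self._wrr_queue.pop(0)

    def least_connection(self) -> str:
        # Member with the fewest open connections; ties go to the earliest member.
        return min(self.members, key=lambda m: (self.connections[m], self.members.index(m)))

    def http_session_round_robin(self, session_cookie: Optional[str]) -> str:
        # A TCP connection carrying a known web session goes to the same member as before;
        # connections without a session, or with a new one, are assigned round robin.
        if session_cookie and session_cookie in self._sessions:
            return self._sessions[session_cookie]
        member = self.round_robin()
        if session_cookie:
            self._sessions[session_cookie] = member
        return member

    def open_connection(self, member: str) -> None:
        self.connections[member] += 1

    def close_connection(self, member: str) -> None:
        self.connections[member] -= 1
```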
Session Persistence

 Session = sequence of related requests from a non-idle client
 Without sessions to correlate separate HTTP requests, FortiWeb’s load balancer will distribute the next request to a different back-end web server
 Breaks many types of features if there are no sessions
» Login is required, only the 1st server remembers the login
» Shopping cart without shared session memory/DB
» Etc.
 If FortiWeb must forward a client session’s requests to the same server, select a persistence method in the server pool
Session Persistence (cont.)

 Methods to define a session: client IP- or HTTP cookie-based
» Client IP to same server IP
 Dynamic source NAT could break session persistence
» Hint from existing web app cookie: that cookie to same server
 PHPSESSID
 JSESSID
 ASPSESSID
 Custom (indicate name with Persistent Cookie)
» Insert a cookie named cookiesession2: send that cookie to same server
 Client-side cookie blocking could break session persistence
 Not the same as FortiWeb’s security scanning session cookie, cookiesession1
 Different purpose, different “session”
Server Health Checks

 Server health checks are used to monitor physical servers for responsiveness
Server Policy for Single-Server Reverse Proxy

Certificate Management

 The FortiWeb unit requires the use of digital certificates for the
following tasks:
» SSL offloading and content scanning (Reverse Proxy only)
» HTTPS session content scanning (Transparent modes and Offline
Protection)

Certificate Signing Request

 A certificate request file containing the public key and subject information can be generated from the FortiWeb’s GUI
 The resulting .csr file can then be submitted and signed by a Certificate Authority
Certificate Status

 When the Certificate Request form has been completed, the certificate appears as PENDING
 An administrator can download the .csr file in Base-64 format and submit it to a CA to obtain the signed certificate
Certificate Importing

 The CA-signed certificate can be imported on the FortiWeb unit (Base-64 format)
 Successfully imported certificates can be used in Server Policies
SSL Offloading

 The FortiWeb unit can be configured to handle SSL negotiations, encryption and decryption on behalf of the physical servers
 SSL 3.0, TLS 1.0, and TLS 1.1 are supported
 Available in Reverse Proxy mode only
Server Policy SSL Offloading

(Screenshot callouts: select a service; set of rules (CRL, etc.) to verify client certificates)
SSL Inspection

 When the FortiWeb unit operates in either Offline Protection or one of the Transparent Modes, the option “SSL” must be enabled in the Server Pool members to decrypt and scan HTTPS connections
Customized Services

 The administrator can create customized services if virtual servers receive traffic on non-standard TCP port numbers
FortiWeb Training
Web Protection


Web Protection Profile

 Determines the type of inspection to perform on HTTP/HTTPS connections
 Organized into sections
 Some options require the use of “Session Management”
Standalone IP or Shared IP

 The FortiWeb unit checks the identification field of the IP header to classify an IP address as standalone or shared (for example, more than one user sharing a single public IP address)
 If this field changes randomly and not sequentially, the IP address is considered shared – otherwise, it is standalone
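The standalone-versus-shared heuristic above, worked on a sequence of IP Identification values from one source address. This is an added illustration, not FortiWeb’s implementation; the step size and ratio thresholds are constructed assumptions, and the classifier also handles the 16-bit wraparound of the field.

```python
from typing import List

IP_ID_MODULUS = 65536  # the IPv4 Identification field is 16 bits wide


def classify_source_ip(ip_ids: List[int], max_step: int = 16, min_sequential: float = 0.8) -> str:
    """Classify one source address from the IP ID values seen on its successive packets.

    A single host typically increments the ID field, so consecutive packets differ by a
    small positive step. Many hosts behind one NAT address, or a host that randomizes
    the field, produce large or non-monotonic jumps. Thresholds are constructed
    assumptions for this example, not FortiWeb's internal values.
    """
    if len(ip_ids) < 2:
        return "unknown"
    # Step between consecutive packets, modulo 2^16, so a wrap from 65535 to 0 still
    # counts as sequential rather than as a random jump.
    steps = [(nxt - cur) % IP_ID_MODULUS for cur, nxt in zip(ip_ids, ip_ids[1:])]
    sequential = sum(1 for s in steps if 1 <= s <= max_step)
    return "standalone" if sequential / len(steps) >= min_sequential else "shared"
```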
Shared IP Configuration

IP List

 Black IP addresses
» They are not allowed to connect to the protected web servers
 Trust IP addresses
» They are exempted from most of the protection scans and policies
Brute Force Login

 It attempts to penetrate systems by using computational power and different combinations of usernames and passwords
 Brute force login sensors track the rate at which each source IP address makes requests for specific URLs
 If the rate exceeds the threshold, additional requests are blocked for a specific period of time
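A sensor of the kind the slide describes, as an added example (not FortiWeb code): it counts requests per source IP to a monitored login URL over a sliding window and, once the threshold is exceeded, blocks that source for a period. The URL, threshold, window and block period are constructed defaults.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple


class BruteForceLoginSensor:
    """Rate-limits requests to a login URL per source IP and period-blocks offenders.

    Parameter values are constructed defaults for this example.
    """

    def __init__(self, login_url: str, max_requests: int = 5,
                 window_s: float = 60.0, block_period_s: float = 300.0):
        self.login_url = login_url
        self.max_requests = max_requests
        self.window_s = window_s
        self.block_period_s = block_period_s
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)   # src_ip -> request timestamps
        self._blocked_until: Dict[str, float] = {}

    def observe(self, src_ip: str, url: str, ts: float) -> Tuple[str, str]:
        """Return (verdict, reason) for one request; verdict is 'allow' or 'block'."""
        if url != self.login_url:
            return "allow", "not a monitored login URL"
        until = self._blocked_until.get(src_ip)
        if until is not None:
            if ts < until:
                return "block", f"{src_ip} is in a period block until t={until:g}"
            del self._blocked_until[src_ip]      # period expired: start counting afresh
            self._hits[src_ip].clear()
        hits = self._hits[src_ip]
        hits.append(ts)
        while hits and ts - hits[0] > self.window_s:  # drop requests outside the sliding window
            hits.popleft()
        if len(hits) > self.max_requests:
            self._blocked_until[src_ip] = ts + self.block_period_s
            return "block", f"{src_ip} exceeded {self.max_requests} requests in {self.window_s:g}s"
        return "allow", "under threshold"
```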
Brute Force Login Entry

HTTP Protocol Constraints

 Protection against buffer overflow attacks for web servers that do not restrict the maximum length of some elements of the HTTP protocol
 Protection against vulnerabilities related to illegal host names, HTTP version and HTTP request methods
Protocol Constraints Configuration

Cookies Overview

 The HTTP protocol was not designed to maintain state for the same user across successive requests
 Cookies were introduced to achieve session management
Cookies Sequence

Cookie Poison

 While cookies are supposed to be stored and sent back to the server unchanged, an attacker may modify the cookie and send a different one
 The aim is to steal someone else’s identity and get access to confidential data
Cookie Poison Detection

 To detect any change in the cookies, the FortiWeb unit encrypts the digest of the cookie. This value is added as an additional cookie to the cookie list with the syntax:
“AuthCookie_fortinet_waf_auth=<ENC>”
 If the attacker replies with a different cookie, the digest will not match
 When a cookie poison attack is detected, one of the following actions can be triggered:
» Alert and deny
» Remove cookie
» Alert
» Period block
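The detection mechanism described above, worked as an added example (not FortiWeb’s code): a keyed digest over the application cookies is issued as the extra AuthCookie_fortinet_waf_auth cookie and recomputed on the next request, with the four actions from the slide applied on mismatch. The key, the HMAC-SHA256 construction and the canonical form are assumptions made for this example.

```python
import hmac
import hashlib
from typing import Dict, Tuple

# Constructed secret for this example; a real WAF would use a per-device key that never leaves it.
WAF_KEY = b"constructed-example-key-do-not-reuse"
AUTH_COOKIE = "AuthCookie_fortinet_waf_auth"   # cookie name from the slide


def cookie_digest(cookies: Dict[str, str]) -> str:
    """Keyed SHA-256 digest over the application's own cookies, canonicalised so that the
    order of cookies in the header does not matter. (HMAC is an assumption of this example.)"""
    app_cookies = sorted((k, v) for k, v in cookies.items() if k != AUTH_COOKIE)
    canonical = "\n".join(f"{k}={v}" for k, v in app_cookies)
    return hmac.new(WAF_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def protect_set_cookies(set_cookies: Dict[str, str]) -> Dict[str, str]:
    """Server-to-client direction: append the digest cookie to the cookies the server sets."""
    out = dict(set_cookies)
    out[AUTH_COOKIE] = cookie_digest(set_cookies)
    return out


def check_cookies(cookies: Dict[str, str], action: str = "alert_deny") -> Tuple[str, Dict[str, str]]:
    """Client-to-server direction: recompute the digest and compare it with the one presented.

    Returns (verdict, cookies_to_forward). Verdicts mirror the slide's actions: 'pass',
    'alert_deny' (request dropped), 'remove_cookie' (tampered cookies stripped, request
    continues), 'alert' (logged, forwarded unchanged) and 'period_block'.
    """
    presented = cookies.get(AUTH_COOKIE)
    if presented is not None and hmac.compare_digest(presented, cookie_digest(cookies)):
        # Digest matches: forward the application cookies, dropping the WAF's own cookie.
        return "pass", {k: v for k, v in cookies.items() if k != AUTH_COOKIE}
    if action == "remove_cookie":
        return action, {}           # strip every application cookie the digest covered
    if action == "alert":
        return action, {k: v for k, v in cookies.items() if k != AUTH_COOKIE}
    return action, {}               # alert_deny / period_block: nothing is forwarded
```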
Start Page

 Protection against state-based attacks
 Define the valid starting URL for a web application
 Used to enforce the use of the starting page each time a user starts accessing the web application
 Clients must begin from the starting page if they want to initiate a new HTTP session
Start Page Configuration

Actions:
• Alert
• Alert&Deny
• Period Block
• Redirect
• Send 403 Forbidden
Page Access

• Define URLs that must be accessed in a specific order
» To enforce the business logic of a web application
» To prevent cross-site request forgery (CSRF) and other state-based attacks

Example: Given the page access rule set shown below:
» /addToCart.do?item=*
» /checkout.do?login=*
» /shipment.do
» /payment.do
If a user accesses the checkout.do page before addToCart.do, the FortiWeb unit can block the request
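The ordering check from the example above, worked as an added illustration (not FortiWeb’s code) over the slide’s four-rule set: each session must reach the rule-set pages in order, “*” acting as a wildcard, while URLs outside the rule set are left alone. The session identifier and the handling of revisited earlier steps are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# The rule set from the slide, in the order the pages must be visited; "*" matches any text.
PAGE_ACCESS_RULES: List[str] = [
    "/addToCart.do?item=*",
    "/checkout.do?login=*",
    "/shipment.do",
    "/payment.do",
]


def _to_regex(pattern: str) -> "re.Pattern[str]":
    # Escape everything (including the literal "?"), then turn "*" back into a wildcard.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


class PageAccessSensor:
    """Enforces that each session reaches the rule-set pages in the configured order."""

    def __init__(self, rules: List[str] = PAGE_ACCESS_RULES):
        self.rules = rules
        self._patterns = [_to_regex(r) for r in rules]
        self._progress: Dict[str, int] = {}   # session id -> index of the furthest step reached

    def _rule_index(self, url: str) -> int:
        for i, pat in enumerate(self._patterns):
            if pat.match(url):
                return i
        return -1

    def check(self, session_id: str, url: str) -> Tuple[bool, str]:
        """Return (allowed, reason). URLs outside the rule set are never restricted."""
        idx = self._rule_index(url)
        if idx < 0:
            return True, "url not in rule set"
        reached = self._progress.get(session_id, -1)
        if idx <= reached + 1:      # the next step, or a step this session already completed
            self._progress[session_id] = max(reached, idx)
            return True, f"step {idx + 1} of {len(self.rules)}"
        return False, f"{url} requested before {self.rules[reached + 1]}"
```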
Page Access Configuration

 Either literal URLs or regular expressions can be used for the URL patterns
URL Access

 Define if an HTTP request will be blocked or allowed based on the hostname and URL
URL Access Configuration

 URL Access Rules are then assigned to a URL Access Policy
Parameter Validation

 Defines which parameters in a form are mandatory
 Sets limits for the maximum length of each parameter
 Defines the mandatory format or data type for each parameter
 Applicable to visible input only, not to hidden inputs
Parameter Validation Rules

 Validation rules must be created first and then assigned to a Validation Policy
 Data Types can be customized
Upload Restriction Rules

 Limits the file size and file types that can be uploaded to a
protected server

Upload Restriction Policy

 You can enable AV scan, Trojan Detection and sending files to FortiSandbox
IP Reputation

 Regularly updated if you have subscribed the FortiWeb to the FortiGuard IP Reputation service
 FortiGuard maintains a list of public IP addresses with their reputation and category
 An IP’s reputation is poorer if it is known to have been participating in attacks
 The category defines the type of attack an IP address has been involved in
IP Reputation Policy

 It is a global setting that specifies the actions to take depending on the reputation category of a blacklisted IP address
Allow Known Search Engines

 Search engines, such as Google or Yahoo!, retrieve the entire website content for offline access. They often access web sites at a more rapid rate than human users
 When enabled, known search engines are exempted from:
» DoS sensors
» Brute force login sensors
» HTTP protocol constraints
» Access Control
 FortiWeb uses the source IP addresses of the packets to know if the traffic is coming from a known search engine
Known Search Engines

Signature Policies

 Signature Policies are used to protect web servers from:
» Cross-site scripting (XSS) attacks
» SQL injection
» Common exploits
» Generic Attacks
» Bad Robots
» Trojans
» Information Disclosure
» Credit card detection
 The “Extended” signatures are more likely to cause false positives, but may be required in high-security environments
Signature Policy Configuration

Cross Site Scripting (XSS)

 An attacker injects client-side script into a web page viewed by a different user
 Exploits flaws or weaknesses in web applications that do not validate or encode user input prior to generating output
 The variety of attacks based on XSS is limitless, but they commonly include transmitting private data like cookies or other session information to the attacker
SQL Injection

 Aim of attack is to insert SQL statements into the data input going from the user to the application
 A successful SQL injection exploit can perform tasks such as:
» Read sensitive data from the database
» Modify database data (Insert/Update/Delete)
» Execute administrative operations on the database (such as shutting down the DB management system)
» Recover the content of a file present on the DB file system
Other Signature Policy Options

 ‘Trojans’ includes the signatures for known Trojans, viruses, malware, and greyware
» You must also configure a file upload restriction policy with AV scan enabled
 Information Disclosure detects server error messages and other sensitive messages in the HTTP headers, such as CF Information Leakage
 Bad Robots
 Credit Card Detection
Fine Tuning the Signature Policy

 Signature policies can be individually enabled or disabled
 URL exceptions can be added to each individual signature
Anti-Defacement

 A defacement attack changes the visual appearance of the web site
 Hackers usually leave a message with their pseudonym and the reason for the attack
 The Anti-Defacement feature monitors web site files for any changes at specified time intervals
 If a change is detected, the FortiWeb unit can notify the administrator and/or automatically restore the web site contents to the previous backup revision
Anti-Defacement Configuration

How Anti-Defacement Works

 The FortiWeb unit takes a backup of all the files matching the configured policy. It also stores a checksum of them
 At configurable intervals, the FortiWeb unit recomputes the checksum of the files being monitored
 If a change is identified, the administrator has three possibilities:
» Delete the file(s) altogether
» Acknowledge the changes, thereby accepting them
» Restore the files to a previous revision kept by the FortiWeb unit
FortiWeb User Tracking

 Automatic recognition of user logins
 Users tracked throughout entire session by binding user name to session ID
 Suspicious activity can be traced back to user account
 All activity tracked, ‘good’ and ‘bad’
 Login pages set up by Admin
 Aids in attack forensics and identifying malicious/compromised users
(Diagram: Joe – Active, Session ID: 3450001AB, Login Page, Account Page, Admin Page; Mark – Active, Session ID: 5499459DE, Login Page, Product Pages, Shopping Cart; Jessica – Not Active, Session ID: N/a, will be tracked once logged into application; John – Logged Out, Session ID: 9984578C2, Login Page, Product Pages, Shopping Cart. Activity stored in logs.)
FortiWeb User Tracking

Web Vulnerability Scan

 Used to detect known vulnerabilities on your web server and applications such as:
» SQL Injection
» Cross Site Scripting
» Source code disclosure
» OS Commanding
 Required for regulations and certification compliance such as the Payment Card Industry Data Security Standard (PCI DSS)
Vulnerability Scan Preparation

 Do not scan live web sites
» Duplicate the web site and its database into a test environment and then perform the scan in that environment
 Disable rate limiting for connections originating from the IP address of the FortiWeb unit
 Schedule an appropriate time to run the vulnerability scan
Vulnerability Scan Profile

 The Web Vulnerability Scan Profile defines the following:
» Web server to scan
» Specific vulnerabilities to scan for
» Login options
» List of URLs to scan
» Scan Mode:
 Basic
 Enhanced
Vulnerability Scan Profile Configuration

Vulnerability Scan Schedule

Vulnerability Scan Policy

 The vulnerability scan policy defines:
» The vulnerability scan profile to use
» The type of scan (immediate or scheduled)
» The format of the report
Vulnerability Scan Report

Vulnerability Report Details

Third Party Scanner – Virtual Patching
 Automatically use scan results to virtually patch vulnerabilities
 XML integration customized to each scanning service
 Partners
» IBM AppScan
» HP WebInspect
» WhiteHat
» Acunetix
» Qualys
(Diagram: a third-party scanner finds vulnerabilities in the web application and exports them as XML; FortiWeb imports the XML and creates automatic vulnerability patches)
Virtual Patching

FortiWeb Training
Application Delivery and DoS Protection


Authentication Offload
 A FortiWeb unit can force users to authenticate before allowing the
access to a web page
 The following authentication methods are supported:
» Local user
» LDAP
» NTLM
» RADIUS
 Configuration steps:
» Local Users and/or Remote Servers
» User Group
» Authentication Rules
» Authentication Policy
» Apply the Authentication Policy to a Web Protection Profile

Local User

 User accounts and credentials are stored locally in the FortiWeb

Remote Server (Radius example)

 User accounts and credentials are stored in a remote authentication server that could be LDAP, Radius or NTLM
Authentication Rule

 User groups are applied to Authentication Rules

143
Authentication Policy

 Authentication Rules are applied to Authentication Policies
 The ‘Alert Type’ setting specifies what to log

144
Authentication Offloading Sequence

145
File Compress Policy

 Data compression services can be offloaded to the FortiWeb unit
 The FortiWeb unit compresses the individual files (based on the
types you select) that make up the page
 The maximum pre-compressed file size is 64 KB
» Files larger than this limit are transmitted uncompressed
» Specific pages can be exempted through the policy settings

146
File Compress Policy Configuration

 Allows efficient bandwidth utilization and faster response time to
users
 Provides security scanning for compressed data

147
Offloading Response Compression

 FortiWeb compresses, not servers
» Client decompresses if this header exists:
» Content-Encoding: gzip
» RPC clients often cannot compress
 Reduces total bandwidth for files that comprise a web page
» Efficient WAN bandwidth use
» Faster response time to users
» Tradeoff: Takes some CPU time
 Maximum pre-compressed file size varies by RAM & config.
» FortiWeb’s buffer size: System > Config > Advanced
» If file is too big for buffer, can’t be compressed

148
Configuring the Cache

150
Why Redirect Clients?

 Client requests directory but forgets trailing slash (/)
» Server might look for file of that name, which does not exist…
 Moved web pages/applications/servers
 Avoid 404 Not Found errors
 Redirect to secure channel (HTTPS)
» Return 301 Moved Permanently code and rewrite <a> hyperlinks
in HTML body
» Use together with injecting HSTS header

151
How Redirects Work

Client side (client ↔ FortiWeb)

GET /rss.xml HTTP/1.1
Host: www.example.com
Connection: keep-alive…

HTTP/1.1 302 Object moved
Location: http://www.example.com/feed
Content-Type: text/html
Set-Cookie: cookiesession2=CXYTNTFEIZ…

GET /feed HTTP/1.1
Host: www.example.com
Connection: keep-alive
Cookie: cookiesession2=CXYTNTFEIZ…

HTTP/1.1 200 OK
Last-Modified: Wed, 01 Apr 2015 07:59:17 GMT
ETag: "810-4f61ec71f1f40"
Content-Length: 12064…

Server side (FortiWeb ↔ web server)

GET /feed HTTP/1.1
Host: www.example.com
Connection: keep-alive
Cookie: cookiesession2=CXYTNTFEIZ…

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Wed, 01 Apr 2015 07:59:17 GMT
ETag: "810-4f61ec71f1f40"
Content-Length: 12064…

152
Packet Trace: ARP through HTTPS Redirect

[Packet capture screenshot; the callouts mark the following steps]
1. Client gets MAC of link to virtual server’s IP (ARP)
2. Client TCP handshake
3. HTTP request
4. Back-end TCP connection from FortiWeb to server
5. HTTPS redirect
6. Client requests again, now via HTTP inside TLS 1.2

153
Why Rewrite?

 Caches often don’t work if URL has parameters
 Human-readable URLs are easier to remember
» Search engines give these a better rank
 Translate public Internet DNS names to private network hosts
» store.example.com to nginx1.example.com etc.
 Access control
» Return copyright notice if other sites are hot linking, or…
» Return 403 Forbidden
 Cloak information disclosure
» Don’t show “.asp” etc. file names
» Don’t show “/drupal” etc. folder names
 Replace vulnerable functions
 Sanitize responses during post-compromise cleanup
» Protect your clients from DB-stored XSS attacks

154
How Rewrites Work

Client → FortiWeb (public URL)

GET /login HTTP/1.1
Host: www.example.com
Connection: keep-alive…

FortiWeb → web server (rewritten URL)

GET /wp-login.php HTTP/1.1
Host: www.example.com
Connection: keep-alive
Cookie: cookiesession2=CXYTNTFEIZ…

Web server → FortiWeb

HTTP/1.1 200 OK
Last-Modified: Wed, 01 Apr 2015 07:59:17 GMT
ETag: "810-4f61ec71f1f40"
Content-Length: 12064…

FortiWeb → client

HTTP/1.1 200 OK
Last-Modified: Wed, 01 Apr 2015 07:59:17 GMT
ETag: "810-4f61ec71f1f40"
Content-Length: 12064…
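Added example, not FortiWeb's code: a small model of the redirect and rewrite behaviour from the two preceding slides in one request handler, covering the HTTP-to-HTTPS 301 with HSTS, the 302 for a moved page, the missing trailing slash, the public-to-back-end URL rewrite, `<a href>` rewriting in the body and removal of the origin's Server header. The rewrite tables, the directory list and `fake_backend` are constructed stand-ins.

```python
import re

PUBLIC_HOST = "www.example.com"
HSTS = "max-age=31536000"
# Constructed table of moved pages: old URL -> new URL (answered with 302)
MOVED = {"/rss.xml": "/feed/"}
# Constructed rewrite table: public URL -> back-end URL (hides the ".php" name)
REWRITES = {"/login": "/wp-login.php"}
# Paths the constructed back end serves only as directories (trailing slash)
DIRECTORIES = {"/feed", "/docs"}


def rewrite_links(html):
    """Rewrite absolute http:// <a href> links to this site into https://."""
    return re.sub(r'(<a\b[^>]*\bhref=")http://' + re.escape(PUBLIC_HOST),
                  r"\1https://" + PUBLIC_HOST, html)


def handle_request(path, is_https, backend):
    """Return (status, headers, body) as the proxy would answer the client.

    `backend(path)` stands in for the real web server and returns the same
    triple; the proxy never passes a 404 for a slash-less directory through."""
    # 1. Plain HTTP: permanent redirect to the secure channel.
    if not is_https:
        return 301, {"Location": f"https://{PUBLIC_HOST}{path}"}, ""
    # 2. Moved page: point the client at the new location.
    if path in MOVED:
        return 302, {"Location": f"https://{PUBLIC_HOST}{MOVED[path]}",
                     "Strict-Transport-Security": HSTS}, ""
    # 3. Directory requested without its trailing slash: redirect, not 404.
    if path in DIRECTORIES:
        return 301, {"Location": f"https://{PUBLIC_HOST}{path}/",
                     "Strict-Transport-Security": HSTS}, ""
    # 4. Rewrite the public path to the back-end path before forwarding.
    status, headers, body = backend(REWRITES.get(path, path))
    # 5. Cloak the origin: drop Server, inject HSTS, fix links in the body.
    headers = {k: v for k, v in headers.items() if k.lower() != "server"}
    headers["Strict-Transport-Security"] = HSTS
    return status, headers, rewrite_links(body)


def fake_backend(path):
    """Constructed stand-in for the origin server behind the proxy."""
    pages = {"/wp-login.php": '<a href="http://www.example.com/feed/">RSS</a>',
             "/feed/": "<rss/>"}
    if path in pages:
        return 200, {"Server": "Apache", "ETag": '"810-4f61ec71f1f40"'}, pages[path]
    return 404, {"Server": "Apache"}, "Not Found"
```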

155
Config Rewrite

156
Denial of Service Protection

 FortiWeb offers protection against different types of DoS attacks
» SYN flood, low-rate DoS, slowloris, slow POST attack
 Organized by which Open Systems Interconnection (OSI) model
layer they limit:
» Application layer (HTTP or HTTPS)
» Network and Transport layer (TCP/IP)

157
HTTP Access Limit

 Sets a limit on the number of HTTP requests coming from a single IP address
» It offers a mechanism to validate that the requests are coming from a real
browser
» Performs a specified action if the rate of requests exceeds the limit

158
Real Browser Enforcement

 Hackers sometimes use automated attack tools to send
overwhelming amounts of requests to a target web site
 If the request limit is reached, the FortiWeb sends back a web
page, which includes a JavaScript file that validates the client
 The validation must occur within the timeout defined
 If the validation fails, the specified action is executed

159
Malicious IPs

 Limits the number of TCP connections per HTTP session cookie to
protect socket usage
 If the number of connections exceeds the limit, the specified action
is performed

160
HTTP Flood Prevention

 Limits the number of HTTP requests with the same session cookie
 If Real Browser Enforcement is enabled and the limit is reached,
the FortiWeb will validate if the requests are coming from a real
browser
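Added example, not FortiWeb's implementation: a sliding-window limiter that models the HTTP Access Limit and Real Browser Enforcement slides above. Keyed by source IP it is the access limit; keyed by the session cookie instead, the same class models HTTP Flood Prevention. The limit, window, timeout, the `"ok"` challenge answer and the default `"block"` action are constructed.

```python
from collections import defaultdict, deque


class HttpAccessLimiter:
    """Sliding-window request limit with a real-browser challenge.

    Constructed model, not FortiWeb's code. `key` is the source IP (HTTP
    Access Limit) or the session cookie (HTTP Flood Prevention). A key that
    exceeds `limit` requests within `window` seconds is served the challenge
    page; the client must answer it within `challenge_timeout` seconds or
    `action` is applied to it."""

    def __init__(self, limit, window, challenge_timeout, action="block"):
        self.limit, self.window = limit, window
        self.challenge_timeout, self.action = challenge_timeout, action
        self.hits = defaultdict(deque)   # key -> timestamps of recent requests
        self.pending = {}                # key -> deadline for the challenge answer

    def request(self, key, now, challenge_answer=None):
        """Return 'allow', 'challenge', or the configured action."""
        if key in self.pending:
            deadline = self.pending[key]
            if now > deadline:              # validation did not happen in time
                del self.pending[key]
                return self.action
            if challenge_answer == "ok":    # the JavaScript challenge was solved
                del self.pending[key]
                self.hits[key].clear()
                return "allow"
            return "challenge"              # still waiting for the answer
        recent = self.hits[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:   # drop old requests
            recent.popleft()
        if len(recent) > self.limit:
            self.pending[key] = now + self.challenge_timeout
            return "challenge"
        return "allow"
```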

161
TCP Flood Prevention

 Limits TCP connections per source IP address
 Only standalone IP addresses (no shared IPs) are counted

162
Applying DoS Protection

Steps:
1. Create individual DoS Protection Rules
2. Group the DoS Protection Rules by creating a DoS Protection
Policy
3. Apply the DoS Protection Policy to the Web Protection Profile

163
Stronger DDoS Protection?

 Choose the right tool for the job & layer up
 If your apps are high-profile targets & mission critical, think
industrial-grade DDoS protection – add a FortiDDoS
» Specialized hardware (ASICs) to approach line speed inspection
» Learns your normal traffic patterns and automatically adapts
» Defends all downstream devices, not just HTTP
 FortiWeb can block many DDoS attacks, but…
» IP/TCP/HTTP only
» ASICs are for bypass, cryptography, patterns, not network anomaly analysis
» Performance depends on software and CPU – may not be powerful enough
against massive DDoS attacks

164