Fortinet 148 FortiWeb 5.0 Patch 6 Administration Guide
Configuring basic policies
As the last step in the setup sequence, you must configure at least one policy.
Until you configure a policy, by default, FortiWeb will:
• while in reverse proxy mode, deny all traffic (positive security model)
• while in other operation modes, allow all traffic (negative security model)
Once traffic matches a policy, protection profile rules are applied using a negative security
model — that is, traffic that matches a policy is allowed unless it is flagged as disallowed by
any of the enabled scans.
Keep in mind:
• Change policy settings with care. Changes take effect immediately after you click OK.
• When you change any server policy, you should retest it.
FortiWeb appliances apply policies, rules, and scans in a specific order, and that order determines the outcome for each request. (See “Sequence of scans” on page 23.) Review the logic of your server policies to make sure they deliver the web protection and features you expect.
This section contains examples to get you started:
• Example 1: Configuring a policy for HTTP via auto-learning
• Example 2: Configuring a policy for HTTPS
• Example 3: Configuring a policy for load balancing
Once completed, continue with “Testing your installation” on page 201.

Example 1: Configuring a policy for HTTP via auto-learning

In the simplest scenario, if you want to protect a single, basic web server (that is, one that does not use HTTPS) while FortiWeb is operating as a reverse proxy, you can save time configuring your policy by using the auto-learning feature.
To generate profiles and apply them in a policy
1. Create a virtual server on the FortiWeb appliance (Server Objects > Server > Virtual Server). When used by a policy, it receives traffic from clients.
2. Define your web server using its IP address (Server Objects > Server > Physical Server) or domain name (Server Objects > Server > Domain Server). When used by a policy, a physical or domain server defines the web server’s IP address to which accepted client traffic will be forwarded.