Fortinet 149 FortiWeb 5.0 Patch 6 Administration Guide
3. Create a new policy (Policy > Server Policy > Server Policy).
• In Name, type a unique name for the policy.
• In Virtual Server or Data Capture Port, select your virtual server.
• In HTTP Service, select the predefined HTTP service.
• In Physical Server, select your physical server.
• In Physical Server Port, if your web server does not listen on the standard port 80, type its
port number for incoming HTTP traffic.
• From WAF Auto Learn Profile, select the predefined auto-learning profile.
• From Web Protection Profile, select one of the predefined inline protection profiles.
Traffic should now pass through the FortiWeb appliance to your server. If it does not, see
“Troubleshooting” on page 630. Auto-learning gathers data based upon the characteristics
of requests and responses that it observes.
4. Use the auto-learning report to determine whether auto-learning has observed enough
URLs, parameters, and attacks (Auto Learn > Auto Learn Report > Auto Learn Report; see
“Auto-learning” on page 151).
5. Generate an initial configuration (Auto Learn > Auto Learn Report > Auto Learn Report, then
click Generate Config).
6. If necessary, modify the generated profiles to suit your security policy.
7. Modify the policy to select your generated profile in Web Protection Profile.
8. Disable auto-learning by deselecting the auto-learning profile in WAF Auto Learn Profile.
Example 2: Configuring a policy for HTTPS
If you want to protect a single HTTPS web server, and the FortiWeb appliance is operating in
reverse proxy mode, configuration is similar to Example 1: Configuring a policy for HTTP via
auto-learning. (Optionally, you can configure a server policy that includes both an HTTP service
and an HTTPS service.)
To be able to scan secure traffic, however, the FortiWeb appliance must also be configured to
decrypt it, and must be provided with the server’s certificate and private key.
To configure an HTTPS policy
1. Upload a copy of the web server’s certificate (System > Certificates > Local).
2. Configure a policy and profiles according to “Example 1: Configuring a policy for HTTP via
auto-learning” on page 148, except for auto-learning, which you will postpone until these
steps are complete.
When you use an auto-learning profile, any inline protection profile that you use with it
should have Session Management enabled.