Fortinet 5.0 Patch 6 Example 2: Configuring a policy for HTTPS

Fortinet 149 FortiWeb 5.0 Patch 6 Administration Guide

3. Create a new policy (Policy > Server Policy > Server Policy).

•In Name, type a unique name for the policy.

•In Virtual Server or Data Capture Port, select your virtual server.

•In HTTP Service, select the predefined HTTP service.

•In Physical Server, select your physical server.

•In Physical Server Port, if your web server does not listen on the standard port 80, type its

port number for incoming HTTP traffic.

•From WAF Auto Learn Profile, select the predefined auto-learning profile.

•From Web Protection Profile, select one of the predefined inline protection profiles.

Traffic should now pass through the FortiWeb appliance to your server. If it does not, see

“Troubleshooting” on page 630. Auto-learning gathers data based upon the characteristics

of requests and responses that it observes.

4. Use the auto-learning report to determine whether auto-learning has observed enough

URLs, parameters, and attacks (Auto Learn > Auto Learn Report > Auto Learn Report; see

“Auto-learning” on page 151).

5. Generate an initial configuration (Auto Learn > Auto Learn Report > Auto Learn Report then

click Generate Config).

6. If necessary, modify the generated profiles to suit your security policy.

7. Modify the policy to select your generated profile in Web Protection Profile.

8. Disable auto-learning by deselecting the auto-learning profile in WAF Auto Learn Profile.

Example 2: Configuring a policy for HTTPS

If you want to protect a single HTTPS web server, and the FortiWeb appliance is operating in

reverse proxy mode, configuration is similar to Example 1: Configuring a policy for HTTP via

auto-learning. (Optionally, you can configure a server policy that includes both an HTTP service

and an HTTPS service.)

To be able to scan secure traffic, however, the FortiWeb appliance must also be configured to

decrypt it, and must be provided with the server’s certificate and private key.

To configure an HTTPS policy

1. Upload a copy of the web server’s certificate (System > Certificates > Local).

2. Configure a policy and profiles according to “Example 1: Configuring a policy for HTTP via

auto-learning” on page 148, except for auto-learning, which you will postpone until these

steps are complete.

When you use an auto-learning profile, any inline protection profile that you use with it

should have Session Management enabled.