Fortinet 203 FortiWeb 5.0 Patch 6 Administration Guide
Testing for vulnerabilities & exposure
Even if you are not a merchant, hospital, or other agency that is required by law to demonstrate compliance with basic security diligence to a regulatory body, you still may want to verify your security.
• Denial of service attacks can tarnish your reputation and jeopardize service income.
• Hacked servers can behave erratically, decreasing uptime.
• Malicious traffic can decrease performance.
• Compromised web servers can be used as a stepping stone for attacks on sensitive database servers.
To verify your configuration, start by running a vulnerability scan. See “Vulnerability scans” on page 505. You may also want to schedule a penetration test on a lab environment. Based upon results, you may decide to expand or harden your FortiWeb’s initial configuration (see “Hardening security” on page 608).
Expanding the initial configuration
After your FortiWeb appliance has operated for several days without significant problems, it is a good time to adjust profiles and policies to provide additional protection and to improve performance.
Begin monitoring the third-party cookies FortiWeb observes in traffic to your web servers. When cookies are found, an icon appears on Policy > Server Policy > Server Policy for each affected server. If cookies are threats, such as if they are used for state tracking or database input, consider enabling the Cookie Poisoning Detection option on the inline protection profiles for those servers.
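The following is an added illustration of the kind of check a cookie poisoning detector performs; it is not code from this guide and not FortiWeb’s implementation. An inline device that sees both directions of traffic can remember the cookie values a protected server sets for each client and flag a later request in which the client returns a different value (poisoning), or presents a cookie the server never issued (a third-party or client-invented cookie). The class name `CookieMonitor`, the client identifier, and the traffic in `demo()` are all constructed for the example.

```python
from http.cookies import SimpleCookie


class CookieMonitor:
    """Tracks the cookies a protected server sets per client and flags values
    that come back altered. Constructed illustration of a cookie-poisoning
    check; not FortiWeb's implementation."""

    def __init__(self):
        # client_id -> {cookie name: value the server last set for that client}
        self._issued = {}

    def observe_response(self, client_id, set_cookie_headers):
        """Record the Set-Cookie headers the server sent to this client."""
        issued = self._issued.setdefault(client_id, {})
        for header in set_cookie_headers:
            cookie = SimpleCookie()
            cookie.load(header)           # parses "name=value; Path=/; HttpOnly"
            for name, morsel in cookie.items():
                issued[name] = morsel.value

    def check_request(self, client_id, cookie_header):
        """Compare the cookies a client presents with what the server issued.

        Returns (poisoned, unknown): names whose value no longer matches what
        the server set, and names the server never set for this client."""
        issued = self._issued.get(client_id, {})
        cookie = SimpleCookie()
        cookie.load(cookie_header)        # parses "a=1; b=2" from a Cookie header
        poisoned, unknown = [], []
        for name, morsel in cookie.items():
            if name not in issued:
                unknown.append(name)
            elif morsel.value != issued[name]:
                poisoned.append(name)
        return poisoned, unknown


def demo():
    """Constructed exchange: the server issues a session id and a 'role'
    cookie; the client returns 'role' changed to 'admin' plus a tracking
    cookie the server never set."""
    mon = CookieMonitor()
    mon.observe_response("10.0.0.5", [
        "sessionid=abc123; Path=/; HttpOnly",
        "role=user; Path=/",
    ])
    return mon.check_request("10.0.0.5", "sessionid=abc123; role=admin; _ga=GA1.2.1")


if __name__ == "__main__":
    poisoned, unknown = demo()
    print("poisoned:", poisoned)   # role was issued as 'user', returned as 'admin'
    print("unknown:", unknown)     # _ga was never set by the protected server
```

A `role` cookie that the application trusts as state or as database input is exactly the case the guide describes; a value the client can change without the server noticing is why the check is worth enabling on the inline profile for that server.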
Add any missing rules and policies to your protection profiles, such as:
• page access rules (see “Enforcing page order that follows application logic” on page 411)
• start page rules (see “Specifying URLs allowed to initiate sessions” on page 415)
• brute force login profiles (see “Preventing brute force logins” on page 362)
• rewriting policies (see “Rewriting & redirecting” on page 367)
• denial-of-service protection (see “DoS prevention” on page 338)
Especially if you began in offline protection mode and later transitioned to another operation mode such as reverse proxy, new features may be available that were not supported in the previous operation mode.
Examine the Attack Event History in the Policy Summary widget on System > Status > Status. If you have zero attacks, but you have reasonable levels of traffic, it may mean the protection profile used by your server policy is incomplete and not detecting some attack attempts.