Fortinet 505 FortiWeb 5.0 Patch 6 Administration Guide
Vulnerability scans
You can scan for known vulnerabilities on your web servers and web applications, helping you
to design protection profiles that are an effective and efficient use of processing resources.
Vulnerability reports from a certified vendor can help you comply with regulations and
certifications that require periodic vulnerability scans, such as Payment Card Industry Data
Security Standard (PCI DSS).
Run vulnerability scans during initial FortiWeb deployment (see “How to set up your FortiWeb”
on page 60) and any time you are staging a new version of your web applications. You may also
be required by your compliance regime to provide reports on a periodic basis, such as quarterly.
Each vulnerability scan starts from an initial URL, authenticates if configured to do so, then
follows the links on that page and scans the pages it crawls to for vulnerabilities. After the scan
completes, the FortiWeb appliance generates a report from the scan results.
To run a web vulnerability scan
1. Optionally, configure email settings. Email settings included in vulnerability scan profiles
cause FortiWeb to email scan reports (see “Configuring email settings” on page 576).
2. Prepare the staging or development web server for the scan (see “Preparing for the
vulnerability scan” on page 506).
3. Create a scan schedule, unless you plan to execute the scan manually. The schedule defines
how often the scan runs (see “Scheduling web vulnerability scans” on page 507).
4. Create a scan profile. The profile defines which vulnerabilities to scan for (see “Configuring
vulnerability scan settings” on page 508).
5. Create a scan policy. The policy integrates a scan profile and schedule (see “Running
vulnerability scans” on page 513).
6. Either start the vulnerability scan manually (see “Manually starting & stopping a vulnerability
scan” on page 515), or wait for it to run automatically according to its schedule.
7. Examine the vulnerability scan report. The report provides details and analysis of the scan
results (see “Viewing vulnerability scan reports” on page 516).
Create and run web vulnerability scans early in the configuration of your FortiWeb appliance.
Use the reports to locate vulnerabilities and fine-tune your protection settings.
If you have many web servers, you may want a FortiScan appliance to:
• deepen vulnerability scans
• integrate patch deployment
• prioritize and track fixes via ticketing
• offload and distribute scans to improve performance and remove bottlenecks