Fortinet 506 FortiWeb 5.0 Patch 6 Administration Guide
See also
•Preparing for the vulnerability scan
•Running vulnerability scans
•Configuring vulnerability scan settings
•Scheduling web vulnerability scans
•Viewing vulnerability scan reports
Preparing for the vulnerability scan
For best results, before running a vulnerability scan, you should prepare the network and target hosts for the vulnerability scan.
Live web sites
Fortinet strongly recommends that you do not scan for vulnerabilities on live web sites. Instead, duplicate the web site and its database in a test environment such as a staging server and perform the scan in that environment. For more information, see “Scan Mode” on page 510.
Network accessibility
You may need to configure each target host and any intermediary NAT or firewalls to allow the vulnerability scan to reach the target hosts.
Traffic load & scheduling
You should talk to the owners of target hosts to determine an appropriate time to run the vulnerability scan. You can even schedule in advance the time that the FortiWeb will begin the scan.
For example, you might schedule to avoid peak traffic hours, to restrict unrelated network access, and to ensure that the target hosts will not be powered off during the vulnerability scan.
Rapid access can result in degraded network performance during the scan. If you do not rate limit the vulnerability scan, some web servers could perceive its rapid rate of requests as a denial of service (DoS) attack. You may need to configure the web server to omit rate limiting for connections originating from the IP address of the FortiWeb appliance. Alternatively, you can configure the vulnerability scan to send requests more slowly. See “Delay Between Each Request” on page 510.
To determine the current traffic load, see “Real Time Monitor widget” on page 537. For scheduling information, see “Scheduling web vulnerability scans” on page 507.
See also
•Configuring vulnerability scan settings
•Scheduling web vulnerability scans
•Running vulnerability scans
•Manually starting & stopping a vulnerability scan
•Viewing vulnerability scan reports
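One way to apply the rate-limiting exemption described under “Traffic load & scheduling”, as an added example that is not from the FortiWeb guide: an nginx configuration that exempts a single source address from per-client request limiting so the scan is not mistaken for a DoS. It assumes nginx is the web server on the staging target host and uses the placeholder address 198.51.100.10 for the FortiWeb appliance.

```nginx
# Constructed example. 198.51.100.10 is a placeholder for the FortiWeb
# appliance's address; replace it with the scanner's real source IP.
geo $scanner_source {
    default        1;   # every other client is subject to rate limiting
    198.51.100.10  0;   # the scanner is exempt
}

# limit_req does not count requests whose key evaluates to an empty string,
# so mapping the scanner to "" removes it from the rate-limit accounting.
map $scanner_source $limit_key {
    1 $binary_remote_addr;
    0 "";
}

# 10 requests/second per client address, tracked in a 10 MB shared zone.
limit_req_zone $limit_key zone=per_client:10m rate=10r/s;

server {
    listen 80;
    server_name staging.example.com;   # placeholder staging host

    location / {
        # Normal clients: allow short bursts of 20, reject the excess with 503.
        limit_req zone=per_client burst=20 nodelay;
        proxy_pass http://127.0.0.1:8080;   # placeholder application backend
    }
}
```

Keep the exemption scoped to the staging environment and remove it once the scan is finished.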