Fortinet 5.0 Patch 6 Fine-tuning & best practices

Fortinet 608 FortiWeb 5.0 Patch 6 Administration Guide

Fine-tuning & best practices

This topic is a collection of fine-tuning and best practice tips and guidelines to help you

configure your FortiWeb appliances for the most secure and reliable operation.

While many features are optional or flexible such that they can be used in many ways, some

practices are generally a good idea because they reduce complication, risk, or potential issues.

FortiWeb is designed to enhance the security of your web sites and web applications, and when

fully configured, it can automatically plug holes commonly used by attackers to compromise a

system.

This section lists tips to further enhance security.

• To protect your web servers, install the FortiWeb appliance or appliances between the web

servers and a general purpose firewall such as a FortiGate. FortiWeb complements, and

does not replace, general purpose firewalls. FortiWeb appliances are designed

specifically to address HTTP/HTTPS threats; general purpose firewalls have more features to

protect at lower layers of the network.

• Make sure web traffic cannot bypass the FortiWeb appliance in a complex network

environment.

• Disable all network interfaces that should not receive any traffic.

Figure 69:Disabling port4 in System > Network > Interface

For example, if administrative access is typically through port1, the Internet is connected to

port2, and web servers are connected to port3, you would disable (“bring down”) port4. This

This section includes only recommendations that apply to a combination of multiple features, to

the entire appliance, or to your overall network environment.

For feature-specific recommendations, see the tips in each feature’s instructions.