Fortinet 608 FortiWeb 5.0 Patch 6 Administration Guide
Fine-tuning & best practicesThis topic is a collection of fine-tuning and best practice tips and guidelines to help you
configure your FortiWeb appliances for the most secure and reliable operation.
While many features are optional or flexible such that they can be used in many ways, some
practices are generally a good idea because they reduce complication, risk, or potential issues.
Hardening security
FortiWeb is designed to enhance the security of your web sites and web applications, and when
fully configured, it can automatically plug holes commonly used by attackers to compromise a
system.
This section lists tips to further enhance security.
Top ol og y
• To protect your web servers, install the FortiWeb appliance or appliances between the web
servers and a general purpose firewall such as a FortiGate. FortiWeb complements, and
does not replace, general purpose firewalls. FortiWeb appliances are designed
specifically to address HTTP/HTTPS threats; general purpose firewalls have more features to
protect at lower layers of the network.
• Make sure web traffic cannot bypass the FortiWeb appliance in a complex network
environment.
• Disable all network interfaces that should not receive any traffic.
Figure 69:Disabling port4 in System > Network > Interface
For example, if administrative access is typically through port1, the Internet is connected to
port2, and web servers are connected to port3, you would disable (“bring down”) port4. This
This section includes only recommendations that apply to a combination of multiple features, to
the entire appliance, or to your overall network environment.
For feature-specific recommendations, see the tips in each feature’s instructions.