Fortinet 614 FortiWeb 5.0 Patch 6 Administration Guide
Enforcing valid, applicable HTTP
• If your web server does not require anything other than GET or POST, disable unused HTTP
methods to reduce vectors of attack. See “Specifying allowed HTTP methods” on page 436.
• Enforce RFC compliance and any limitations specific to your back-end web servers or
applications to defeat exploit attempts. See “HTTP/HTTPS protocol constraints” on
page 440 and “Limiting file uploads” on page 451.
Sanitizing HTML application inputs
Most web applications are not written with security in mind, and do not correctly sanitize input.
Before a signature or patch is available, you can still block new input-related attacks by
rejecting all invalid input that could potentially break the intended behavior of ASP, PHP,
JavaScript or other applications. See “Validating parameters (“input rules”)” on page 421 and
“Preventing tampering with hidden inputs” on page 430.
Improving performanceWhen configuring your FortiWeb appliance and its features, there are many settings and
practices that can yield better performance.
System performance
• Delete or disable unused policies. FortiWeb allocates memory with each server policy,
regardless of whether it is actually in active use. Configuring extra policies will unnecessarily
consume memory and decrease performance.
• To reduce latency associated with DNS queries, use a DNS server on your local network as
your primary DNS. See “Configuring DNS settings” on page 130.
• If your network’s devices support them, you can create one or more VLAN interfaces. VLANs
reduce the size of a broadcast domain and the amount of broadcast traffic received by
network hosts, thus improving network performance. See “Adding VLAN subinterfaces” on
page 117.
• If you have enabled the server health check feature as part of a server farm and one of the
servers is down for an extended period, you may improve the performance of your FortiWeb
appliance by disabling the physical server, rather than allowing the server health check to
File uploads’ total size Cache Body Length
Number of file uploads 8Malformed Request
Table 57:FortiWeb buffer configuration
Buffer Limit Block oversized requests using
Other buffers also exist. Their limitations, however, vary dynamically.