Channel: Fortinet Cookbook

Protecting web applications


In this recipe, you will use a Web Application Firewall profile to protect web applications, such as Internet browsers, from being attacked. In this example, the default profile is configured to block SQL injection attempts as well as generic attacks.

Web Application Firewall is only available when Inspection Mode is set to Proxy-based.

1. Enabling Web Application Firewall

Go to System > Features and enable Web Application Firewall. Select Show More and enable Multiple Security Profiles.

Apply your changes.

2. Editing the default Web Application Firewall profile

Web Application Firewall profiles are created with a variety of options, called Signatures and Constraints. Once these options are enabled, Action can be set to Allow, Monitor, or Block, and Severity can be set to High, Medium, or Low.

You can also use a Web Application Firewall profile to enforce an HTTP method policy, which controls the HTTP method allowed when accessing websites that match the specified pattern.

Go to Security Profiles > Web Application Firewall and edit the default profile.

In this example, the signatures for SQL Injection (Extended) and Generic Attacks (Extended) have been enabled, with the Action set to Block and Severity set to High.
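To make the profile options concrete, the following is an added Python model of what a Web Application Firewall profile does with a request: each signature class carries an Action (Allow, Monitor, Block) and a Severity, an HTTP method policy restricts which methods may reach URLs matching a pattern, and a constraint rejects oversized URLs. This is illustrative code written for this page, not FortiOS code or Fortinet's signature set; the regex patterns, the `/api/admin/` path, the 2048-byte URL limit and the sample requests are all assumptions.

```python
import re
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import unquote_plus


class Action(Enum):
    ALLOW = "allow"
    MONITOR = "monitor"
    BLOCK = "block"


class Severity(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


@dataclass
class Signature:
    """One signature class with the Action/Severity the profile assigns to it."""
    name: str
    patterns: list           # regexes applied to the URL-decoded request line
    action: Action
    severity: Severity


# Hypothetical, cut-down signature classes. The real FortiOS classes contain many
# more patterns; these few exist only to make the evaluation logic concrete.
SQL_INJECTION_EXTENDED = Signature(
    "SQL Injection (Extended)",
    [r"(?i)\bunion\b.+\bselect\b", r"(?i)\bor\b\s+\d+\s*=\s*\d+",
     r"(?i)\bsleep\s*\(", r"'\s*--"],
    Action.BLOCK, Severity.HIGH)
GENERIC_ATTACKS_EXTENDED = Signature(
    "Generic Attacks (Extended)",
    [r"\.\./", r"(?i)<script\b", r"(?i)/etc/passwd"],
    Action.BLOCK, Severity.HIGH)


@dataclass
class MethodPolicy:
    """HTTP method policy: only `allowed` methods may reach URLs matching `pattern`."""
    pattern: str
    allowed: frozenset


@dataclass
class WafProfile:
    signatures: list
    method_policies: list = field(default_factory=list)
    max_url_length: int = 2048   # assumed URL-length constraint; the value is illustrative

    def evaluate(self, method: str, url: str):
        """Return (Action, reason) for one request; the first matching rule wins."""
        decoded = unquote_plus(url)   # inspect the decoded form so %27 etc. are not missed
        if len(decoded) > self.max_url_length:
            return Action.BLOCK, f"constraint: URL length {len(decoded)} > {self.max_url_length}"
        for pol in self.method_policies:
            if re.search(pol.pattern, decoded) and method.upper() not in pol.allowed:
                return Action.BLOCK, f"http-method-policy: {method.upper()} not allowed for {pol.pattern}"
        for sig in self.signatures:
            for pat in sig.patterns:
                if re.search(pat, decoded):
                    # MONITOR is handed back unchanged so the caller can log the hit
                    # and still forward the request; BLOCK stops it.
                    return sig.action, f"{sig.name} [{sig.severity.value}]"
        return Action.ALLOW, "no signature or constraint matched"


DEFAULT_PROFILE = WafProfile(
    signatures=[SQL_INJECTION_EXTENDED, GENERIC_ATTACKS_EXTENDED],
    method_policies=[MethodPolicy(r"^/api/admin/", frozenset({"GET"}))],
)

# Constructed requests: a clean page, a classic SQL injection probe,
# a disallowed method on an admin path, and an oversized URL.
SAMPLE_REQUESTS = [
    ("GET", "/index.html"),
    ("GET", "/item?id=1%27%20OR%201%3D1%20--"),
    ("DELETE", "/api/admin/users/42"),
    ("GET", "/search?q=" + "A" * 3000),
]

if __name__ == "__main__":
    for method, url in SAMPLE_REQUESTS:
        action, reason = DEFAULT_PROFILE.evaluate(method, url)
        print(f"{action.value:8} {method:6} {url[:40]:40} {reason}")
```

Checking the URL-decoded form before matching is the detail that matters most: a signature evaluated against the raw `%27` encoding would miss the quote that the backend actually receives.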

3. Applying the profile to a security policy

Go to Policy & Objects > IPv4 Policies and edit the policy that allows connections from the internal network to the Internet.

Under Security Profiles, enable Web Application Firewall and set it to use the default profile. Set the appropriate Proxy Option and set SSL/SSH Inspection to use the deep-inspection profile.

4. Results

Long URLs, such as this link, can be used to simulate an attack on your web browser.

After selecting one of these links, a replacement message appears, stating that the transfer has been blocked by the Web Application Firewall.

Go to Log & Report > Web Application Firewall and filter for Action: block to view information about blocked traffic.
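When the same log view is exported to a SIEM instead of filtered in the GUI, the Action: block filter has to be reproduced on the raw key=value records. The following is an added Python example, not part of the original recipe or of FortiOS, that parses constructed FortiGate-style WAF log lines and applies that filter; the field names, values and addresses in the sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample log lines in the key=value style FortiGate uses. Field names
# and values are illustrative assumptions, not copied from a real unit.
SAMPLE_WAF_LOG = """\
date=2024-03-01 time=09:15:01 type="utm" subtype="waf" eventtype="waf-signature" severity="high" action="block" srcip=192.168.1.20 dstip=203.0.113.10 url="/item?id=1' OR 1=1 --" msg="SQL Injection (Extended)"
date=2024-03-01 time=09:15:07 type="utm" subtype="waf" eventtype="waf-signature" severity="high" action="block" srcip=192.168.1.20 dstip=203.0.113.10 url="/download?file=../../etc/passwd" msg="Generic Attacks (Extended)"
date=2024-03-01 time=09:16:12 type="utm" subtype="waf" eventtype="waf-signature" severity="low" action="monitor" srcip=192.168.1.31 dstip=203.0.113.11 url="/search?q=select+a+theme" msg="SQL Injection (Extended)"
date=2024-03-01 time=09:17:45 type="utm" subtype="waf" eventtype="waf-http-method" severity="medium" action="block" srcip=192.168.1.42 dstip=203.0.113.10 url="/api/admin/users/7" msg="HTTP method policy"
"""

# key=value pairs: the value is a double-quoted string (may contain spaces) or a bare token
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}


def parse_log(text):
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]


def blocked_events(records):
    """Equivalent of filtering the WAF log view for Action: block."""
    return [r for r in records if r.get("subtype") == "waf" and r.get("action") == "block"]


def summarize(records):
    """Count blocked events per (source IP, signature class) to spot noisy sources."""
    return Counter((r["srcip"], r["msg"]) for r in blocked_events(records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_WAF_LOG)
    for r in blocked_events(recs):
        print(f'{r["time"]} {r["srcip"]:15} {r["severity"]:6} {r["msg"]:28} {r["url"]}')
    for (src, cls), n in summarize(recs).most_common():
        print(f"{n}x {src} -> {cls}")
```

The quoted-value branch of the regex is what keeps a URL containing spaces or an embedded `q=` from being split into spurious fields; a naive split on whitespace would mis-parse the first and third lines.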

5. Offloading to a FortiWeb

If you have a FortiWeb, you may be able to offload the functions of the Web Application Control to your FortiWeb. To find out if this option is available, refer to the FortiOS or FortiWeb Release Notes for information about device compatibility.

Go to System > External Security Devices and enable HTTP Service. Enter your FortiWeb’s IP address.

If necessary, enable Authentication and enter the FortiWeb’s password.


Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing certificate warnings.
