Protecting a server running web applications


In this recipe, you will use a Web Application Firewall profile to protect a server that is running a web application, such as web mail. In this example, the default profile will be targeted to block SQL injection attempts, as well as generic attacks.

Web Application Firewall is only available when Inspection Mode is Proxy-based.

1. Enabling Web Application Firewall

Go to System > Feature Select and enable Web Application Firewall. Select Show More and enable Multiple Security Profiles.

Apply your changes.

2. Editing the default Web Application Firewall profile

Web Application Firewall profiles are created with a variety of options, called Signatures and Constraints. Once these options are enabled, Action can be set to Allow, Monitor, or Block, and Severity can be set to High, Medium, or Low.

You can also use a Web Application Firewall profile to enforce an HTTP method policy, which controls the HTTP method allowed when accessing websites that match the specified pattern.

Go to Security Profiles > Web Application Firewall and edit the default profile.

In this example, the signatures for SQL Injection (Extended) and Generic Attacks (Extended) have been enabled, with the Action set to Block and Severity set to High.

Trojans and Known Exploits are also blocked by default.

3. Applying the profile to a security policy

Go to Policy & Objects > IPv4 Policy and edit the policy that allows access to the web server.

Under Security Profiles, enable Web Application Firewall and set it to use the default profile. Set the appropriate Proxy Option and set SSL/SSH Inspection to use the deep-inspection profile.


4. Results

Use the following URL to simulate an attack on your web server, substituting the IP address of your server:

http://<server IP>/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1

An error message appears, stating that the web application firewall has blocked the traffic.
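The test URL above carries a classic authentication-bypass payload. As an added example (not part of the original recipe, and not Fortinet code), the Python below URL-decodes that query string and runs it against a small in-memory SQLite table, first through a string-concatenated login query of the kind the WAF signature is meant to protect, then through a parameterized one. The server IP, the users table and its credentials are constructed sample data. The point for a practitioner: the WAF blocks the request in transit, but the application itself should also be fixed, since the firewall only sees traffic that passes through this policy.

```python
"""Added example: what the recipe's SQL injection test payload does to a
naively built login query, and the parameterized form that defeats it.
Not from the Fortinet cookbook; sample data below is constructed."""
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Query string copied from the recipe's test URL; the server IP is a
# placeholder (RFC 5737 documentation range) and plays no part in the attack.
TEST_URL = ("http://192.0.2.10/index.php"
            "?username=1'%20or%20'1'%20=%20'1"
            "&password=1'%20or%20'1'%20=%20'1")


def decoded_params(url):
    """Return the URL-decoded query parameters as {name: value}.

    parse_qs splits each pair on the first '=' only, so the '=' inside the
    payload survives as part of the value, exactly as PHP would see it.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in qs.items()}


def make_db():
    """Constructed users table with fictional credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query (the weak form).

    With the payload, the WHERE clause becomes
      username = '1' or '1' = '1' AND password = '1' or '1' = '1'
    and the trailing OR '1' = '1' makes it true for every row.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "' ORDER BY rowid")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Bound parameters (the hardened form).

    The payload is compared as a literal string, so no row matches.
    """
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY rowid")
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    params = decoded_params(TEST_URL)
    db = make_db()
    print("decoded username:", params["username"])
    print("vulnerable query returns:",
          login_vulnerable(db, params["username"], params["password"]))
    print("parameterized query returns:",
          login_parameterized(db, params["username"], params["password"]))
```

Run it without the FortiGate in the path to see the bypass succeed against the concatenated query; with the WAF profile applied, the request never reaches index.php, but the parameterized version is what makes the application safe when it does.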

5. Offloading to a FortiWeb

If you have a FortiWeb, you may be able to offload the Web Application Firewall functions to your FortiWeb. To find out if this option is available, refer to the FortiOS or FortiWeb Release Notes for information about device compatibility.

Go to System > External Security Devices and enable HTTP Service. Enter your FortiWeb’s IP address.

If necessary, enable Authentication and enter the FortiWeb’s password.


Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • Frank Reterink

    Would it be possible to change the URL? Our goal would be to add the user name from the SSL session to the URL the firewall sends to the report server. This username would be the authorization filter on the data. Since the username comes from the session, the user cannot change it.

    • bdickie

      FortiOS WAF support is very basic. I think you would need FortiWeb for this kind of functionality. I would recommend contacting customer support.

  • Corben Leek

    I activated WAF in my policy but SQL injects aren't blocked

  • easy

    Do I need to turn on NAT in the security policy? Is WAF going to work with port forwarding?

    • bdickie

      Actually, no, NAT is not required in the security policy. In fact, it would be better if NAT were not enabled. Yes, WAF does work with port forwarding. This is a very basic example that just shows how to add WAF features. Normally the firewall policy would be configured with a VIP for port forwarding.