FortiWeb-VM offline protection mode


This recipe configures a FortiWeb in a VMware ESX environment that uses the offline protection operation mode to detect threats and attacks directed at web applications and your virtual servers.

Because the web application firewall (WAF) works in offline protection mode (also called sniffer mode), no reconfiguration of the web servers is required. Note that this recipe is the absolute minimum that is needed to configure a working offline protection profile. See the FortiWeb Administration Guide for information on additional configuration that can improve the detection of web application threats to your environment. 


1. Changing the operation mode

Because changing the operation mode deletes several settings, including routes, it is recommended  that you perform this procedure from a network that is directly connected to the FortiWeb.

Alternatively, after you change the operation mode, use the ESX Console to configure the routes via the CLI.

Go to System > Status > Status.

In the System Information widget, beside Operation Mode, click Change.

Alternatively, go to System > Config > Operation.


Select Offline Protection, and then click Apply.


2. Configuring the default route

Adding a default route to your FortiWeb-VM is important because it allows it to validate its license by contacting a Fortinet Distribution Network (FDN) server.

Go to System > Network > Static Route.


Alternatively, you can configure the default route from the CLI.

config router static
  edit 1
    set dst
    set gateway
    set device port1

3. Configuring certificates for SSL Inspection

You upload the server private key to FortiWeb so it can use the web server’s certificate to decrypt traffic and scan it for policy violations. This step is required only if your web server uses SSL

Go to System > Certificates > Local. Click Import, and then, for Type, select PKCS12 Certificate.

Browse for the web server certificate that you exported earlier in PKCS12 format (usually a .pfx with a password file).

In some cases, if you have two files (a .cer and a .pem file), for Type, you select Certificate.


4. Configuring the server pool

Go to Server Objects > Server Pool and click Create New.

Enter a Name for the server pool.

Select Offline Protection, and then click OK.

Click Create New, configure the IP of the web server, enable SSL, select the certificate you uploaded earlier (if required), and then click OK.

If the server accepts both HTTP and HTTPS requests, configure the server in the server pool twice: once for each protocol.


5. Configuring the web protection profile

Go to Policy > Server Policy > Server Policy, and then click Create New.

Enter a name for the policy.

Select the server pool you configured earlier.

For Data Capture Port, select an interface that is in the same VSwitch and Virtual Machine Port Group as the listening web server interface.

For Web Protection Profile, select Offline Alert Only.

For Auto Learn Profile, select Default Auto Learn Profile.


6. Enabling traffic logs

Go to Log & Report > Log Config > Other Log Settings > Enable Traffic Log.

When you enable this setting, FortiWeb logs all requests, even if they are not attacks. This can be useful for quickly identifying if your configuration is valid and if the FortiWeb is correctly receiving the mirrored traffic.

Later on, you can also use this traffic log to create several reports based on web site utilization, most used domains, and other Web Analytics indicators.


7. Results

Go to Log & Report > Log Access > Traffic to verify that your web site is receiving requests and that FortiWeb is able to identify them.


Go to Log & Report > Log Access > Attacks to view the latest attacks to your web site.

If no log messages are displayed in the Attack log, you can test the web protection profile you applied by simulating some attacks manually or performing a vulnerability scan.


For further reading, see “How to set up your FortiWeb” in the FortiWeb Administration Guide.