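FortiWeb Basic Configuration
Fortice module parameters in MS

The Fortice module parameters in MS are a set of important parameters used in Microsoft's operating systems to control and manage the Fortice module.
These parameters include, but are not limited to, the security level, firewall settings and network access control.
In MS, adjusting these parameters can effectively improve system security, prevent malicious attacks and virus infection, and protect important data and private information.
1. Security level
The security level is one of the most basic parameters of the Fortice module.
It controls the overall security of the system, including file system security, network security and application security.
Adjusting the security level can improve the system's resistance to attack and prevent unauthorized access and theft.
2. Firewall settings
The firewall settings in the Fortice module help users filter network traffic effectively and block malicious attacks and intrusions.
By configuring firewall rules, access control lists and so on, inbound and outbound network traffic can be controlled at a fine grain, effectively protecting the system.
3. Network access control
Network access control is one of the most important parameters of the Fortice module.
It helps users restrict the network access rights of different users as required, preventing leaks of sensitive data and network attacks.
By configuring access control policies, user permissions and so on, the system and its data can be protected effectively.
4. Security policy management
Security policy management is one of the most important functions of the Fortice module.
Through security policy management, users can manage and adjust the various security policies in the system, including password policies, encryption policies and access control policies.
These policies help users better protect the system and its data.
5. Logging and auditing
The logging and auditing functions of the Fortice module help users understand the security state of the system and detect and handle security events promptly.
By reviewing logs and audit information, users can quickly locate security problems and take timely measures to resolve them.
6. Automated security assurance
The Fortice module also provides automated security assurance: users can configure automated security assurance policies to achieve automated protection and remediation.
This is especially important for large systems, as it reduces the administrators' workload and improves system security and stability.
The Fortice module parameters in MS are key to system security; adjusting them sensibly can effectively improve the system's resistance to attack and its security.
Administrators should fully understand what these parameters do and how to configure them, and adjust them according to actual conditions to protect the system and its data.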
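FortiWeb Basic Configuration

Setting up the FortiWeb basic configuration
Note: This document describes the basic configuration of a factory-default FortiWeb.
It is recommended that every FortiWeb device go through this simple configuration before deployment begins.
The second half of this document introduces the web anti-defacement feature.
Environment: This document uses a FortiWeb1000B for the demonstration.
The system version used in this document is 4.0.

Step 1: Access the device
The factory-default access settings are: access methods https, ping, ssh; interface port1; IP 192.168.1.99.
Console access settings: bits per second 9600; data bits 8; parity none; stop bits 1; flow control none.
Administrator login address: https://192.168.1.99
Login account: admin
Password: empty
To restore the factory settings from the command line: execute factoryreset

Step 2: System settings
In system—admin—settings, set the language and the timeout.
In System—Network—Interface, set the interface IP and the access methods.
In System—Network—DNS, configure the DNS addresses.
In System—Config—Operation, set the mode.
In System—Admin—Administrators, set the administrator password (click the button to set the password).
In System—Maintenance—System Time, set the time.
In Router—Static, set the routes.

Step 3: Web anti-defacement settings
The web anti-defacement feature prevents static web pages from being maliciously modified.
It works by backing up all static pages to the FortiWeb hard disk and periodically checking the state of the pages on the web server; when a page is maliciously modified, FortiWeb restores it from the backup, protecting the website.
In Web Anti-Defacement, click Create New:
Hostname/IP address: enter the IP of the web server.
Connection type: FTP, SSH and Windows share are supported.
Do not monitor files larger than this size: the default is 10M and can be adjusted to suit the actual situation.
File types not to monitor: certain large video or archive files can be excluded from monitoring.
Automatically restore a changed file to its content before the change: enabling this is recommended.
Once this feature is enabled, any change to a monitored file is reverted to the original state, so administrators must update pages through FortiWeb's upload tool.
Some time after you click OK, the status changes to Connected, which indicates that FortiWeb has backed up all monitored files to its hard disk.
Click the backed-up files to see detailed file information.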
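The backup, periodic check and restore cycle described in Step 3, as an added Python example (it is not Fortinet's code and not part of the original document). It assumes a local directory stands in for the FTP/SSH/Windows share connection; the function names, the excluded suffixes and the sample files are hypothetical and constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MAX_SIZE = 10 * 1024 * 1024        # page default: files above 10M are not monitored
SKIP_SUFFIXES = {".mp4", ".zip"}   # assumed examples of excluded (large) file types


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def monitored(root, max_size=MAX_SIZE, skip=SKIP_SUFFIXES):
    """Relative paths of the files that fall under monitoring."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() not in skip
        and p.stat().st_size <= max_size
    )


def take_baseline(webroot, backup_dir, **limits):
    """Back up every monitored file and record its SHA-256 digest."""
    baseline = {}
    for rel in monitored(webroot, **limits):
        dst = Path(backup_dir) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(webroot) / rel, dst)
        baseline[rel] = sha256_of(dst)
    return baseline


def check_once(webroot, backup_dir, baseline, auto_restore=True, **limits):
    """One periodic check: returns [(event, relpath)], restoring if enabled."""
    events = []
    for rel, digest in baseline.items():
        live = Path(webroot) / rel
        if not live.is_file():
            events.append(("deleted", rel))
        elif sha256_of(live) != digest:
            events.append(("modified", rel))
        else:
            continue
        if auto_restore:
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(backup_dir) / rel, live)
    # Files that appeared after the baseline are reported for review, not deleted.
    for rel in monitored(webroot, **limits):
        if rel not in baseline:
            events.append(("added", rel))
    return events


def demo():
    """Constructed web root: tamper with it, run one check, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        web, bak = Path(tmp, "www"), Path(tmp, "backup")
        (web / "css").mkdir(parents=True)
        (web / "index.html").write_text("<h1>Welcome</h1>")
        (web / "css" / "site.css").write_text("body{margin:0}")
        (web / "promo.mp4").write_bytes(b"\x00" * 32)        # excluded type
        baseline = take_baseline(web, bak)
        (web / "index.html").write_text("<h1>defaced</h1>")  # content change
        (web / "css" / "site.css").unlink()                  # deletion
        (web / "new.html").write_text("unexpected")          # file not in baseline
        events = check_once(web, bak, baseline)
        return sorted(baseline), events, (web / "index.html").read_text()
```

Because the baseline only changes when `take_baseline` runs, a legitimate page update has to go through a controlled re-baseline step, which mirrors the requirement above that administrators publish through the upload tool.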
FortiWeb Technical Training Lecture Notes

HOST:
(press Enter here to send a carriage return and line feed)
Response:
HTTP/1.1 200 OK
Date: Tue, 20 Aug 2013 07:11:25 GMT
Server: BWS/1.0
Content-Length: 10443
Content-Type: text/html;charset=utf-8
Cache-Control: private
BDPAGETYPE: 1
BDUSERID: 0
BDQID: 0xfcdf625f01e80cd3
Set-Cookie: BDSVRTM=1; path=/
Set-Cookie: H_PS_PSSID=2777_1464_3138_2975_2981_3135_2702; path=/; 7BD8443C2D36729:FG=1; expires=Tue, 20-Aug-43 07:11:25 GMT; path=/; domain=
Expires: Tue, 20 Aug 2013 07:11:25 GMT
P3P: CP=" OTI DSP COR IVA OUR IND COM "
(a blank line goes here)
(N characters omitted here)
CONNECT: reserved for future use
OPTIONS: asks the server about its capabilities, or about the options and requirements associated with a resource
① Open telnet: Run --> cmd --> telnet
② Open 80
③ Press Ctrl + ], then press Enter
④ Enter:
GET / HTTP/1.0
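Physical deployment: only route reachability is required (both one-arm and two-arm deployments are supported)
Advantage: the most complete set of WAF functions (load balancing and so on are supported)
Disadvantage: the firewall mapping has to be changed, and the client IP and server IP are hidden
Question: what is the source IP of the traffic that FortiWeb forwards to the web server?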
HACKER
fortiweb

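Main functions
Uses XML signatures to verify forwarded traffic.
Rule matching and response actions
Each connection attempt is matched against the rules, searching the filter list starting from the highest priority (0 is the highest); if no rule matches, the connection is dropped.
Accept: accept the request.
Alert: accept the request and generate an alert and an e-mail or a log entry.
Deny: reject the request (reset the connection).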
5. Load Schema
Configuration characters
Main functions
A Schema is mainly used to define the order, number, default values and so on of the data types, elements and attributes of a WSDL. If Schema validation is enabled, a Schema file must first be uploaded to the device.
If wsdl validation is enabled and the schema file does not exist or is disabled, validation allows the connection.
If wsdl validation is disabled and the schema file does not exist or is disabled, validation blocks the connection.
In this example, the <portType> element defines "glossaryTerms" as the name of a port and "getTerm" as the name of an operation.
The operation "getTerm" has an input message named "getTermRequest" and an output message named "getTermResponse".
Compared with traditional programming, glossaryTerms is a function library, and "getTerm" is a function with the input parameter "getTermRequest" and the return parameter getTermResponse.
FortiWeb Cloud Web Application Firewall-as-a-Service (WAFaaS) Product Brochure

Cloud-native Solution for Web Application Security: FortiWeb Cloud WAF-as-a-Service for AWS, Azure, Google Cloud, and Oracle Cloud
SOLUTION BRIEF

Executive Summary
FortiWeb Cloud Web Application Firewall-as-a-Service (WAFaaS) delivers full-featured, cost-effective security for web applications with a minimum of configuration and management. Delivered through major cloud platforms, including AWS, Azure, Google Cloud, and Oracle Cloud, FortiWeb Cloud features a high level of scalability as well as on-demand pricing. While FortiWeb Cloud can protect applications deployed in the data center or in the cloud, customers who host their applications on these public clouds can achieve benefits such as reduced latency, simplified compliance, and lower bandwidth costs.

Securing Web Applications
Cloud service providers and application owners share the responsibility for securing web applications deployed to the cloud. This arrangement has advantages in that providers typically deploy robust security for the platform itself, removing that burden from the application owner. However, securing the application itself rests squarely with the owner, a stipulation that AWS [1] and other providers make clear in their service agreements.
Best practices for web application security include the deployment of a WAF as the cornerstone of a comprehensive security solution. WAFs use a combination of rules, threat intelligence, and heuristic analysis of traffic to ensure that malicious traffic is detected and blocked before reaching web applications.
The task of protecting on-premises application software typically falls to a security architect or other security professional within the CIO or CISO organization.
In contrast, the DevOps team often fills this role for cloud-based applications, consistent with DevOps principles of end-to-end responsibility and cross-functional, autonomous teams. As a result, DevOps teams need the right tools to embed effective security controls into their process—simply repurposing traditional workflows and processes will not do the job. Also, the additional workload of managing WAFs consumes valuable time on the part of DevOps teams and can elongate time-to-release cycles and inhibit continuous improvement efforts.

FortiWeb Cloud Features
• Advanced protection against OWASP Top 10 threats, zero-day threats, and more
• Purchasing flexibility—buy directly through a cloud marketplace or your preferred reseller
• Easy deployment with a setup wizard and predefined policies
• Streamlined management with an intuitive dashboard for end-to-end security visibility and management
• Delivered on public cloud, including AWS, Azure, Google Cloud, and Oracle Cloud, which offers low latency and unmatched elasticity and scalability

The Expanding Attack Surface
The threat landscape today can be daunting for organizations considering a move to the cloud. More than three-quarters of successful attacks are motivated by financial gain [2], which can take the form of ransomware, exfiltration of valuable personal information, or compromised intellectual property. Furthermore, breaches happen fast—87% take place in just minutes [3]—and most go undiscovered for months or more (Figure 1) [4].
Internet-facing web applications pose unique security challenges compared to traditional solutions deployed within the organization’s network perimeter. Every time a company deploys a new internet-facing web application, the attack surface grows. As DevOps teams accelerate the rate of development and new releases, the attack surface evolves more rapidly than ever. This expanded attack surface challenges traditional approaches to application security.

Figure 1: Threat statistics from recent published studies. 76% of breaches are financially removed. 87% of compromise take minutes or less. 68% of threats go undiscovered for a month or more.

Enhanced Protection With FortiWeb
To address the diverse needs of organizations for web application security, Fortinet offers the FortiWeb family of solutions.
FortiWeb WAF provides advanced features that defend web applications from known and zero-day threats. Using an advanced multilayered and correlated approach, FortiWeb delivers complete security for external and internal web-based applications from the OWASP Top 10 and many other threats. At the heart of FortiWeb are its dual-layer artificial intelligence (AI)-based detection engines that intelligently detect threats with nearly no false-positive detections.

FortiWeb Cloud WAF-as-a-Service
Designed for web applications that demand the highest level of protection, FortiWeb Cloud provides robust security that is simple to deploy, easy to manage, and cost effective. With FortiWeb Cloud, DevOps teams and security architects alike have access to the same proven detection techniques used in other FortiWeb form factors without the need for costly capital investments. Unlike solutions that simply spin up virtual machines for each customer and increase the management workload, FortiWeb Cloud delivers a true Software-as-a-Service (SaaS) solution that leverages public cloud to offer highly scalable and low-latency application security.

FortiWeb VM
FortiWeb VM is an enterprise-class offering that provides the FortiWeb functionality in a virtual form factor. Designed for hybrid environments, the virtual version of FortiWeb includes protection for container-based applications. FortiWeb VM can be deployed in VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen, VirtualBox, KVM, and Docker platforms.

uses machine learning (ML)-enabled technology to minimize false positives while accurately identifying real threats.

Figure 2: Common attack vectors and remediation techniques. (Diagram labels: Attacks/Threats, Application, Correlation, User/Device, Threat Scoring.)

Easy to Deploy and Manage
FortiWeb Cloud enables rapid application deployments in the public cloud while addressing compliance standards and protecting business-critical web applications. To facilitate use by nonsecurity professionals, FortiWeb Cloud comes with a setup wizard and a default configuration that can be easily modified to meet individual requirements. FortiWeb Cloud delivers cloud-native application security that can be deployed in minutes. After going through the setup wizard, simply update your DNS setting and your web application is protected.
Busy DevOps staff have no time for extensive WAF training. To address this issue, FortiWeb Cloud features an intuitive real-time dashboard that allows DevOps staff and other nonsecurity professionals to see and understand quickly the security status of their web applications (Figure 3).

Figure 3: FortiWeb Cloud dashboard.

Cost-effective Security
As a cloud-native SaaS solution, FortiWeb Cloud features lower capital expenditures (CapEx) and operational expenditures (OpEx) compared to on-premises solutions. AWS, Azure, Google Cloud, and Oracle Cloud provide the hardware and software components of the infrastructure, virtually eliminating the need for capital investments as well as the operating costs associated with platform maintenance. By removing the burden of maintaining and upgrading the platform, customers can focus on improving the application and delivering business value to their organizations.
The SaaS business model—pay only for what you use—gives customers flexibility in managing their security budgets as well as the ability to institute chargebacks and other cost-control measures. Customers who host their applications on these clouds can reduce costs significantly because they must only pay data transfer fees for traffic from the application to the WAF—as the data transfer costs for outbound traffic are included in the FortiWeb subscription (Figure 4).

Figure 4: Data transfer fees for applications hosted on public clouds. (Diagram labels: Internet; Data transfer fees included in FortiWeb subscription; Intra-region data transfer fees.)

Conclusion
Utilizing a comprehensive, correlated, multilayer approach to web application security, FortiWeb Cloud protects web-based applications from all of the Top 10 OWASP security risks and many more. Unique among WAFs on the market, FortiWeb Cloud leverages ML capabilities to detect both known and unknown exploits targeting web applications with almost no false positives. Delivered via public cloud providers including AWS, Azure, Google Cloud, and Oracle Cloud, FortiWeb Cloud features low latency and high elasticity and can easily and quickly scale to accommodate changes in traffic. Further, FortiWeb Cloud keeps web applications safe from vulnerability exploits, bots, malware uploads, DDoS attacks, APTs, and zero-day attacks.

1. “Shared Responsibility Model,” AWS, accessed June 20, 2019.
2. “2018 Data Breach Investigations Report,” Verizon, accessed June 18, 2019.
3. Ibid.
4. Ibid.
5. “OWASP Top 10-2017: The Ten Most Critical Web Application Security Risks,” OWASP, accessed May 25, 2018.

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
April 6, 2021 11:46 PM
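Most Common FortiGate Configurations

• Configuration:
– System --> Network --> Interface
– External interface parameters
• Select PPPoE as the interface addressing mode
• Enter the user name and password
• Set the MTU to 1492
– Internal interface parameters
• Select Custom as the interface addressing mode
• Enter 192.168.1.1/255.255.255.0 in the IP address/netmask field
External interface parameters:
Internal interface parameters:
Example
Policy configuration:
Troubleshooting
• Is the address range defined correctly?
• Is the protocol type selected correctly?
• Is the port defined correctly?
• Has the service to be controlled been added to the group?
• Are the source and destination addresses in the policy selected correctly?
• Is the service in the policy selected correctly?
• Is the mode in the policy selected correctly?
Backup and load balancing
Configuration procedure
Backup and load balancing
Example
Troubleshooting
Configuration procedure
• Interface configuration (for the steps, see the shared Internet access section)
• To split traffic by service, define custom services under Service in the Firewall menu
• To split traffic by internal network IP address, define address ranges under Address in the Firewall menu
• Policy configuration
– Broadband line 2:
• IP: 192.168.10.147
• Netmask: 255.255.255.0
• Gateway: 192.168.10.1
Example
• Requirement:
– The finance department has one broadband line to itself, while marketing, engineering and the other departments share the other broadband line, splitting the traffic to ensure bandwidth utilization
Example
Configuration:
• Interface configuration (for the steps, see the shared Internet access section, except that the ping server must be enabled during configuration and a valid public IP address entered)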
FortiGate Training Lecture Notes
2005.09.23
FortiGate Training Lecture Notes
Shared Internet access
PPPoE
Shared Internet access
DHCP
Static
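FortiWeb Introduction

• FortiWeb enforces acceptable character input and validates web page parameters
In the example shown in the figure, the user name input box may contain only letters
Input rules
• Cross-site scripting
Specify the length, value and occurring fields for input areas to block script input; define a maximum length
• Injection attacks
Specify the length, value and occurring fields to block script input
• HTTP request smuggling
Block malformed inbound HTTP requests
• Anti-crawler
Restrict or prohibit crawlers to prevent web pages from being scraped at will
FortiWeb-1000B detailed product information
• Hardware
4 x 10/100/1000 interfaces
2 USB interfaces
1 x 1TB SATA hard disk (optionally 2 x 1TB)
1 RU rack-mount appliance
• Throughput
500 Mbps HTTP
30,000 concurrent sessions
10,000 new sessions per second
Web application firewall
• Application acceleration
HTTPS offload
TCP optimization
XML security validation offload
XML encryption/decryption offload
Load balancing
Maximizes the availability of web applications and services
XML firewall
Technology
Technology
Signature database and template detection engine
Threshold-based limits
Session management and flow enforcement
Custom input parameter validation rules
Parameter and form tampering, and form or metadata validation
A3 – Malicious File Execution
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
OWASP Top 10
Vulnerabilities
A6 – Information Leakage and Improper Error Handling
A7 – Broken Authentication and Session Management
A8 – Insecure Cryptographic Storage
A9 – Insecure Communications
A10 – Failure to Restrict URL Access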
FortiWeb Web Application Firewall Product Datasheet

(Deployment diagram labels: Transparent Inspection or True Transparent Proxy; Offline Mode or Reverse Proxy)

• Multiple deployment options
Transparent Inspection and True Transparent Proxy, Reverse Proxy and Offline allow you to fit FortiWeb into any environment.
• Auto-Learn Security Profiling
Automatically and dynamically build a security model of protected applications by continuously monitoring real time user activity. Eliminate the need for manual configuration of security profiles.
• Authentication Offload
Offload your web server authentication to the FortiWeb platform while supporting different authentication schemes such as Local, LDAP, NTLM and Radius.
• Policy wizard and pre-defined policies
Allows for one click deployments and greatly eases the process of policies creation.
• High Availability
The high availability mode provides configuration synchronization and allows for a network-level fail-over in the event of unexpected outage events. Integrated bypass interfaces provide additional fail open capability for single box deployments.
• Virtualization
Provides a Virtual Appliance for VMware ESX and ESXi 3.5/4.0/4.1 platforms mitigating blind spots in virtual environments.
• Application Layer Vulnerability Protection
Provide out of the box protection for the most complex attacks such as SQL Injection, Cross Site Scripting, CSRF and many others. Together with the Auto Learn profiling system and advanced abilities, FortiWeb is able to create rules down to the single application element.
• Data Leak Prevention
Extended monitoring and protection for credit card leakage and application information disclosure by tightly monitoring all outbound traffic. Allow customers to create their own granular signatures and DLP patterns together with predefined rules for any type of events.
• Application Support
Streamlined monitoring and protection for well-known applications and protocols such as Microsoft Exchange, SharePoint, ActiveSync and RPC over HTTP.
• Anti Web Defacement
Unique capabilities for monitoring protected applications for any defacement and ability to automatically and quickly revert to stored version.
• Vulnerability Assessments
Automatically scans and analyzes the protected web applications and detects security weaknesses, potential application known and unknown vulnerabilities to complete a comprehensive solution for PCI DSS.
• HTTP RFC Compliance Validation
FortiWeb blocks any attacks manipulating the HTTP protocol by maintaining strict RFC standards to prevent attacks such as encoding attacks, buffer overflows and other application specific attacks.
• Antivirus
Scan file uploads using Fortinet’s Antivirus engine with regular FortiGuard updates.
• PCI DSS compliance
FortiWeb is the only product that provides a Vulnerability Scanner module within the web application firewall that completes a comprehensive solution for PCI DSS requirement 6.6.
• Protects against OWASP top 10
Incorporating a positive and a negative security module based on bidirectional traffic analysis and an embedded behavioral based anomaly detection engine FortiWeb fully protects against the OWASP TOP 10.
• FortiGuard Labs
Utilizing Fortinet’s renowned FortiGuard service FortiWeb customers get up to date dynamic protection from the Fortinet Global Security Research Team, which researches and develops protection against known and potential application security threats.
• Application Aware Load Balancing
Intelligent, application aware layer 7 load balancing eliminates performance bottlenecks, reduces deployment complexity and provides seamless application integration.
• Data Compression
Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers.
• SSL Offload
With the integration of award winning FortiASIC™ technology, FortiWeb is able to process tens of thousands of web transactions by providing hardware accelerated SSL offloading.

FortiWeb Protects Against a Wide Range of Attacks
Cross Site Scripting, SQL Injection, Session Hijacking, Cookie Tampering/Poisoning, Cross Site Request Forgery, Command injection, Remote File Inclusion, Forms Tampering, Hidden Field Manipulation, Outbound Data Leakage, HTTP Request Smuggling, Remote File Inclusion, Encoding Attacks, Broken Access Control, Forceful Browsing, Directory Traversal, Site Reconnaissance, Search Engine Hacking, Brute Force Login, Access Rate Control, Schema Poisoning, XML Parameter Tampering, XML Intrusion Prevention, WSDL Scanning, Recursive Payload, External Entity Attack, Buffer Overflows, Denial of Service.

FortiWeb Auto-Learn Profiling
The Auto-Learn profiling capability is completely transparent and does not require any changes to the application or network architecture. FortiWeb does not scan the application in order to build the profile, but rather analyzes the traffic as it monitors it flowing to the application. By creating a comprehensive security model of the application FortiWeb can now protect against any known or unknown vulnerabilities, zero day attacks.
Analyze user geographic location and web site access based on Hit, Data and Attack vectors.

Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

GLOBAL HEADQUARTERS
Fortinet Incorporated, 1090 Kifer Road, Sunnyvale, CA 94086 USA
Tel +1.408.235.7700, Fax +1.408.235.7737
/sales
EMEA SALES OFFICE – FRANCE
Fortinet Incorporated, 120 rue Albert Caquot, 06560, Sophia Antipolis, France
Tel +33.4.8987.0510, Fax +33.4.8987.0501
APAC SALES OFFICE – SINGAPORE
Fortinet Incorporated, 300 Beach Road 20-01, The Concourse, Singapore 199555
Tel: +65-6513-3734, Fax: +65-6295-0015
FWEB-DAT-R12-201206 FST-PROD-DS-FWEB
ESXi 4.1 with 3GB of vRAM assigned to the 4 vCPU and 8 vCPU FortiWeb Virtual Appliance and 1GB of vRAM assigned to the 2 vCPU FortiWeb Virtual Appliance.
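FortiWeb Basic Configuration
Contents
1. Purpose
2. Environment
3. FortiWeb True Transparent Proxy mode configuration
3.1. Enable True Transparent Proxy mode
3.2. Create the V-zone interface
3.3. Create the server objects
3.4. Create the server policy
3.5. View logs and test
4. Inline protection mode configuration
4.1. Enable inline protection mode
4.2. Configure network interfaces and routes
4.3. Create the server objects
4.4. Create the server policy
4.5. View logs and test
5. View the policy summary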
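1. Purpose
This document describes how to configure inline protection mode and True Transparent Proxy mode on FortiWeb MR3 and later.
FortiWeb supports 4 modes. The characteristics of each mode and the differences between them are as follows:
Inline protection (reverse proxy): in reverse proxy mode, traffic flows to the network interface and IP address of the virtual server.
FortiWeb forwards the traffic received by the virtual server to the physical server.
FortiWeb logs, blocks or modifies traffic according to the matching policy and the corresponding protection profile.
This mode supports user authentication.
Offline protection: FortiWeb monitors the traffic received by the virtual server, and logs or blocks traffic according to the matching policy and the corresponding protection profile.
If FortiWeb detects a malicious HTTP request, it attempts to reset the connection.
It does not modify any traffic.
This mode does not support user authentication.
True Transparent Proxy: in this mode, proxied traffic flows to the physical server.
Traffic is received on FortiWeb's layer 2 network interfaces, so using this mode does not require changing the user's network or server addressing scheme.
This mode supports HTTP authentication (HTTPS is not supported).
Transparent Inspection: in this mode, proxied traffic flows to the physical server and FortiWeb inspects it asynchronously. FortiWeb logs or blocks traffic according to the policy or protection profile and does not modify traffic in any way. It likewise does not require changing the user's network or server addressing scheme, and it does not support user authentication.
This document covers only the commonly used inline protection mode and True Transparent Proxy mode.
When switching modes, remember to save the configuration of the original mode.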
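2. Environment
This document uses a FortiWeb VM for the demonstration.
The system versions covered by this document are FortiWeb v4.0 MR3 and later.
The factory-default access methods are https, ping and ssh; interface port1; default login address: https://192.168.1.99; default login account: admin; the password is empty.
3. FortiWeb True Transparent Proxy mode configuration
This document uses FortiWeb to simulate a real environment: Port4 is the external interface and Port3 is the internal interface. Use this as a reference when configuring a hardware FortiWeb.
3.1. Enable True Transparent Proxy mode
In System Information under System Status, change the operation mode to True Transparent Proxy.
3.2. Create the V-zone interface
A V-zone is a virtual interface that bridges two layer 2 network interfaces, in this example Port3 and Port4.
Go to System—Network—V-zone and enter a name and the IP address of the V-zone interface. This IP can be any IP address that does not conflict with the existing network (this address is used for the traffic inspection proxy).
For the members, select the two interfaces that correspond to the internal and external networks.
3.3. Create the server objects
Server Objects—Server—create a new physical server
Server Objects—Server—create a new server farm
3.4. Create the server policy
Policy—create a new server policy
This completes the basic configuration of True Transparent Proxy mode.
After the configuration is complete, you can scan the protected server with Acunetix Web Vulnerability Scanner or another scanning tool to check whether FortiWeb is working properly.
3.5. View logs and test
When a protected server is accessed, the traffic log records the relevant information; when the access traffic is detected as an attack, the event is recorded in the attack log.
From the Log & Report menu you can view the traffic log and the attack event log of the protected server to check whether the configuration has taken effect.
Traffic log
Attack log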
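4. Inline protection mode configuration
FortiWeb inline protection mode can be deployed in one-arm mode, which is the example used in this document.
The lab topology is as follows: Port4 is the external interface, the IP address of the physical server is 192.168.118.3, and the IP of the virtual server is 192.168.118.212.
The external attacking host is 10.0.0.200.
Use this as a reference when configuring a hardware FortiWeb.
4.1. Enable inline protection mode
Log in to FortiWeb and, in System Information under System Status, change the operation mode to inline protection mode.
4.2. Configure network interfaces and routes
In one-arm mode, the gateway of the physical server is the Port4 interface, which can be connected to the external network directly or indirectly.
Create a route for FortiWeb so that it can reach the external network.
4.3. Create the server objects
Server Objects—Server—create a new physical server; this object is the real server.
Server Objects—Server—create a new virtual server; this address is the externally published address.
4.4. Create the server policy
Policy—create a new server policy
Likewise, once the configuration is complete, the method used for True Transparent Proxy can be used to check that inline protection mode is working.
4.5. View logs and test
Traffic log
Attack log
5. View the policy summary
The policy summary under System Status shows the HTTP access records, traffic information and attack records.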