FortiGate
ManpreetSingh
Article Id 332909
Description

This article describes how to configure a Web Application Firewall (WAF) on a FortiGate firewall to protect a web server.

It covers enabling the WAF feature, configuring a WAF profile to guard against SQL Injection and Generic Attacks, setting up SSL Inspection with deep inspection and server protection, and applying these security profiles to the relevant firewall policy.

Scope

FortiGate.

Solution

To protect a web server behind the FortiGate using Web Application Firewall (WAF), follow these steps. This configuration requires enabling SSL Inspection with a deep-inspection profile and applying the 'Protecting SSL Server' settings.

Step 1: Enable the WAF Feature.

The WAF feature is not enabled by default. To enable it:

  1. Go to System -> Feature Visibility.
  2. Under the Security Features section, enable Web Application Firewall (WAF).

Step 2: Configure the WAF Profile.

Create a new WAF profile or edit the default one to protect against SQL Injection and Generic Attacks.

  1. Go to Security Profiles -> Web Application Firewall.
  2. Edit the default profile or create a new one.
  3. In the profile:
    1. Locate the SQL Injection (Extended) and Generic Attacks (Extended) signatures.
    2. For each signature:
      1. Set Status to Enable.
      2. Set Action to Block and Severity to High.
    3. Select OK to save the changes.

Step 3: Configure SSL Inspection for Protecting the SSL Server.

To protect the web server, modify the deep-inspection profile to use the 'Protecting SSL Server' setting and ensure the correct server certificate is applied.

  1. Go to Security Profiles -> SSL/SSH Inspection.
  2. Edit the existing deep-inspection profile or create a new one.
  3. In the profile:
    1. Change the SSL Inspection option to Protecting SSL Server.
    2. Under Server Certificate, import and select the certificate of the web server.

Step 4: Apply the Security Profiles to the Firewall Policy.

Finally, apply the configured WAF and SSL Inspection profiles to the firewall policy that allows access to the web server.

  1. Go to Policy & Objects -> IPv4 Policy.
  2. Edit the policy that allows traffic to the web server.
  3. Under the Security Profiles section:
    1. Enable and select the configured WAF profile.
    2. Enable and select the configured SSL Inspection profile.
  4. Select OK to save the policy.
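The same four steps expressed as one FortiOS CLI configuration, added here as an example rather than taken from the article. The profile and certificate names, policy ID 10 and the two main-class IDs are assumptions; check the IDs against the signature list of your firmware version before applying.

```text
# Added example, not from the article: FortiOS CLI equivalent of Steps 1-4.
# Profile/certificate names, policy ID 10 and the main-class IDs are assumptions;
# check the IDs against the signature list of your firmware version.
# Step 1: make the WAF profile visible in the GUI
config system settings
    set gui-waf-profile enable
end
# Step 2: block SQL Injection (Extended) and Generic Attacks (Extended)
config waf profile
    edit "waf-webserver"
        config signature
            config main-class
                # SQL Injection (Extended), assumed ID
                edit 100000000
                    set status enable
                    set action block
                    set severity high
                next
                # Generic Attacks (Extended), assumed ID
                edit 110000000
                    set status enable
                    set action block
                    set severity high
                next
            end
        end
    next
end
# Step 3: "Protecting SSL Server" with the web server's own certificate
config firewall ssl-ssh-profile
    edit "ssl-protect-webserver"
        set server-cert-mode replace
        set server-cert "webserver-cert"
        config https
            set status deep-inspection
        end
    next
end
# Step 4: bind both profiles to the inbound policy (WAF needs proxy inspection)
config firewall policy
    edit 10
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "ssl-protect-webserver"
        set waf-profile "waf-webserver"
    next
end
```

The policy must be the one that carries traffic to the web server, and it must run in proxy inspection mode, because a WAF profile cannot be attached to a flow-mode policy.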

With these profiles applied, the FortiGate protects the web server behind it with the Web Application Firewall and with SSL Inspection in deep-inspection, server-protection mode.

Note: If the web service runs on a different port, create a new protocol options profile under Policy & Objects -> Protocol Options and change the HTTP port to the one used in the specific scenario, then select that protocol options profile on the relevant policy. The same change is also required in the SSL Inspection profile under Protocol Port Mapping: add the port to the HTTPS field after port 443, separated by a comma, or choose the Inspect all ports option.

Related document: 

How to investigate if WAF is not generati... - Fortinet Community