To protect a web server behind the FortiGate using Web Application Firewall (WAF), follow these steps. This configuration requires enabling SSL Inspection with a deep-inspection profile and applying the 'Protecting SSL Server' settings.

Step 1: Enable the WAF Feature.

The WAF feature is not enabled by default. To enable it:

1. Go to System - Feature Visibility.
2. Under the Security Features section, enable Web Application Firewall (WAF).

Step 2: Configure the WAF Profile.

Create a new WAF profile or edit the default one to protect against SQL Injection and Generic Attacks.

1. Go to Security Profiles -> Web Application Firewall.
2. Edit the default profile or create a new one.
3. In the profile:
   1. Locate the SQL Injection (Extended) and Generic Attacks (Extended) signatures.
   2. For each signature:
      1. Set Action to Enable.
      2. Set Action to Block and Severity to High.
   3. Select OK to save the changes.
   4.  The values of the constraints can be adjusted based on the security requirements and the specific needs of the web applications.

Step 3: Configure SSL Inspection for Protecting the SSL Server.

To protect the web server, modify the deep-inspection profile to use the 'Protecting SSL Server' setting and ensure the correct server certificate is applied.

1. Go to Security Profiles -> SSL/SSH Inspection.
2. Edit the existing deep-inspection profile or create a new one.
3. In the profile:
   1. Change the SSL Inspection option to Protecting SSL Server.
   2. Under Server Certificate, import and select the certificate of the web server.

Note:

To upload the web server certificate and troubleshoot refer to these KB articles:

Technical Tip: SSL/TLS and the use of Digital Certificates.

Troubleshooting Tip: A guide to FortiGate and certificate issues.

Troubleshooting Tip: Fixing the error 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert.

Step 4: Apply the Security Profiles to the Firewall Policy.

Finally, apply the configured WAF and SSL Inspection profiles to the firewall policy that allows access to the web server.

1. Go to Policy & Objects -> IPv4 Policy.
2. Edit the policy that allows traffic to the web server.
3. Under the Security Profiles section:
   1. Enable and select the configured WAF profile.
   2. Enable and select the configured SSL Inspection profile.
4. Select OK to save the policy.

The FortiGate will effectively protect the web server behind it using the Web Application Firewall and SSL Inspection with deep inspection and server protection settings.

Note: If the web service is running on a different port, create a new protocol-option profile on Policy&Objects -> Protocol. Option and modify the HTTP port to the one that is being used in the specific scenario. Then on the relevant policy, choose the new protocol option. It will also be necessary to perform this change on the SSL Inspection profile under Protocol Port Mapping. The port can be added on the HTTPS field using a comma after port 443, or by choosing the Inspect all ports option.

Related document:

Troubleshooting Tip: How to investigate if WAF is not generating logs for blocked traffic