FortiWeb - FortiGuard Licenses / subscriptions explined

Sergg · ‎11-15-2019

Dear Experts,

Can you please point me towards some technical explanations what are the protections/signatures provided by each type of FortiWeb FortiGard subscriptions.

Am I right that out of the box FortiWeb will cover standard OWASP 20, plus:

[ul]

Support Registration - harware support + new firmware versions

FortiGuard Security Service – there will be constant stream of product specific signatures

AV is self explanatory (I wonder why one need AV on WAF)

IP Reputation – will provide definition on known bot harms, and low score internet subnets

Credential Stuffing – “Fortinet’s Credential Stuffing Defense identifies login attempts using credentials that have been compromised using an always up-to-date feed of stolen credentials.”

FortiSandBox is self explanatory (again, not sure about need for this on the WAF)[/ul]

If there is a WAF device with NONE of the subscriptions – how much security can be delivered for Web Apps? Are there any "FortiGuard Security Service" come inside the firmware update with each new firmware version?

Here is example screenshot:

Regards,

Sergej

#### References ####

The definition from the Administrator guide is quite vague - https://docs.fortinet.com...702/fortiguard-updates

FortiGuard updates
One of the most important things you can do is to ensure that your FortiWeb is receiving regular updates from the FortiGuard FortiWeb Web Security service and FortiGuard Antivirus service.
Without these updates, your FortiWeb cannot detect the newest threats.
Event logs record FortiGuard update attempts. In addition to scheduling polls for automatic updates, you can also manually update the service packages or initiate an connectivity test to the FDN at any time. For details, see Connecting to FortiGuard services.

and - https://docs.fortinet.com/document/fortiweb/6.2.1/administration-guide/210196/blocking-known-attacks...

Blocking known attacks & data leaks
Many attacks and data leaks can be detected by FortiWeb using signatures. Enable signatures to defend against many attacks in the OWASP Top 10 (https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project), including many more:
[ul]Cross-site scripting (XSS)SQL injection and many other code injection stylesRemote file inclusion (RFI)Local file inclusion (LFI)OS commandsTrojans/virusesExploitsSensitive server information disclosurePersonally identifiable information leaks[/ul]
To defend against known attacks, FortiWeb scans:
[ul]Parameters in the URL of HTTP GET requestsParameters in the body of HTTP POST requestsXML in the body of HTTP POST requests (if Enable XML Protocol Detection is enabled. See To configure an inline protection profile.)CookiesHeadersJSON Protocol DetectionUploaded filename(MULTIPART_FORM_DATA_FILENAME)[/ul]
In addition to scanning standard requests, FortiWeb can also scan XML And Action Message Format 3.0 (AMF3) serialized binary inputs used by Adobe Flash clients to communicate with server-side software. For details, see Enable AMF3 Protocol Detection and Configuring a protection profile for inline topologies (for inline protection profiles) or Enable AMF3 Protocol Detection (for Offline Protection profiles).
Updating signatures
Known attack signatures can be updated. For information on uploading a new set of attack definitions, see Uploading signature & geography-to-IP updates and Connecting to FortiGuard services. You can also create your own; for details, see Defining custom data leak & attack signatures.