FortiWeb应用防火墙#

HighlightsValidatedSecurityUniversal PlatformSupportOne NetworkOSSingle Paneof GlassPerformanceFortiGate appliances, interconnectedwith the Fortinet Security Fabric,form the backbone of theFortinet Enterprise Solution/sfDATA SHEETFortiGate/FortiWiFi® 30E Unified Threat Management Distributed Enterprise FirewallDATA SHEET: FortiGate/FortiWiFi 30EHARDWAREInstall in Minutes with FortiExplorerThe FortiExplorer wizard enables easy setup and configuration coupled with easy-to-follow instructions. FortiExplorer runs on popular mobile devices like Android and iOS. Using FortiExplorer is as simple as starting the application and connecting to the appropriate USB port on the FortiGate. By using FortiExplorer, you can be up and running and protected in minutes.Wireless and 3G/4G WAN ExtensionsThe FortiGate supports external 3G/4G modems that allow additional or redundant WAN connectivity for maximum reliability. The FortiGate can also operate as a wireless access point controller to further extend wireless capabilities.Compact and Reliable Form FactorDesigned for small environments, you can simply place the FortiGate/FortiWiFi 30E on a desktop. It is small, lightweight yet highly reliable with superior MTBF (Mean Time Between Failure), minimizing the chance of a network disruption.Superior Wireless CoverageA built-in dual-band, dual-stream access point with internal antennas is integrated on the FortiWiFi 30E and provides speedy 802.11n coverage on both 2.4 GHz and 5 GHz bands. The dual- band chipset addresses the PCI-DSS compliance requirement for rogue AP wireless scanning, providing maximum protection for regulated environments.Interfaces1. USB Port2. Console Port3. 1x GE RJ45 WAN Port4. 4x GE RJ45 Switch PortsFortiGate 30EFortiWiFi 30EInterfaces1. USB Port2. Console Port3. 1x GE RJ45 WAN Port4. 4x GE RJ45 Switch PortsSERVICESFortiGuard ™ Security ServicesFortiGuard Labs offers real-time intelligence on the threat landscape, delivering comprehensive security updates across the full range of Fortinet’s solutions. Comprised of security threat researchers, engineers, and forensic specialists, the team collaborates with the world’s leading threat monitoring organizations, other network and security vendors, as well as law enforcement agencies:§Real-time Updates — 24x7x365 Global Operations research security intelligence, distributed via Fortinet Distributed Network to all Fortinet platforms.§Security Research — FortiGuard Labs have discovered over 170 unique zero-day vulnerabilities to date, totaling millions of automated signature updates monthly.§Validated Security Intelligence — Based on FortiGuard intelligence, Fortinet’s network security platform is tested and validated by the world’s leading third-party testing labs and customers globally.FortiCare ™ Support ServicesOur FortiCare customer support team provides global technical support for all Fortinet products. With support staff in the Americas, Europe, Middle East and Asia, FortiCare offers services to meet the needs of enterprises of all sizes:§Enhanced Support — For customers who need support during local business hours only.§Comprehensive Support — For customers who need around-the-clock mission critical support, including advanced exchange hardware replacement.§Advanced Services — For global or regional customers who need an assigned Technical Account Manager, enhanced service level agreements, extended software support, priority escalation, on-site visits and more.§Professional Services — For customers with more complex security implementations that require architecture and design services, implementation and deployment services, operational services and more.Enterprise BundleFortiGuard Labs delivers a number of security intelligence services to augment the FortiGate firewall platform. You can easily optimize the protection capabilities of your FortiGate with the FortiGuard Enterprise Bundle. This bundle contains the full set of FortiGuard security services plus FortiCare service and support offering the most flexibility and broadest range of protection all in one package.For more information, please refer to the FortiOS data sheet available at filter web traffic based on millions of real-time URL ratings. §Detect, contain and block advanced attacks automatically in minutes with integrated advanced threat protection framework. §Solve your networking needs with extensive routing, switching, WiFi, LAN and WAN capabilities.§Activate all the ASIC-boosted capabilities you need on the fastest firewall platform available.GLOBAL HEADQUARTERS Fortinet Inc.899 Kifer RoadSunnyvale, CA 94086United StatesTel: +/salesEMEA SALES OFFICE 905 rue Albert Einstein Valbonne 06560Alpes-Maritimes, France Tel: +33.4.8987.0500APAC SALES OFFICE 300 Beach Road 20-01The Concourse Singapore 199555Tel: +65.6395.2788LATIN AMERICA SALES OFFICE Sawgrass Lakes Center13450 W. Sunrise Blvd., Suite 430 Sunrise, FL 33323United StatesTel: +1.954.368.9990Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary and may be significantly less effective than the metrics stated herein. Network variables, different network environments and other conditions may negatively affect performance results and other metrics stated herein. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet and any such commitment shall be limited by the disclaimers in this paragraph and other limitations in the written contract. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests, and in no event will Fortinet be responsible for events or issues that are outside of its reasonable control. Notwithstanding anything to the contrary, Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.DATA SHEET: FortiGate/FortiWiFi30EFirewall Latency (64 byte UDP packets)130 μs Firewall Throughput (Packets Per Second)180 Kpps Concurrent Sessions (TCP)900,000New Sessions/Second (TCP)15,000Firewall Policies5,000IPsec VPN Throughput (512 byte packets)75 Mbps Gateway-to-Gateway IPsec VPN Tunnels 200Client-to-Gateway IPsec VPN Tunnels 250SSL-VPN Throughput35 Mbps Concurrent SSL-VPN Users (Recommended Maximum)80IPS Throughput (HTTP / Enterprise Mix) 1600 / 240 Mbps SSL Inspection Throughput 2200 Mbps Application Control Throughput 3300 Mbps NGFW Throughput 4200 Mbps Threat Protection Throughput 5150 Mbps CAPWAP Throughput6950 Mbps Virtual Domains (Default / Maximum)5 / 5Maximum Number of FortiAPs (Total / Tunnel Mode) 2 / 2Maximum Number of FortiTokens20Maximum Number of Registered FortiClients 200High Availability ConfigurationsActive/Active, Active/Passive, ClusteringSPECIFICATIONSORDER INFORMATIONNote: A ll performance values are “up to” and vary depending on system configuration. IPsec VPN performance is based on512 byte UDP packets using AES-256+SHA1. 1. IPS performance is measured using 1 Mbyte HTTP and Enterprise Traffic Mix. 2. SSL Inspection is measured with IPS enabled and HTTP traffic, using TLS v1.2 with AES256-SHA. 3. Application Control performance is measured with 64 Kbytes HTTP traffic. 4. NGFW performance is measured with IPS and Application Control enabled, based on Enterprise Traffic Mix. 5. Threat Protection performance is measured with IPS and Application Control and Malware protection enabled, based on Enterprise Traffic Mix. 6. CAPWAP performance is based on 1444 byte UDP packets.。

设置FortiWeb基本配置说明：本文档针对出厂的FortiWeb基本配置进行说明。

建议所有FortiWeb设备在进行简单配置后再开始部署。

本文的后半部分介绍网页防篡改功能。

环境介绍：本文使用FortiWeb1000B做演示。

本文使用的系统版本为4.0.。

步骤一：访问设备出厂设备默认的访问方式是：https、ping、ssh；接口，port1；IP，192.168.1.99；console访问方式：每秒位数9600；数据位8；奇偶校验无；停止位1；数据流控制无。

管理员登陆地址：https://192.168.1.99登陆帐号：admin 密码为空在命令行下恢复出厂设置的方法：execute factoryreset步骤二：系统设置在system—admin—settings中设置语言和超时时间在系统—网络—接口中设置接口IP和访问方式在系统—网络—DNS中配置DNS地址在系统—配置—操作中设置模式在系统—管理—管理员中设置管理员密码点击按钮设置密码在系统--维护—系统时间中设置时间在路由—静态中设置路由步骤三：网页防篡改设置网页防篡改功能可以防止静态网页被恶意修改。

它的原理是将所有静态页面备份到FortiWeb的硬盘中，并定期检查Web服务器上页面状态，当网页被恶意修改时，FortiWeb用备份页面还原，保护网站安全。

在网页防篡改中点击新建：主机名/IP地址：输入Web服务器IP连接类型：支持FTP，SSH和Windows共享超过此大小的文件不做监控：默认为10M，可根据实际情况调整不做监控的文件类型：可以规定某些较大的视频或压缩文件不做监控文件有改动时自动恢复到改动前内容：建议勾选。

开启次功能后监控文件有任何改动都会恢复到原始状态，管理员需要通过FortiWeb的上传工具更新页面。

点击确定后过一段时间可以看到状态为已连接，表示FortiWeb将所有监控文件备份到硬盘。

点击已备份文件可以看到文件的详细信息。

设置FortiWeb 透明模式自学习说明：本文档针对FortiWeb 透明模式自学习配置进行说明。

透明模式指FortiWeb 透明部署在服务器和防火墙之间，通过代理HTTP流量，自动学习Web服务器的url访问记录，http访问方法，攻击记录和页面参数输入规则等信息，并生成流量日志和攻击日志的过程。

自学习一段时间后FortiWeb可以根据自学习结果生成推荐配置，将配置加载到服务器策略就可以保护Web服务器安全。

环境介绍：本文使用FortiWeb1000B做演示。

本文使用的系统版本为4.0.。

步骤一：部署方式如下图所示，FortiWeb的管理接口（port1）与上游交换机连接，用于管理设备。

两个V-zone接口分别与上游交换机和下游服务器连接，做透明代理。

不需要更改用户三层环境。

步骤二：配置模式在系统—状态中可以看到工作模式如果不是透明模式，点击更改，将模式改为透明模式步骤三：配置V-zone在系统—网络—Bridge中点击新建。

IP：配置一个与服务器同网段的IP接口成员：根据步骤一的拓扑定义成员，本例是port3和port4步骤四：配置服务器在服务器策略—服务器中设置物理服务器：指向真实的Web服务器地址服务：使用的tcp端口，预定义为80和443，本例使用8000端口 在服务器策略—服务—自定义中设置步骤五：配置自学习内容表在自动学习—默认自动学习规范中输入名称，选择在线保护步骤六：配置策略在服务器策略—策略中点击新建。

选择步骤三中定义好的V-zone接口；选择步骤四中定义好的物理服务器和服务；设置服务器端口，本例为8000；选择步骤五中定义好的Web保护规范和WAF自学习规范。

步骤七：察看自学习内容在自动学习—自动学习报告中点击察看报告。

报告中记录了用户访问过的所有URL、产生的攻击和页面的参数记录。

点击一个页面在参数中可以参看该页面参数规则。

步骤八：察看日志在日志—攻击中可以察看攻击日志步骤九：生成自学习配置在自学习报告中点击生成配置输入配置名称，配置类型选择inline，因为offline自学习是为inline模式作准备在Web保护—Web保护规范—inline保护规范中察看生成的配置。

Version2.8.3版本说明本手册包含了WAF_2.5版本以及后续版本的版本说明，主要介绍了各版本的新增功能、已知问题等内容。

l WAF2.8.3l WAF2.8l WAF_2.7.3l WAF_2.7.1l WAF_2.7l WAF_2.6.5l WAF_2.6l WAF_2.5.1l WAF_2.5WAF2.8.3发布日期：2021年11月19日本次发布主要支持如下功能：l新增WAF国产平台型号SG-6000-W5160-GC，采用飞腾8核处理器，性能更加强大。

l支持识别、转发非HTTP协议流量（HTTP站点）和非SSL协议流量（HTTPS站点），可精准防护HTTP协议流量，同时识别、转发非HTTP协议流量，兼顾用户的安全需求和业务需求。

l基于ARM架构的vWAF以及SG-6000-W5160-GC和SG-6000-W3060-GC支持漏洞扫描功能。

版本发布相关信息：https:///show_bug.cgi?id=25662平台和系统文件新增功能已解决问题已知问题浏览器兼容性以下浏览器通过了WebUI测试，推荐用户使用：l IE11l Chrome获得帮助Hillstone Web应用防火墙设备配有以下手册：请访问https://进行下载。

l《Web应用防火墙_WebUI用户手册》l《Web应用防火墙_CLI命令行手册》l《Web应用防火墙_硬件参考指南》l《Web应用防火墙典型配置案例手册》l《Web应用防火墙日志信息参考指南》l《Web应用防火墙SNMP私有MIB信息参考指南》l《vWAF_WebUI用户手册》l《vWAF_部署手册》l《WAF国产系列_硬件参考指南》服务热线：400-828-6655官方网址：https://WAF2.8发布日期：2021年9月17日本次发布主要支持如下功能：l vWAF支持部署在基于鲲鹏和飞腾架构的虚拟化平台上。

l支持多虚拟路由器模式，站点可通过绑定不同的虚拟路由器对Web网站进行精细化防护。

While web applications are now an integral part of every company’s core business infrastructure, they also provide a high profile target for malicious activities. These malicious activities can range from simple defacement attacks to more damaging denial of service attacks or data harvesting attacks. The more serious malicious activity can result in damage to customer confidence and loyalty, brand reputation, and corporate credibility. Mandated by the Payment Card and Industry Data Security Standard (PCI DSS) regulatory framework, the protection of web applications are a tremendous challenge that traditional security tools are unable to solve.The FortiWeb-1000B appliance protects web applications and web services from attacks and data loss. Using advanced techniques to protect against SQL injection, Cross site scripting and a range of other attacks, FortiWeb appliances help to prevent identity theft, financial fraud, and corporate espionage that can result in significant damage to a corporation’s bottom-line. With Web Application Firewall, XML Firewall, Web Traffic Acceleration, and Application Traffic Balancer capabilities built into one hardware accelerated platform, the FortiWeb-1000B appliance meets data security standards, reduces deployment effort, and offers cost-effective web application security for any medium or large enterprise.FortiWeb ™-1000BMedium Enterprise Large EnterpriseCombined Web Application and XML Firewall••••••••••••••••••Datasheet••••••••••••••••••Inline Reverse Proxy, Transparent, and Offline Deployment ModesAuto-Learning Security ProfilesFortiWeb-1000B (FWB-1000B)FLEXIBLE DEPLOYMENT OPTIONSFortiWeb supports inline reverse proxy, transparent, and offline deployment modes. It provides a totally flexible solution to introduce FortiWeb into existing network implementations without the need for a network-level redesign. The offline mode and transparent mode can monitor and analyze real time web traffic, without requiring changes to the existing web application or network infrastructure.Copyright© 2009 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.FWB1000B-DAT-R1-0909GLOBAL HEADQUARTERS Fortinet Incorporated1090 Kifer Road, Sunnyvale, CA 94086 USA Tel +1-408-235-7700 Fax +/sales EMEA SALES OFFICE-FRANCE Fortinet Incorporated 120 rue Albert Caquot06560, Sophia Antipolis, France Tel +33-4-8987-0510 Fax +33-4-8987-0501APAC SALES OFFICE-SINGAPORE Fortinet Incorporated 61 Robinson Road#09-04 Robinson Centre Singapore 068893Tel: +65-6513-3730Fax: +65-6223-6784。

Transparent Inspection orTrue Transparent ProxyOf lne Mode orReverse Proxy• Multiple deployment optionsTransparent Inspection and True Transparent Proxy, Reverse Proxy and Offline Allow you to fit FortiWeb into any environ-ment.• Auto-Learn Security ProfilingAutomatically and dynamically build a security model of protected applications by continuously monitoring real time user activity. Eliminate the need for manual con-figuration of security profiles.• Authentication OffloadOffload your web server authentication to the Forti-Web platform while supporting different authentication schemes such as Local, LDAP, NTLM and Radius.• Policy wizard and pre-defined policiesAllows for one click deployments and greatly eases the process of policies creation.• High AvailabilityThe high availability mode provides configuration syn-chronization and allows for a network-level fail- overin the event of unexpected outage events. Integratedbypass interfaces provide additional fail open capability for single box deployments.• VirtualizationProvides a Virtual Appliance for VMware ESX and ESXi3.5/4.0/4.1 platforms mitigating blind spots in virtualenvironments.• Application Layer Vulnerability ProtectionProvide out of the box protection for the most complex attacks such as SQL Injection, Cross Site Scripting,CSRF and many others. Together with the Auto Learn profiling system and advanced abilities, FortiWeb is able to create rules down to the single application element.• Data Leak PreventionExtended monitoring and protection for credit cardleakage and application information disclosure by tightly monitoring all outbound traffic. Allow customers tocreate their own granular signatures and DLP patterns together with predefined rules for any type of events.• Application SupportStreamlined monitoring and protection for well-known applications and protocols such as Microsoft Exchange, SharePoint, ActiveSync and RPC over HTTP.• Anti Web DefacementUnique capabilities for monitoring protected applications for any defacement and ability to automatically and quickly revert to stored version.• Vulnerability AssessmentsAutomatically scans and analyzes the protected webapplications and detects security weaknesses, potential application known and unknown vulnerabilities to com-plete a comprehensive solution for PCI DSS.• HTTP RFC Compliance ValidationFortiWeb blocks any attacks manipulating the HTTPprotocol by maintaining strict RFC standards to prevent attacks such as encoding attacks, buffer overflows and other application specific attacks.• AntivirusScan file uploads using Fortinet’s Antivirus engine with regular FortiGuard updates.• PCI DSS complianceFortiWeb is the only product that provides a Vulnerabil-ity Scanner module within the web application firewall that completes a comprehensive solution for PCI DSS requirement 6.6.• Protects against OWASP top 10Incorporating a positive and a negative security modulebased on bidirectional traffic analysis and an embeddedbehavioral based anomaly detection engine FortiWeb fully protects against the OWASP TOP 10.• FortiGuard LabsUtilizing Fortinet’s renowned FortiGuard service FortiWebcustomers get up to date dynamic protection from the Forti-net Global Security Research Team, which researches and develops protection against known and potential application security threats.• Application Aware Load BalancingIntelligent, application aware layer 7 load balancingeliminates performance bottlenecks, reduces deploy-ment complexity and provides seamless applicationintegration.• Data CompressionAllows efficient bandwidth utilization and response time to users by compressing data retrieved from servers.• SSL OffloadWith the integration of award winning FortiASIC™ tech-nology, FortiWeb is able to process tens of thousands of web transactions by providing hardware accelerated SSL offloading.Cross Site Scripting SQL Injection Session Hijacking Cookie Tampering /PoisoningCross Site Request Forgery Command injection Remote File InclusionForms TamperingHidden Field Manipulation Outbound Data Leakage HTTP Request Smuggling Remote File Inclusion Encoding AttacksBroken Access Control Forceful Browsing Directory Traversal Site Reconnaissance Search Engine Hacking Brute Force Login Access Rate Control Schema PoisoningXML Parameter Tampering XML Intrusion PreventionWSDL Scanning Recursive Payload External Entity Attack Buffer Overflows Denial of Service.FortiWeb Protects Against a Wide Range of AttacksThe Auto-Learn profiling capability is completely transparent and does not require any changes to the application or network architecture. FortiWeb does not scan the application in order to build the profile, but rather analyzes the traffic as it monitors it flowing to the application. By creating a comprehensive security model of the application FortiWeb can now protect against any known or unknown vulnerabilities, zero day attacks.FortiWeb Auto-Learn ProfilingAnalyze user geographic location and web site access based on Hit, Data and Attack vectors.Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.GLOBAL HEADQUARTERSFortinet Incorporated1090 Kifer Road, Sunnyvale, CA 94086 USA Tel +1.408.235.7700 Fax +1.408.235.7737/salesEMEA SALES OFFICE – FRANCEFortinet Incorporated 120 rue Albert Caquot06560, Sophia Antipolis, France Tel +33.4.8987.0510Fax +33.4.8987.0501APAC SALES OFFICE – SINGAPOREFortinet Incorporated300 Beach Road 20-01, The Concourse Singapore 199555Tel: +65-6513-3734Fax: +65-6295-0015FWEB-DAT-R12-201206FST-PROD-DS-FWEBESXi 4.1 with 3GB of vRAM assigned to the 4 vCPU and 8 vCPU FortiWeb Virtual Appliance and 1GB of vRAM assigned to the 2 vCPU FortiWeb Virtual Appliance.。

WebApplicationFirewall（WAF）入门Web Application Firewall又名WEB应用安全防火墙，简称WAF，07年底08年开始Web应用防火墙日趋流行，过去这些工具被很少数的大型项目垄断，但是，随着大量的低成本产品的面市以及可供选择的开源试用产品的出现，它们最终能被大多数人所使用。

在这篇文章中，先向大家介绍Web应用防火墙能干什么，然后快速的概览一下Web应用防火墙最有用的一些特征。

通过这篇文章的阅读，大家能清楚地了解web应用防火墙这个主题，掌握相关知识。

什么是web应用防火墙？有趣的是，还没有人能真正知道web应用防火墙究竟是什么，或者确切的说，还没有一个大家认可的精确定义。

从广义上来说，Web 应用防火墙就是一些增强 Web应用安全性的工具。

然而，如果我们要深究它精确的定义，就可能会得到更多的疑问。

因为一些Web应用防火墙是硬件设备，一些则是应用软件；一些是基于网络的，另一些则是嵌入WEB服务器的。

国外市场上具有WEB应用防火墙功能的产品名称就有不同的几十种，更不用说是产品的形式和描述了。

它难以界定的原因是这个名称包含的东西太多了。

较低的网络层（Web应用防火墙被安置在第七层）被许多设备所覆盖，每一种设备都有它们独特的功能，比如路由器，交换机，防火墙，入侵检测系统，入侵防御系统等等。

然而，在HTTP 的世界里，所有这些功能都被融入在一个设备里：Web应用防火墙。

总体来说，Web应用防火墙的具有以下四个方面的功能：1. 审计设备：用来截获所有HTTP数据或者仅仅满足某些规则的会话2. 访问控制设备：用来控制对Web应用的访问，既包括主动安全模式也包括被动安全模式3. 架构/网络设计工具：当运行在反向代理模式，他们被用来分配职能，集中控制，虚拟基础结构等。

4. WEB应用加固工具：这些功能增强被保护Web应用的安全性，它不仅能够屏蔽WEB应用固有弱点，而且能够保护WEB应用编程错误导致的安全隐患。

FAQFortiWeb: Web Application Firewall (WAF) Comprehensive, High-Performance Web Application SecurityCan’t an IPS or Firewall provide protection for hosted web-based applications?Next Generation and Application Aware IPS firewalls extend and enhance protection and add additional functionality but the majority ofthe ‘application aware’ functionality is focused on securing/restricting internal clients when accessing the internet but not securing internal applications from external threats. Web Application Firewalls are different as they protect internal web applications from sophisticated application layer external attacks. They provide both a positive and negative security model and protect against the major threats to applications today (SQL Injection, Cross Site Scripting, URL Access, CSRF, Injection attacks and more).Why is FortiWeb’s AI-based Machine Learning threat detection superior to other threat detection methods?Other vendors use application learning using an observational method to automate profile creation for web-based application protection. Application learning is a good detection method, but it has many drawbacks. These include:n high false-positive detectionsnnn labor-intensive to fine tunenn unobserved legitimate traffic creates anomaliesn aggressive tuning lets attacks slip through more easilynnn changes to the application require substantial re-learning to prevent false-positive detectionsFortiWeb’s behavioral detection uses two layers of AI-based machine learning and statistical probabilities to detect anomalies and threats separately. With machine learning FortiWeb is able to deliver near 100% application threat detection accuracy with virtually no resources required to manage it. AI-based machine learning for FortiWeb creates nearly a “set and forget” web application firewall that doesn’t sacrifice accuracy for ease of management.What size WAF do I need?There are many factors that determine WAF sizing ranging from application throughput, numbers of users, and number of sites to be protected. We strongly recommend discussing your requirements with a Fortinet Partner to find the best option to meet your needs.How does FortiWeb Cloud differ from an on-prem FortiWeb deployment?FortiWeb Cloud is a ‘skinny’ WAF solution offering negative security model rules while the FortiWeb platform is a full blown WAF offering both positive and negative security models. Most customers using a Cloud WAF are looking for a set-it-and-forget type solution that they can quickly configure and use without having to manage daily. By offering a subset of what FortiWeb on-prem offers but with a simple, straightforward configuration and management FortiWeb Cloud addresses these requirements.Do I need a WAF if I already have a Secure Web Gateway (SWG)?Yes. A SWG protects users within the organization from accessing infected external websites or undesirable content hosted outside of the organization. A WAF protects hosted web-based applications from attacks that are initiated by external attackers. A simplified view is the SWGs protect users and WAFs protect applications.1Copyright © 2019 Fortinet, Inc. All rights reserved. Fortinet , FortiGate , FortiCare and FortiGuard , and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be February 19, 2019 9:51 AM Mac:Users:susiehwang:Desktop:Egnyte:Egnyte:Shared:Creative Services:Team:Susie-Hwang:Egnyte:Shared:CREATIVE SERVICES:Team:Susie-Hwang:2019:FAQ-FortiWeb:FAQ-FortiWeb-021919-950am FAQ | FortiWeb: Web Application Firewall (WAF)358956-0-0-EN FortiWeb WAF vs. WAF in an ADCA dedicated WAF appliance will not decrease performance, plus an appliance like FortiWeb has the processing power to perform behavior-based detection of application attacks. Most WAF modules on ADCs offer only basic WAF protection for applications.Can a FortiWeb permanently patch application vulnerabilities?Yes it can. FortiWeb can provide temporary application patching until development teams are able deploy permanent patches forvulnerabilities, or it can permanently patch them. It is usually recommended to permanently fix a known vulnerability, however there are many situations where that isn’t possible or practical, such as inherited applications or older applications that are about to be retired.。

构建全面的WEB应用安全系统FortiWEBFortinet SE Jerry Wang议程Web 威胁概述FortiWEB 介绍Fortiweb 产品线成功案例1234Fortinet 公司介绍5Web应用安全•web网站安全•企业对外宣传、营销、甚至工作流程Web化•客户、员工、合作伙伴间通过web进行互动•web网站的安全包括三个特质：保密性、完整性、可用性•90%的Web应用有安全缺陷：•跨站攻击(XSS) –80%•SQL注入–62%•参数篡改–60%•Cookie 毒化–37%•Web威胁在不断增加•攻击漏洞查找方式的多样化•SQL注入的发生在2006年增加了超过1000%•每天有2,500 个Web服务器被‘黑’现有的安全设备•网络层防火墙•IPS•UTM•流量分析•流量控制•网页防篡改•上网行为管理•网络督察当前的Web威胁Web威胁”就是利用Internet 对Web服务执行各种恶意活动，如身份窃取、私密信息窃取、带宽资源占用等。

面对Web威胁的快速增长，传统的安全防护技术对Web威胁越来越感到无能为力几乎所有的Web威胁都无法被防病毒软件发现目前安全现状（2010年）•甘肃省人事厅网站被黑2010年4月24日有图有真相•/topic/readSub_11428108_0_0.html•2010年5月29号派带网站被黑•/hyzx/dzsw/2010/0529/143.html•微软官方网站被黑出现大量少儿不宜的内容•/publicforum/content/free/1/1831203.shtml •北京大学网站被黑黑客假北大校长名义发文•/a/20080928/000072.htm•佛山中级人民法院网站被“黑”•/20100803/n273943860.shtml2010年1月12日早上，搜索引擎网站百度（）被发现无法打开，网站处于无法访问状态，也没有出现任何提示消息。

据网友反应，今早8点多，曾经被定向到一个“Iranian Cyber Army”（中文：伊朗网军）网页上。

第1章第2章2.1 2.2 2.2.1 2.2.2 2.2.3 2.3 2.4 第3章3.1 3.2录FORTINET 配置步骤配置步骤...... 2 FORTINET 防火墙日常操作和维护命令 (29)防火墙配置......29 防火墙日常检查 (29)防火墙的会话表：（系统管理－状态－会话）......29 检查防火墙的CPU、内存和网络的使用率......31 其他检查 (31)异常处理……31 使用中技巧……32 FORTGATE 防火墙配置维护及升级步骤……33 FORTIGATE 防火墙配置维护......33 FORTIGATE 防火墙版本升级 (33)第1章Fortinet 配置步骤章1.1.1.1 Fortigate 防火墙基本配置Fortigate 防火墙可以通过“命令行”或“WEB 界面”进行配置。

本手册主要介绍后者的配置方法。

首先设定基本管理IP 地址，缺省的基本管理地址为P1 口192.168.1.99，P2 口192.168.100.99。

但是由于P1 口和P2 口都是光纤接口，因此需要使用Console 口和命令行进行初始配置，为了配置方便起见，建议将P5 口配置一个管理地址，由于P5 口是铜缆以太端口，可以直接用笔记本和交叉线连接访问。

之后通过https 方式登陆到防火墙Internal 接口，就可以访问到配置界面1.系统管理”菜单1.1 “状态”子菜单1.1.1 “状态”界面“状态”菜单显示防火墙设备当前的重要系统信息，包括系统的运行时间、版本号、OS 产品序列号、端口IP 地址和状态以及系统资源情况。

如果CPU 或内存的占用率持续超过80%，则往往意味着有异常的网络流量（病毒或网络攻击）存在。

1.1.2 “会话”显示界面Fortigate 是基于“状态检测”的防火墙，系统会保持所有的当前网络“会话”（sessions）。

这个界面方便网络管理者了解当前的网络使用状况。

功能优点硬件加速FortiASIC 有效地提高设备处理速度，从而使安全防护体系不会成为网络的瓶颈。

FortiGate 3950BFortiGate3951B根据需求可扩展性能Fortinet 标准的扩展插槽可以扩展具有处理能力接口板，也可以扩展数据存储能力，从而提高整体的灵活性一体化的安全架构FortiGate 集多种功能于一体，与采用多个单一功能设备的解决方案相比，以低成本提供更好的防护。

集中管理通过FortiManager 和FortiAnalyzer 可以对该设备进行集中管理和日志，从而简化部署、监控和维护。

WeFortiGate ® -3950系列万兆多功能安全设备FortiGate 3950系列为大型企业及数据中心提供了高性能的、可扩展的、综合网络安全体系的解决方案。

FortiGate 3950系列融合多种安全技术于一体：基于FortiASIC 的硬件结构，可扩展的模块化设计，专用的安全FortiOS 内核。

高性能的硬件平台FortiGate 3950系列采用了模块化设计和FortiASIC 技术，最大可以扩展到120Gbps 防火墙吞吐量。

该系列产品实现了万兆和千兆级别上的线速防火墙处理，从而使得用户安全体系的速度能够跟上网络速度的提高。

模块化结构FortiGate 3950B 和FortiGate3951B 采用紧凑型设计，模块化3U 设备，最多可以支持五块FMC 插槽。

可以实现千兆到万兆的线速汇聚和网状互联。

FortiGate 3951B 还提供了四个Fortinet 存储模块(FSM)，其中预装了一块64GB 的固态硬盘卡。

存储模块可以提供本地化存储和为WAN 优化所需要。

集多种安全功能于一体FortiGate3950系列采用了FortiOS 作为操作系统，融合了多种安全技术与网络功能，能够有效发现和阻断各种复杂的攻击行为。

无论是把该设备作为高性能的防火墙使用，还是作为全面的安全解决方案，它都能胜任并且有效地保护用户的网络。

Fortinet防火墙产品WEB 易用性分析报告作者：车永龙部门：联想网御新技术研究所日期：2009-11-17第一部分FortiGate产品介绍FortiGate系列安全网关产品简介：Fortinet的屡获殊荣的FortiGate系列，是采用ASIC加速的UTM解决方案，可以有效地防御网络层和容层的攻击。

FortiGate解决方案能够发现和消除多层的攻击，比如病毒、蠕虫、入侵、以及Web恶意容等等实时的应用，而不会导致网络性能下降。

它所涉及到的全面的安全体系是涵盖防病毒/反垃圾、防火墙、VPN、入侵检测和防御、反垃圾和流量优化。

除了FortiGate以外，Fortinet 还提供FortiMail这样的安全的解决方案，和终端、智能手机安全的FortiClient。

FortiManager和FortiAnalyzer可以实现集中的管理、日志和报表等功能。

FortiGuard升级服务是由Fortinet的专业团队进行维护和升级的，它为新发现和爆发的病毒提供及时、高效的解决方案。

飞塔系列安全网关产品的主要功能包括：第二部分飞塔防火墙产品易用性分析本文将以飞塔防火墙的WEB配置为蓝本，以典型模块为单位将该产品跟我司KingGuard产品在WEB易用性方面进行详尽的比较，以期在对比中挖掘出友商产品的WEB 易用性优点，供研发人员借鉴。

第一节防火墙模块WEB UI易用性分析1 特性简介防火墙模块其实是各个厂商公共的模块，包含的模块其实也较为固定，一般分为，包过滤防火墙，状态防火墙，NAT，诞生于防火墙却衍生为公共模块的访问控制列表，还有IP-MAC绑定等。

飞塔防火墙菜单下包括了资源定义，防火墙策略，虚拟ip（NAT）及保护容表。

以上两图是分别从飞塔跟我司的设备WEB界面上截取的防火墙模块菜单。

具体的分析将在下文中详细阐述。

2 各模块WEB易用性分析2.1策略（对应我司防火墙策略，也是所谓的五元组包过滤）该模块大家叫法不一其实就是所谓的五元组包过滤。