
External Security Devices to The Gate

FortiWeb

To be able to offload HTTP inspection to a FortiWeb device you should:

1. Go to System > External Security Devices, enable HTTP Service, select FortiWeb and add the IP address of your FortiCache device.

2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Application Firewall. When you add Web Application Firewall to a firewall policy, web traffic accepted by the policy is offloaded to the FortiWeb device for processing.

 

Enabling FortiWeb on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    set service-id 51
    set router-id 5.5.5.5                       (the IP address of the FortiGate interface that communicates with the FortiWeb)
    set group-address 0.0.0.0
    set server-list 5.5.5.25 255.255.255.255    (the IP address of the FortiWeb)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end

 

FortiCache

To be able to offload Web Caching to a FortiCache device you should:

1. Go to System > External Security Devices, enable HTTP Service, select FortiCache and add the IP address of your FortiCache device.

2. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Cache.

When you add web caching to a firewall policy, web traffic accepted by the policy is offloaded to the FortiCache device for processing.

Enabling FortiCache on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    set service-id 51
    set router-id 5.5.5.5                       (the IP address of the FortiGate interface that communicates with the FortiCache)
    set group-address 0.0.0.0
    set server-list 5.5.5.45 255.255.255.255    (the IP address of the FortiCache)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end

 

FortiMail

To be able to offload Anti-Spam processing to a FortiMail device you should:

1. Go to System > Feature Select and turn on AntiSpam Filter.

2. Go to System > External Security Devices, enable SMTP Service – FortiMail and add the IP address of your FortiMail device.

3. Go to Security Profiles > Anti-Spam and edit an Anti-Spam profile and set Inspection Device to External.

4. Go to Policy & Objects > IPv4 Policy, add or edit a Firewall policy, enable AntiSpam and select the profile for which you set Inspection Device to External.

When you add this Anti-Spam profile to a firewall policy, email traffic accepted by the policy is offloaded to the FortiMail device for processing.

If your FortiGate or VDOM inspection mode is set to flow-based, you must use the CLI to set an Anti-Spam profile to external mode and add the Anti-Spam profile to a firewall policy.

 

Enabling FortiMail on the External Security Devices page adds the following configuration to the CLI:

config system wccp
    set service-id 52
    set router-id 5.5.5.5                       (the IP address of the FortiGate interface that communicates with the FortiMail)
    set group-address 0.0.0.0
    set server-list 5.5.5.65 255.255.255.255    (the IP address of the FortiMail)
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end
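The three wccp blocks above differ only in service-id and the server-list address, which makes them easy to mix up when typed by hand or when checking a running configuration. The following Python checker is an added example, not Fortinet's code or the page's: it parses a `config system wccp` block in the form shown above into a dict and reports where it differs from the service-id, router-id and server-list expected for a given device, and it reports whether the block leaves WCCP authentication disabled, as the generated configuration on this page does. The sample block is constructed here to mirror the FortiWeb block (the 5.5.5.5 and 5.5.5.25 addresses are the page's); the parser's handling of `edit`, `next` and `unset` lines is an assumption about real CLI output, not something the page shows.

```python
import ipaddress

# Constructed sample: mirrors the FortiWeb block on this page (addresses are the page's).
SAMPLE_WCCP_BLOCK = """\
config system wccp
    set service-id 51
    set router-id 5.5.5.5
    set group-address 0.0.0.0
    set server-list 5.5.5.25 255.255.255.255
    set authentication disable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
end
"""


def parse_config_block(text):
    """Collect the 'set <key> <values...>' lines of a FortiOS 'config ... end' block.

    Returns {key: [value tokens]}. Nesting depth is tracked only to reject an
    unbalanced block; 'edit', 'next' and 'unset' lines are accepted and skipped
    (assumption about CLI output beyond what the page shows).
    """
    settings = {}
    depth = 0
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        head = tokens[0]
        if head == "config":
            depth += 1
        elif head == "end":
            depth -= 1
            if depth < 0:
                raise ValueError("'end' without a matching 'config'")
        elif head == "set":
            if depth == 0 or len(tokens) < 3:
                raise ValueError(f"malformed set line: {raw.strip()!r}")
            settings[tokens[1]] = tokens[2:]
        elif head not in ("edit", "next", "unset"):
            raise ValueError(f"unexpected line: {raw.strip()!r}")
    if depth != 0:
        raise ValueError("block is missing a closing 'end'")
    return settings


def check_offload(settings, service_id, router_id, server_ip):
    """Compare a parsed block against the offload settings the page describes.

    Returns a list of human-readable mismatches; an empty list means the block
    matches: service-id, router-id, a /32 server-list entry, GRE both ways, HASH.
    """
    ipaddress.ip_address(router_id)   # fail early on a typo in the expected values
    ipaddress.ip_address(server_ip)
    expected = {
        "service-id": [str(service_id)],
        "router-id": [router_id],
        "server-list": [server_ip, "255.255.255.255"],
        "forward-method": ["GRE"],
        "return-method": ["GRE"],
        "assignment-method": ["HASH"],
    }
    findings = []
    for key, want in expected.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key} missing")
        elif got != want:
            findings.append(f"{key}: expected {' '.join(want)}, found {' '.join(got)}")
    return findings


def redirect_is_unauthenticated(settings):
    """True when the block disables WCCP authentication, as the page's generated config does."""
    return settings.get("authentication") == ["disable"]


if __name__ == "__main__":
    parsed = parse_config_block(SAMPLE_WCCP_BLOCK)
    print(check_offload(parsed, 51, "5.5.5.5", "5.5.5.25"))   # [] for the FortiWeb block
    print(check_offload(parsed, 52, "5.5.5.5", "5.5.5.65"))   # mismatches against the FortiMail values
    print(redirect_is_unauthenticated(parsed))                 # True
```

Run it against the text of `show system wccp` from the FortiGate with the service-id and addresses of the device you expect; a non-empty list means the offload block on the box is not the one the page says the GUI generates, and `redirect_is_unauthenticated` tells you whether the redirect to the external device is running without WCCP authentication.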

 

Selecting External in the Anti-Spam profile adds the following configuration to the CLI:

config spamfilter profile
    edit default
        set external enable
end

 

Web Application Firewall

Go to Security Profiles > Web Application Firewall. From here you can customize the default Web Application Firewall profile, or create new profiles, to protect against a variety of web-based threats. Web Application Firewall profiles can be created with a variety of options (Signatures and Constraints), similar to other security profiles.

 

You can set the Web Application Firewall to use an External Security Device, such as FortiWeb, by setting Inspection Device to External.

 

Selecting External in the Web Application Firewall profile adds the following configuration to the CLI:

config waf profile
    edit default
        set external enable
end

 

You must add the Web Application Firewall profile to a firewall policy in order for that traffic to be offloaded to the External Security Device for processing.

 

If your FortiGate or VDOM inspection mode is set to flow-based, you must use the CLI to set a Web Application Firewall profile to external mode and add the Web Application Firewall profile to a firewall policy.

 

For more information on this configuration and others, see the FortiWeb Administration Guide.

 

CPU allocation and tuning commands to survive reboot

CPU affinity, whereby a process will execute on a specific CPU, can be changed so it survives a reboot.

 

CLI Syntax:

config system global
    set av-affinity xxxxxxxx_xxxxxxxx
    set ips-affinity xxxxxxxx_xxxxxxxx
    set miglog-affinity xxxxxxxx_xxxxxxxx
end

av-affinity: Affinity setting for AV scanning (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx).

ips-affinity: Affinity setting for IPS (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx; the number of allowed CPUs must be less than the total number of IPS engine daemons). This option is only available if the FortiGate includes NP6 processors and supports NTurbo.

miglog-affinity: Affinity setting for logging (64-bit hexadecimal value in the format xxxxxxxx_xxxxxxxx).
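Writing the xxxxxxxx_xxxxxxxx value by hand is error-prone, and the ips-affinity constraint (fewer allowed CPUs than IPS engine daemons) is easy to overlook. The helpers below are an added example, not Fortinet's code: they build a mask from a list of CPU indices, decode a mask back into CPU indices, apply the ips-affinity constraint stated above, and render the `config system global` block shown on this page. The mask format is the page's; that bit n of the mask means "CPU n may run the process" is the usual meaning of an affinity bitmask and is assumed here.

```python
"""Helpers for the av-affinity / ips-affinity / miglog-affinity masks (added example)."""


def affinity_mask(cpus):
    """Return the xxxxxxxx_xxxxxxxx mask with bit n set for each CPU index n.

    Assumption: bit n set means CPU n is allowed (standard affinity-bitmask meaning).
    """
    value = 0
    for cpu in cpus:
        if not 0 <= cpu < 64:
            raise ValueError(f"CPU index {cpu} does not fit a 64-bit mask (0-63)")
        value |= 1 << cpu
    # High 32 bits, underscore, low 32 bits, each as 8 lowercase hex digits.
    return f"{value >> 32:08x}_{value & 0xFFFFFFFF:08x}"


def cpus_from_mask(mask):
    """Inverse of affinity_mask: the sorted CPU indices a mask string allows."""
    hi, sep, lo = mask.partition("_")
    if sep != "_" or len(hi) != 8 or len(lo) != 8:
        raise ValueError(f"{mask!r} is not in xxxxxxxx_xxxxxxxx format")
    value = (int(hi, 16) << 32) | int(lo, 16)   # int(..., 16) rejects non-hex digits
    return [n for n in range(64) if value >> n & 1]


def ips_affinity_is_valid(mask, ips_engine_daemons):
    """The page's constraint for ips-affinity: allowed CPUs must be fewer than the IPS engine daemon count."""
    return len(cpus_from_mask(mask)) < ips_engine_daemons


def affinity_commands(av=None, ips=None, miglog=None):
    """Render the 'config system global' block from the page for the given CPU lists.

    A None argument leaves that setting alone (no 'set' line is emitted for it).
    """
    lines = ["config system global"]
    for key, cpus in (("av-affinity", av), ("ips-affinity", ips), ("miglog-affinity", miglog)):
        if cpus is not None:
            lines.append(f"    set {key} {affinity_mask(cpus)}")
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example: AV scanning on CPUs 0-3, logging on CPUs 32-33, IPS left as is.
    print(affinity_commands(av=[0, 1, 2, 3], miglog=[32, 33]))
    print(cpus_from_mask("00000003_0000000f"))   # [0, 1, 2, 3, 32, 33]
```

Because the setting survives a reboot, it is worth checking the decoded CPU list against the box's actual core count before committing it: a mask that names CPUs the platform does not have, or an ips-affinity mask that fails the daemon-count constraint, is the kind of mistake that only shows up as a performance problem later.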