FortiWeb WAF

Student Lab Guide


FortiWeb 5.8.1

899 Kifer Road


Sunnyvale, CA 94086
Tel: +1-408-235-7700
Fax: +1-408-235-7737 www.fortinet.com
Lab Exercises
FortiWeb
Contents
Introduction
Prerequisites
Connectivity Diagram
Lab 1: Initial Setup
Exercise 1: Configure Webservers
Exercise 2: Configuring Initial FortiWeb Device Settings
Exercise 3: Accessing the Web UI
Lab 2: Configuring FortiWeb Policies and Profiles
Exercise 1: Configuring Application Load Balancing
Exercise 2: Activating a Load Balancing Configuration
Exercise 3: SSL Offloading
Lab 3: Cross-Site Scripting
Exercise 1: Executing XSS and SQL Injection Attacks
Exercise 2: Detecting and Blocking XSS Attacks
Lab 4: DoS
Exercise 1: Executing a DoS Attack
Exercise 2: Configuring and Testing DoS Protection
Lab 5: Auto Learning
Exercise 1: Creating an Auto Learning Profile
Exercise 2: Generating HTTP Traffic
Exercise 3: Analyzing the Auto Learn Results
Lab 6: Web Vulnerability Scan
Exercise 1: Creating a Scan Profile
Exercise 2: Performing the Scan and Analyzing Reports
Lab 7: Anti-Defacement
Lab 8: Virtual Patching
Final: Shutting Down Everything

Introduction
This document is intended to give the SE a tool to show Customers and Partners
the main functionalities of Fortinet devices using virtual machines. It contains
several step-by-step exercises to configure and set up all the devices and to
demonstrate them to the customer.

This document includes FortiWeb.

Prerequisites
Load the ESX-Labs package into your Fusion or VMware Player/Workstation.

Edit the ESX-Labs network adapter so that it is connected to a bridged vmnet.

Check the IP address your ESXi server received from DHCP. This IP will be
referred to as ESX-IP in this document:

Open it in a web browser and log in as root with password fortinet.

Start the SET-Linux server, then connect to it with user fortinet and password
fortinet.

TIP: if you have any problem with the ESX web GUI, right-click the SET-Linux
VM and select Console > Launch Remote Console.

Open the Linux Terminal and execute the following commands there:

sudo su
cd /root/scripts
./Deploy.sh ESX-IP fwb.conf

Example:

root@SET-Linux:# sudo su
root@SET-Linux:# [sudo] password for fortinet: fortinet
root@SET-Linux:# cd /root/scripts/
root@SET-Linux:# ./Deploy.sh 192.168.10.128 fwb.conf
root@SET-Linux:#

If this is the first installation, just select y for all options and wait for the
deployment of all VMs, which can take some minutes.

If for some reason you want to reinstall just one VM, delete it, then run the same
script again, this time choosing n for every VM except the one you want to reinstall.

Connectivity Diagram

In our lab, SET-Linux has two interfaces, one getting its IP from DHCP and
another defined locally.

FortiWeb has three interfaces; port1 is the one connected to the DHCP network and
is used only to allow administrative access to the GUI.

If by coincidence your local DHCP network is also 10.0.2.0/24, just change the
IPs indicated in the topology to another network of your choice, and remember
those IPs while doing this lab.

Lab 1: Initial Setup
Exercise 1: Configure Webservers

From the ESXi interface, open the WebServer1 VM console with user root and
password fortinet.

Type the following commands:

# ifconfig eth0 up 10.0.1.31 netmask 255.255.255.0 broadcast 10.0.1.255
# route add default gw 10.0.1.1

From the ESXi interface, open the WebServer2 VM console with user root and
password fortinet.

Type the following commands:

# ifconfig eth0 up 10.0.1.32 netmask 255.255.255.0 broadcast 10.0.1.255
# route add default gw 10.0.1.1

Exercise 2: Configuring Initial FortiWeb Device Settings

Turn on FortiWeb01 if it is not already on. At the CLI login prompt, log in with the
default username admin and no password.

Enter the following command to display system status information for the FortiWeb
device:

#get sys status

The output displays the FortiWeb unit's serial number, firmware build and
additional settings.

To configure a system hostname for the FortiWeb device enter the following
commands:
#config system global
(global)#set hostname FWB01
(global)#end

Verify the system interface configuration for port1 by entering the following
command:

#show system interface port1

You should notice that port1 is currently configured with the factory default IP
address of 192.168.1.99.

Change port1 to get its IP from DHCP, and configure static IP addresses for port2
(10.0.2.1) and port3 (10.0.1.1) by entering the commands below:

config system interface
    edit port1
        unset ip
        set mode dhcp
        set allowaccess ping http https ssh
    next
    edit port2
        set ip 10.0.2.1/24
        set allowaccess ping
    next
    edit port3
        set ip 10.0.1.1/24
        set allowaccess ping
end

Check the FortiWeb port1 IP received from DHCP. We'll refer to it as FWB-IP in
this document:

To change the admin timeout default value (in minutes), execute the following CLI
commands:

# config system global
(global)# set admintimeout 480
(global)# end

Exercise 3: Accessing the Web UI

The web UI on the FortiWeb unit can be accessed using a standard web browser.
For proper rendering and display of the graphical user interface, cookies and
JavaScript must be enabled.

Open a web browser and enter the FortiWeb port1 IP (FWB-IP):

Confirm any security warnings, which may be displayed.

Log in with the default username of admin (all lowercase) with no password.

Go to System > Maintenance > System Time and select the right time zone
according to your geographical location:

Click OK to save the change.

You have now completed the initial system configuration of your FortiWeb unit.
Explore the various menu items and screens available in the web UI to become
familiar with the overall layout and organization of system components.

Lab 2: Configuring FortiWeb Policies and Profiles


Objectives
In the lab environment, the FortiWeb unit is deployed in Reverse Proxy mode.
In the following exercises, you will configure a virtual server object on the FortiWeb
unit to perform application load balancing between the two web servers.

Exercise 1: Configuring Application Load Balancing

Go to Server Objects > Server > Virtual Server to define the Virtual IP address
used by the FortiWeb unit to fulfill requests for the web application.

Click Create new and configure the following settings:

Name: WebServer_VS
IP Address: 10.0.2.105/24
Interface: port2

Next you will configure the server pool and two real server entries. Go to Server
Objects > Server Pool and click Create New. Configure the following settings:

Name: WebServer_Real
Type: Reverse Proxy
Single Server/Server Balance: Server Balance
Server Health Check: HLTHCK_ICMP
Load Balancing Algorithm: Round Robin
Click OK.

Next, create the first real server entry with the following settings:

IP Address: 10.0.1.31
SSL: Unchecked
Port: 80
Weight: 1
Click OK to save the configuration.

Repeat the above step to create the second real server entry. Configure the
following settings:

IP Address: 10.0.1.32
SSL: Unchecked
Port: 80
Weight: 1
Click OK to save the configuration.

Exercise 2: Activating a Load Balancing Configuration

In this exercise, you will activate the Load Balancing configuration performed in
the previous exercise by selecting it within a Server Policy.

Go to Policy > Server Policy and click Create New. Configure the new Server Policy
rule as follows:

Policy Name: WebServer_LB_Policy
Deployment Mode: Single Server/Server Pool
Virtual Server: WebServer_VS
Server Pool: WebServer_Real
HTTP Service: HTTP
Leave all other parameters at their default values and click OK.

To test the load-balancing algorithm, open a web browser on SET-Linux and
connect several times, from different browser windows, to the Virtual IP:

http://10.0.2.105

Your browser should sometimes be served by WebServer1 and sometimes by
WebServer2.

To enable traffic logs, go to Log&Report > Log Config > Other Log Settings and
select Enable Traffic Log as shown below:

Connect to the virtual IP address over HTTP one more time. To track the path
taken by the HTTP request, go to Log&Report > Log Access > Traffic. The
following is displayed:

To verify the status of the real servers, go to System > Status > Policy Status and
check the Server Status widget.

If both real servers are active the following information should be displayed:

Exercise 3: SSL Offloading

With the load balancing configuration now in place, the next goal is to offload SSL
encryption/decryption from the web servers to the FortiWeb unit.

On the FortiWeb unit go to System > Certificates > Local and click Generate to
create a certificate signing request, then fill in the information:

Certificate Name: fwb_cert_yourname
Subject Information: ID Type Host IP
IP: 10.0.2.105

Download the request and give the file to the instructor to sign. Then click Import
and add the signed certificate:

Server Policy SSL offload

In order to apply SSL offloading, go to Policy > Server Policy > Server Policy and
make the following changes to the existing wg_LB policy:

HTTPS Service: HTTPS
Certificate: fwb_cert_yourname
Click OK.

The connection between the client and the FortiWeb unit is now secured. To
confirm this, connect to the Virtual IP address of the web server:

https://10.0.2.105

When the certificate warning message related to the certificate issuer (CA) is
displayed, click I Understand the Risks then click Add Exception and view the
certificate provided. You should notice that it is issued to the Common Name (CN)
of FortiWeb interface.

Click Close then click Confirm Security Exception to add a certificate exception
entry for this certificate. You should now be able to display the page secured.

Check that the connection to the real webserver is still using HTTP, since in Server
Objects > Server > Server Pool there are only HTTP real servers:

You can change the real servers to use SSL (just check this option; we won't test it
in this lab):

Now let's simulate a server failure. First go to System > Status > Policy Status and
check that both servers are responding:

Go to the ESX management console and shut down WebServer2:

Go to System > Status > Policy Status to see that WebServer2 is now
considered down.

Test access to http://10.0.2.105 and https://10.0.2.105 to check that the VIP still
works, forwarding traffic to the online web server only.
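The pool behaviour exercised above (Round Robin across the members, a failed health check removing a member, the VIP still answering while one server is up) can be modelled in a few lines. The following is an added illustration written for this guide, not FortiWeb code; the RealServer and ServerPool names, the weight handling and the distribute helper are assumptions made for the example.

```python
"""Model of a FortiWeb-style server pool: weighted round robin over the
members of a pool, skipping any member whose health check failed.
Added illustration for the lab; this is not FortiWeb code."""
from dataclasses import dataclass, field


@dataclass
class RealServer:
    ip: str
    port: int = 80
    weight: int = 1
    healthy: bool = True


@dataclass
class ServerPool:
    members: list
    _order: list = field(default_factory=list, init=False, repr=False)
    _next: int = field(default=0, init=False, repr=False)

    def __post_init__(self):
        self._rebuild()

    def _rebuild(self):
        # Expand weights: a member with weight 2 appears twice per cycle,
        # and members marked down are left out entirely.
        self._order = [m for m in self.members if m.healthy
                       for _ in range(m.weight)]
        self._next = 0

    def mark(self, ip, healthy):
        """Apply the result of a health check (HLTHCK_ICMP in the lab)."""
        for m in self.members:
            if m.ip == ip:
                m.healthy = healthy
        self._rebuild()

    def pick(self):
        """Member for the next new client connection, None if all are down."""
        if not self._order:
            return None
        m = self._order[self._next % len(self._order)]
        self._next += 1
        return m


def distribute(pool, n):
    """IPs chosen for n consecutive connections (None when no member is up)."""
    out = []
    for _ in range(n):
        m = pool.pick()
        out.append(m.ip if m else None)
    return out


if __name__ == "__main__":
    pool = ServerPool([RealServer("10.0.1.31"), RealServer("10.0.1.32")])
    print(distribute(pool, 4))        # alternates between the two servers
    pool.mark("10.0.1.32", False)     # WebServer2 shut down, ICMP check fails
    print(distribute(pool, 3))        # only WebServer1 is chosen
```

Marking a member down rebuilds the rotation rather than skipping it on the fly, which is why the weights in the rotation stay exact after a failover.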

Lab 3: Cross-Site Scripting

Objectives
In this lab, you will execute a stored cross-site scripting (XSS) attack against the
vulnerable web application. Up to this point FortiWeb has been configured NOT to
block attacks against the web server. Afterwards, you will configure the FortiWeb
device to detect and block the attack.

Exercise 1: Executing XSS and SQL Injection Attacks

From SET-Linux, connect to the website by browsing to the following URL:

http://10.0.2.105

To test the XSS attack, go to the Guestbook section and type the following text
into the form:

Name: Whatever
Message: <script>alert('Not Secure')</script>

Click the Guestbook menu again. You'll see a prompt like this:

We are executing the script inside the web page.

This is an example of stored XSS.

To test the SQL Injection, go to the Acesso Cliente Section and fill with the
following ID:

admin'or'x'='x

Now you can see all available IDs on the database:

Exercise 2: Detecting and Blocking XSS Attacks

Perform the steps below to use the FortiWeb unit to detect and block cross-site
scripting attacks like the one you executed above.

Server Protection Rule

Perform the steps below to create a server protection rule that will prevent
cross-site scripting. Go to Web Protection > Known Attacks > Signatures and click
Create New. Configure the following settings:

Name: xss
Cross Site Scripting: Checked
Action: Alert & Deny
Severity: High

Leave all other parameters at their default values and click OK.

To create a protection profile, go to Policy > Web Protection Profile > Inline
Protection Profile and click Create New. Configure the following settings:

Name: xss_profile
Known Attacks > Signatures: xss

Leave all other parameters at their default values then click OK.

Server Policy

Next go to Policy > Server Policy and edit the existing policy
(WebServer_LB_Policy). Configure the settings below to identify the traffic you
wish to protect against XSS:

Deployment Mode: Single Server/Server Pool
Virtual Server: WebServer_VS
Physical Server: WebServer_Real
HTTP Service: HTTP
Web Protection Profile: xss_profile

Click OK.

XSS Prevention

Access the WebServer vulnerable web application by connecting to the following
URL:

http://10.0.2.105

Clear the WebServer database by going to Setup > Reset Database. This deletes
the entries previously inserted by the XSS attack.

Repeat the steps performed in Exercise 1 to run another attack against the web
page. Go to the Guestbook section, and type the following text:

Name: Whatever
Message: <script>alert('Not Secure')</script>

The FortiWeb unit will block your access to the web page.

XSS Attack Log

Observe the entry for this attack in the Attack log, and check the details:

Test the SQL injection attack again. Go to the Acesso Cliente section and fill in
the following value:

ID: admin'or'x'='x
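To make the Alert & Deny decision of the xss signature rule concrete, here is a small signature-style inspector run over the two payloads used in this lab and over a couple of harmless guestbook entries. It is an added example written for this guide, not FortiWeb's signature engine: the SIGNATURES patterns are constructed for illustration and cover only the lab payloads (FortiWeb ships its own signature database), and the form bodies are constructed sample input.

```python
"""Minimal signature-style inspector in the spirit of the lab's 'xss' rule:
each request parameter is decoded, matched against a few patterns, and the
verdict is Alert & Deny on a hit. Added illustration, not FortiWeb's engine."""
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed patterns for this example only; a real WAF signature set is
# far larger. These cover the two payloads used in the lab.
SIGNATURES = {
    "xss": re.compile(
        r"<\s*script\b|\bon(?:load|error|click|mouseover)\s*=|javascript\s*:",
        re.I),
    "sqli": re.compile(
        r"(?:'|\")\s*(?:or|and)\s*(?:'|\")?\w*(?:'|\")?\s*=", re.I),
}


def normalize(value):
    """Undo URL and HTML entity encoding before matching, repeating until the
    value stops changing so that double-encoded input is seen in the clear."""
    prev, cur = None, value
    while prev != cur:
        prev = cur
        cur = html.unescape(unquote_plus(cur))
    return cur


def inspect(body):
    """Inspect a form body. Returns (verdict, hits) where verdict is 'pass'
    or 'alert_deny' and hits lists (signature, parameter) pairs."""
    hits = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            decoded = normalize(v)
            for sig, rx in SIGNATURES.items():
                if rx.search(decoded):
                    hits.append((sig, name))
    return ("alert_deny" if hits else "pass", hits)


if __name__ == "__main__":
    # Constructed bodies: the lab's guestbook post and the Acesso Cliente ID.
    samples = [
        "name=Whatever&message=%3Cscript%3Ealert('Not+Secure')%3C/script%3E",
        "id=admin'or'x'='x",
        "name=Alice&message=Hello+there",
    ]
    for body in samples:
        print(body, "->", inspect(body))
```

The normalize step is the part worth keeping in mind when reading the attack log: a signature that is only matched against the raw, still-encoded parameter misses the same payload sent as HTML entities or double URL-encoded.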

Lab 4: DoS

Objectives

You will configure and test a DoS protection policy to block a DoS attack.

Exercise 1: Executing a DoS Attack

In this exercise, you will bring down one of the web servers by executing a DoS
attack against it.

Go to Policy > Server Policy, edit the WebServer_LB_Policy rule and remove the
Web Protection Profile setting. We are doing this to see the results of the
attack when no protection is applied by FortiWeb.

Connect to the SET-Linux and execute the following tool to generate a Slow POST
attack against 10.0.2.105 - the virtual IP that points to servers:

slowhttptest c 40000 r 200 r 1000 s 10000000 x 1024 u http://10.0.2.105

The Slow POST attack will start and you should see a new window showing
increasing counters for the number of connections attempted, active connections
and connections failed. A Slow POST attack sends many partial POST bodies while
keeping all the connections open; the connections are kept alive by sending
another small piece of the body at regular intervals. This attack can eventually
make a web service unresponsive by consuming all the available resources on the
server.

While the attack is running, try to connect several times to the web server at
http://10.0.2.105. At some point, connection attempts from your browser will start
to fail because the attack has successfully brought down the web service.

Go to the FortiWeb System > Status > Policy Status page to check the number of
concurrent connections to the web server:

Cancel the attack on the slowhttptest tool.

Exercise 2: Configuring and Testing DoS Protection

In this exercise, you will configure a DoS Protection Policy. You will then perform
the DoS attack again and verify that the source IP address of the attacker has been
blocked by the FortiWeb.

Create HTTP Access Limit rule

Go to DoS Protection > Network > TCP Flood Prevention and click on Create New.
Configure the settings below:

Name: TCP_Flood
TCP Connection Number Limit: 10
Action: Period Block
Severity: Medium
Block Period: 60
Click OK.

Create DoS Protection Policy

Go to DoS Protection > DoS Protection Policy and click on Create New.

Configure the setting below:

Name: DoS_Policy
HTTP Session Based Prevention: Unchecked
HTTP DoS Prevention: Checked
HTTP Access Limit: Please Select (not selected)
TCP Flood Prevention: TCP_Flood

Click OK.

Create the Web Protection Profile

Go to Policy > Web Protection Profile > Inline Protection Profile and click on the
existing profile with the name xss_profile.

Enable Session Management and select DoS_Policy for the DoS Protection
setting. Leave all other parameters at their default values, and then click OK.

Apply the Web Protection Profile to the Server Policy

Go to Policy > Server Policy and edit the WebServer_LB_Policy

Set the Web Protection Profile to xss_profile.

Execute the same DoS attack again with slowhttptest.

You should see a new window showing increasing counters for the number of
connections attempted, active connections and connections failed.

Also, while the attack is running, check that you can still access the web server
from your laptop:

http://10.0.2.105

Wait until the tool finishes running. The statistics should be like below:

The tool attempted 4000 connections. Only the first 10 (the threshold defined in
the rule) were allowed by the FortiWeb. The other 3950 attempts were blocked.

Go to Log&Report > Monitor > Blocked IPs and check that the IP address has
indeed been blacklisted by the FortiWeb:

The IP address will stay blacklisted for 60 seconds (the Block Period) after the
attack. During that time, any HTTP/S connection attempt from that IP address will
be rejected. You can manually remove an IP address from the Blocked IPs list by
clicking the trash bin icon.
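The counting behind the TCP_Flood rule (at most 10 concurrent connections per source, then a Period Block of 60 seconds and a Medium severity attack log entry) is simple enough to replay against a stream of connection events. The following is an added simulation written for this guide, not FortiWeb code; the TcpFloodGuard class, the 'open'/'close' event names, the log record layout and the replay helper are all assumptions made for the example, and the source addresses are constructed.

```python
"""Simulation of the lab's TCP Flood Prevention rule: at most 10 concurrent
TCP connections per source IP; a source that tries to exceed the limit is put
on the blocked list for 60 seconds (Period Block). Added illustration, not
FortiWeb code; the event format and log record are constructed."""
from collections import defaultdict

CONN_LIMIT = 10      # TCP Connection Number Limit from the lab rule
BLOCK_PERIOD = 60    # Block Period in seconds


class TcpFloodGuard:
    def __init__(self, limit=CONN_LIMIT, block_period=BLOCK_PERIOD):
        self.limit = limit
        self.block_period = block_period
        self.active = defaultdict(int)   # src ip -> currently open connections
        self.blocked_until = {}          # src ip -> time the block expires
        self.log = []                    # attack log entries (constructed layout)

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, 0) > now

    def unblock(self, src):
        """Manual removal, like the trash bin icon under Monitor > Blocked IPs."""
        self.blocked_until.pop(src, None)

    def handle(self, event, src, now):
        """event is 'open' or 'close'; returns 'allow' or 'block'."""
        if event == "close":
            self.active[src] = max(0, self.active[src] - 1)
            return "allow"
        if self.is_blocked(src, now):
            return "block"                    # still inside the Block Period
        if self.active[src] >= self.limit:
            # Limit reached: period-block the source and log once.
            self.blocked_until[src] = now + self.block_period
            self.log.append({"time": now, "src": src, "rule": "TCP_Flood",
                             "action": "period_block", "severity": "medium"})
            return "block"
        self.active[src] += 1
        return "allow"


def replay(guard, attempts, src, start=0.0):
    """Open `attempts` connections from one source without closing any, which
    is what a slow-POST tool does. Returns (allowed, blocked)."""
    allowed = blocked = 0
    for i in range(attempts):
        if guard.handle("open", src, start + i * 0.001) == "allow":
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    guard = TcpFloodGuard()
    print(replay(guard, 4000, "10.0.2.50"))   # constructed attacker address
    print(guard.log)
    print(replay(guard, 3, "10.0.2.20"))      # a normal client is unaffected
```

Note that the connections opened before the limit was hit stay counted as active; once the Block Period expires, the next attempt from the same source trips the limit again unless those connections have closed, which matches what the Blocked IPs monitor shows for a long-running tool.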

Go to Log&Report > Log Access > Attack and check the log generated after the
attack:

Lab 5: Auto Learning

Objectives
In this lab, you will use the Auto Learn functionality to monitor HTTP sessions and
create ad hoc profiles to protect the back-end web server.

Exercise 1: Creating an Auto Learning Profile

Go to Policy > Web Protection Profile > Inline Protection Profile and edit the
xss_profile. Verify that Session Management is enabled.

Leave all other parameters at their actual values then click OK.
To optimize the learning process, it is recommended to fine tune the default Data
Type Group and Suspicious URL auto-learning settings. The steps included in the
sections below will guide you through this process.

Data Type Group

Go to Auto Learn > Predefined Pattern > Data Type Group and select the check
box for predefine-data-type-group. Click Clone and configure the following
settings:

Name: autolearn_data_type_group
Click OK.

Next, edit autolearn_data_type_group and uncheck the following:

US Zip Code
US State Name and Abbrev.
Canadian Post Code
CA Province Name and Abbrev.
Country Name and Abbrev.
China Post Code
US Social Security Number
Canadian Social Insurance Number

Leave all other parameters at their default values then click OK.

Suspicious URL Rule

Go to Auto Learn > Predefined Pattern > Suspicious URL and select the checkbox
for predefine-suspicious-url-rule. Click on Clone and configure the following
settings:

Name: autolearn_suspicious_url
Server Type: All (all types selected)
Click OK.

Next, edit autolearn_suspicious_url and check the server types that are selected.
Leave all parameters at their default values and click OK.

Auto Learning Profile

Next you will create an auto learn profile to group the new auto-learning objects
created above. Go to Auto Learn > Auto Learn Profile and click Create New.
Configure the following settings:

Name: autolearn_profile
Data Type Group: autolearn_data_type_group
Suspicious URL: autolearn_suspicious_url_rule

Leave all other parameters at their default values and click OK.

Server Policy

Go to Policy > Server Policy > Server Policy and edit the policy called
WebServer_LB_Policy:

Deployment Mode: Single Server/Server Pool
Virtual Server: WebServer_VS
Server Pool: WebServer_Real
HTTP Service: HTTP
Web Protection Profile: xss_profile
Auto Learn Profile: autolearn_profile
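The Data Type Group attached to the auto-learning profile is what lets FortiWeb learn, per URL and parameter, which kind of value legitimate traffic carries. The toy below shows that idea end to end: observe requests, infer the widest data type each parameter took, then flag later requests that no longer fit. It is an added illustration written for this guide, not FortiWeb's auto-learn engine; the four-entry DATA_TYPES table, the AutoLearner class and the sample requests are all constructed for the example.

```python
"""Toy of the auto-learning idea: watch parameter values per URL, infer the
narrowest data type each one takes (from a small data-type group), then flag
requests whose values no longer fit the learned type. Added illustration,
not FortiWeb's auto-learn engine; the traffic below is constructed."""
import re
from collections import defaultdict

# Ordered from most to least specific; stands in for a Data Type Group.
DATA_TYPES = [
    ("integer",  re.compile(r"^-?\d+$")),
    ("email",    re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")),
    ("alphanum", re.compile(r"^[A-Za-z0-9_-]+$")),
    ("text",     re.compile(r"^[^<>\"']*$")),   # free text without tag/quote chars
]
ORDER = [name for name, _ in DATA_TYPES] + ["unknown"]


def classify(value):
    """Most specific data type the value matches, 'unknown' if none."""
    for name, rx in DATA_TYPES:
        if rx.match(value):
            return name
    return "unknown"


class AutoLearner:
    def __init__(self):
        self.seen = defaultdict(lambda: defaultdict(set))  # url -> param -> types

    def observe(self, url, params):
        """Record one request. Values hitting an attack signature should be
        kept out of learning, which is why the lab keeps xss_profile active."""
        for k, v in params.items():
            self.seen[url][k].add(classify(v))

    def profile(self):
        """Learned type per url/param: the widest type observed, since the
        generated rule must accept everything legitimate traffic did."""
        return {url: {p: max(types, key=ORDER.index) for p, types in ps.items()}
                for url, ps in self.seen.items()}


def check(profile, url, params):
    """Violations for a request as (param, learned_type, observed_type);
    a value is a violation when it is wider than what was learned."""
    learned = profile.get(url, {})
    bad = []
    for k, v in params.items():
        want = learned.get(k)
        got = classify(v)
        if want is not None and ORDER.index(got) > ORDER.index(want):
            bad.append((k, want, got))
    return bad


if __name__ == "__main__":
    al = AutoLearner()
    al.observe("/dvwa/vulnerabilities/sqli/", {"id": "1"})
    al.observe("/dvwa/vulnerabilities/sqli/", {"id": "42"})
    al.observe("/guestbook", {"name": "Alice", "message": "Hello there"})
    p = al.profile()
    print(p)
    print(check(p, "/dvwa/vulnerabilities/sqli/", {"id": "admin'or'x'='x"}))
```

The direction of the comparison matters: learning a parameter as "integer" and later seeing free text is a violation, while learning "text" and seeing a bare number is not, because the narrower value is still within what the rule accepts.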

Exercise 2: Generating HTTP Traffic

From the SET-Linux, open a terminal. Run the installed nikto Perl script against
the virtual IP address as indicated below:

sudo su
nikto -h 10.0.2.105 -C all

The nikto script is an open source web server scanner, which performs network
security assessment.

Exercise 3: Analyzing the Auto Learn Results

Once the scan has completed, go to Auto Learn > Auto Learn Report. Select the
checkbox for the WebServer_LB_Policy report and click View to analyze the
report.

Pay attention to the attacks counted. In a later exercise, we will see how the
learned information can be used to configure protection settings against this type
of attack.

Change the Action to Alert & Deny for Generic Attacks, Known Exploits and
Bad Robot.

Customizing Reports

From the Auto Learn Report page the administrator can customize various fields
including:
Protected Servers
Attacks (Server Protection Rules)
HTTP Methods
URL Access Rules
URL Start Page

This information will be used to generate the inline or offline protection profiles.
Click Visits and scroll through the various settings described above.

Profile Generation

To generate an Auto Learn Inline Protection Profile, click Generate Config and
configure the following settings:

Profile Name: auto-attack
Profile Type: Inline
Click OK.

Go to Web Protection > Known Attacks > Signatures and edit the auto-attack
entry. Change the Known Exploits, Generic Attacks and Bad Robot actions to Alert
& Deny.

Modify Server Rule

To prevent those attacks, you will now modify the server policy to apply the web
protection profile generated from the Auto Learn report.

Go to Policy > Server Policy >Server Policy and edit the policy
WebServer_LB_Policy. From the Web Protection Profile drop down select the
automatically generated auto-attack protection profile. Leave all other
parameters at their default values and click OK.

Next go to Auto Learn > Auto Learn Report > Auto Learn Report. Select the
checkbox for the existing report and click Clean Data to clear the auto learn report.

Generate Traffic

Run the nikto test again against the configured virtual IP.

nikto -h 10.0.2.105 -C all

Analyze the Attacks section of the auto learning report. You should observe that
there are no longer detected Known Exploits and Generic Attacks as indicated
below:

They have all been blocked by the configured auto-attack web protection profile.

PS: the nikto tool can try different attacks every time you run it, which may cause
new attacks to show up in the report. You might want to run it multiple times to
get more thorough tests and consequently better reports.

Lab 6: Web Vulnerability Scan

Objectives
In this lab, you will perform a vulnerability assessment of the web server's
application to comply with PCI DSS A6. All software should be up to date, including
all code libraries used by the application.

Exercise 1: Creating a Scan Profile

Go to Web Vulnerability Scan > Web Vulnerability Scan Profile. Click Create New
and configure the following parameters for your vulnerability assessment:

Name: web_scan
Hostname: http://10.0.1.31/dvwa
Scan: select all
Scan Mode: Enhanced Mode
Request Timeout: 30
Delay Between Each Request: 0

Scan Policy

To define the Vulnerability Scan profile to use go to Web Vulnerability Scan > Web
Vulnerability Scan Policy and click Create new. Define the type of scan and the
format of the report as follows:

Name: wscan_policy
Type: Run Now
Profile: web_scan
Report Format: HTML, PDF
Click OK.

Exercise 2: Performing the Scan and Analyzing Reports

The scan should start automatically. However, if this is not the case, go to Web
Vulnerability Scan > Web Vulnerability Scan Policy then click on Start to start it
manually as indicated below:

Wait for the scan process to complete, then go to Web Vulnerability Scan > Scan
History to view the generated vulnerability scan report.

Click on the link to display the report in HTML format and analyze the results.

Navigate through the various report items to analyze the vulnerability scan results.

Lab 7: Anti-Defacement

Create a Defacement Profile

It takes some minutes for FortiWeb to connect to the server and fetch all files.
Check the connection status and the number of files copied.

Log in to WebServer1 and delete one file from the path /var/www. Wait a few
seconds and verify that FortiWeb detects the change and restores the file.

Click on the number under Total Changed:

Open a terminal in the WebServer1 and verify that the file was restored.
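What the anti-defacement profile does for /var/www (take a copy, hash the files, notice a deletion or modification, put the original back) can be reproduced locally to see the mechanism. The following is an added example written for this guide, not FortiWeb code: it works on a temporary directory created by the demo function, the baseline is a plain local copy rather than a fetch over FTP/SSH, and the function names are assumptions made for the example.

```python
"""File-integrity monitor with restore, after the idea of the lab's
anti-defacement feature: take a baseline of a web root, detect changed,
deleted or added files, and restore the baseline. Added illustration, not
FortiWeb code; the demo runs on a temporary directory it creates itself."""
import hashlib
import os
import shutil
import tempfile


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = _digest(full)
    return out


def take_baseline(web_root, backup_dir):
    """Copy the web root to backup_dir (FortiWeb fetches it from the server
    instead) and return the baseline hashes."""
    if os.path.exists(backup_dir):
        shutil.rmtree(backup_dir)
    shutil.copytree(web_root, backup_dir)
    return snapshot(backup_dir)


def check_and_restore(web_root, backup_dir, baseline):
    """Compare the live tree with the baseline; restore deleted or modified
    files from the backup and remove files that were added. Returns what
    changed, grouped by kind."""
    current = snapshot(web_root)
    report = {"deleted": [], "modified": [], "added": []}
    for rel, digest in baseline.items():
        live = os.path.join(web_root, rel)
        if rel not in current:
            report["deleted"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            continue
        os.makedirs(os.path.dirname(live), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), live)
    for rel in current:
        if rel not in baseline:
            report["added"].append(rel)
            os.remove(os.path.join(web_root, rel))
    return report


def demo():
    """Constructed scenario mirroring the lab: delete one file from the web
    root, tamper with another, and verify both come back. Returns
    (report, restored_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = os.path.join(tmp, "www")
        backup = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(web_root, "img"))
        with open(os.path.join(web_root, "index.html"), "w") as f:
            f.write("<h1>Welcome</h1>\n")
        with open(os.path.join(web_root, "img", "logo.txt"), "w") as f:
            f.write("logo\n")
        baseline = take_baseline(web_root, backup)
        os.remove(os.path.join(web_root, "index.html"))        # simulated deletion
        with open(os.path.join(web_root, "img", "logo.txt"), "w") as f:
            f.write("defaced\n")                                # simulated tampering
        report = check_and_restore(web_root, backup, baseline)
        restored_ok = snapshot(web_root) == baseline
        return report, restored_ok


if __name__ == "__main__":
    print(demo())
```

Hashing the whole tree on every pass is fine for a small site; for a large web root a production tool watches for change notifications instead and only re-hashes what moved, but the restore step is the same.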

Lab 8: Virtual Patching

For this lab, you need to upload an XML file from a third-party vulnerability
scanner, provided by the instructor.

Go to Web Vulnerability Scan > Scanner Integration and click on Scanner File
Import. Select Acunetix and upload the XML file.

Rule Name: Acunetix_Policy
Action High: Deny
Action Medium: Alert
Action Low: Alert

You will see all the rules and policies created based on the vulnerabilities
reported by the Acunetix vulnerability scanner.

Check where the generated policies are referenced in the Web Protection Profile.
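The import step above turns each scanner finding into a rule whose action follows the severity mapping you configured (High: Deny, Medium: Alert, Low: Alert). The following added example, written for this guide and not FortiWeb code, shows that mapping as a small rule generator. The SAMPLE_REPORT document is a constructed minimal schema invented for the demo and is not the real Acunetix report format; the rule record layout is likewise an assumption.

```python
"""Virtual-patching rule generator after the idea in Lab 8: read a scanner
report and emit one rule per finding, with the action chosen by severity.
Added illustration, not FortiWeb code. The XML below is a constructed
minimal schema for the demo, not the real Acunetix report format."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Severity -> action, as configured in the lab (High: Deny, Medium/Low: Alert)
SEVERITY_ACTION = {"high": "deny", "medium": "alert", "low": "alert"}

# Constructed sample report; the target paths follow the lab's DVWA host.
SAMPLE_REPORT = """<?xml version="1.0"?>
<report>
  <finding severity="High" name="SQL Injection">
    <url>http://10.0.1.31/dvwa/vulnerabilities/sqli/</url>
    <parameter>id</parameter>
  </finding>
  <finding severity="Medium" name="Reflected XSS">
    <url>http://10.0.1.31/dvwa/vulnerabilities/xss_r/</url>
    <parameter>name</parameter>
  </finding>
  <finding severity="Low" name="Directory listing">
    <url>http://10.0.1.31/dvwa/images/</url>
  </finding>
  <finding severity="Informational" name="Server banner">
    <url>http://10.0.1.31/</url>
  </finding>
</report>
"""


def parse_findings(xml_text):
    """Yield one dict per <finding>. The report crosses a trust boundary
    (it was produced elsewhere), so only the fields needed are read and
    the URL is reduced to its path component."""
    root = ET.fromstring(xml_text)
    for f in root.iter("finding"):
        yield {
            "name": f.get("name", ""),
            "severity": f.get("severity", "").lower(),
            "path": urlsplit(f.findtext("url", "")).path,
            "parameter": f.findtext("parameter"),   # None when not given
        }


def build_rules(xml_text, rule_name="Acunetix_Policy"):
    """Map findings to rules; severities without a configured action
    (e.g. informational) produce no rule."""
    rules = []
    for n, f in enumerate(parse_findings(xml_text), 1):
        action = SEVERITY_ACTION.get(f["severity"])
        if action is None:
            continue
        rules.append({
            "rule": f"{rule_name}_{n}",
            "path": f["path"],
            "parameter": f["parameter"],
            "action": action,
            "reason": f["name"],
        })
    return rules


if __name__ == "__main__":
    for r in build_rules(SAMPLE_REPORT):
        print(r)
```

A rule scoped to the exact path and parameter from the finding is the whole point of virtual patching: it blocks the reported input until the application itself is fixed, without touching the rest of the site.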

Final: Shutting Down Everything

To erase all labs and shut down the servers correctly, follow these steps:

Enter the SET-Linux VM console
Execute sudo /root/scripts/RestartESXLab.sh
Wait until it finishes
Execute init 0
At the ESX management GUI, check that SET-Linux is the only VM and that it is turned off
Right click the Host and select Shutdown
