Student Guide FortiWeb 5.8.1

May 5, 2021 | Author: Anonymous | Category: N/A

FortiWeb WAF Student Lab Guide FortiWeb 5.8.1

899 Kifer Road Sunnyvale, CA 94086 Tel: +1-408-235-7700 Fax: +1-408-235-7737

www.fortinet.com

Lab Exercises FortiWeb

Contents
    Introduction
    Prerequisites
    Connectivity Diagram
    Lab 1: Initial Setup
        Exercise 1: Configure Webservers
        Exercise 2: Configuring Initial FortiWeb Device Settings
        Exercise 3: Accessing the Web UI
    Lab 2: Configuring FortiWeb Policies and Profiles
        Exercise 1: Configuring Application Load Balancing
        Exercise 2: Activating a Load Balancing Configuration
        Exercise 3: SSL Offloading
    Lab 3: Cross-Site Scripting
        Exercise 1: Executing XSS and SQL Injection Attacks
        Exercise 2: Detecting and Blocking XSS Attacks
    Lab 4: DoS
        Exercise 1: Executing a DoS Attack
        Exercise 2: Configuring and Testing DoS Protection
    Lab 5: Auto Learning
        Exercise 1: Creating an Auto Learning Profile
        Exercise 2: Generating HTTP Traffic
        Exercise 3: Analyzing the Auto Learn Results
    Lab 6: Web Vulnerability Scan
        Exercise 1: Creating a Scan Profile
        Exercise 2: Performing the Scan and Analyzing Reports
    Lab 7: Anti Defacement
    Lab 8: Virtual Patching
    Final: Shutting Down Everything


Introduction

This document gives the SE a tool for showing Customers and Partners the main functionality of Fortinet devices running as virtual machines. It contains step-by-step exercises for configuring and setting up all the devices and for demonstrating them to the customer. This document covers FortiWeb.

Prerequisites

Load the ESX-Labs package into VMware Fusion or VMware Player/Workstation.

Edit the ESX-Labs network adapter so that it is connected to a bridged vmnet.


Check the IP address your ESXi server received from DHCP. This address is referred to as "ESX-IP" in this document:

Open it in a web browser and log in as root with the password fortinet. Start the SET-Linux server, then connect to it with the user fortinet and the password fortinet. TIP: if you have any problem with the ESXi web GUI, right-click the SET-Linux VM and select Console > Launch Remote Console.


Open the Linux terminal and execute the following commands:

    sudo su
    cd /root/scripts
    ./Deploy.sh ESX-IP fwb.conf

Example:

    fortinet@SET-Linux:~$ sudo su
    [sudo] password for fortinet: fortinet
    root@SET-Linux:~# cd /root/scripts/
    root@SET-Linux:/root/scripts# ./Deploy.sh 192.168.10.128 fwb.conf

If this is the first installation, answer "y" to all prompts and wait for the deployment of all VMs, which can take some minutes. If for some reason you want to reinstall only one VM, delete that VM and run the same script again, this time answering "n" for every VM except the one you want to reinstall.


Connectivity Diagram

In our lab, SET-Linux has two interfaces: one receives its IP from DHCP and the other is defined locally. FortiWeb has three interfaces: port1 is connected to the DHCP network only to allow administrative access to the GUI, port2 faces the client side (10.0.2.0/24) and port3 faces the web servers (10.0.1.0/24). If your local DHCP network happens to be 10.0.2.0/24 as well, change the IPs shown in the topology to another network of your choice, and remember those addresses while doing this lab.


Lab 1: Initial Setup

Exercise 1: Configure Webservers

From the ESXi interface, open the WebServer1 VM console and log in as root with the password fortinet. Type the following commands:

    # ifconfig eth0 up 10.0.1.31 netmask 255.255.255.0 broadcast 10.0.1.255
    # route add default gw 10.0.1.1

From the ESXi interface, open the WebServer2 VM console and log in as root with the password fortinet. Type the following commands:

    # ifconfig eth0 up 10.0.1.32 netmask 255.255.255.0 broadcast 10.0.1.255
    # route add default gw 10.0.1.1

The default gateway 10.0.1.1 is the FortiWeb port3 address configured in the next exercise. These settings are not persistent: if a web server VM is rebooted, enter them again.

Exercise 2: Configuring Initial FortiWeb Device Settings

Turn on FortiWeb01 if it is not already on. At the CLI login prompt, log in with the default username admin and no password. Enter the following command to display system status information for the FortiWeb device:

    # get sys status

The output displays the FortiWeb unit's serial number, firmware build and additional settings. To configure a system hostname for the FortiWeb device, enter the following commands:

    # config system global
    (global)# set hostname FWB01
    (global)# end


Verify the system interface configuration for port1 by entering the following command:

    # show system interface port1

You should notice that port1 is currently configured with the factory default IP address 192.168.1.99. Change port1 to obtain its IP from DHCP, and configure static IP addresses 10.0.2.1 for port2 and 10.0.1.1 for port3, by entering the commands below:

    config system interface
        edit port1
            unset ip
            set mode dhcp
            set allowaccess ping http https ssh
        next
        edit port2
            set ip 10.0.2.1/24
            set allowaccess ping
        next
        edit port3
            set ip 10.0.1.1/24
            set allowaccess ping
    end

Only port1, the management interface, exposes the web UI and SSH; port2 and port3 answer ping only. The lab also allows plain http on port1 for convenience; in a production deployment, allow only https and ssh on the management interface.

Check the FortiWeb port1 IP received from DHCP. It is referred to as FWB-IP in this document:

To change the admin timeout default value (in minutes), execute the following CLI commands:

    # config system global
    (global)# set admintimeout 480
    (global)# end

A timeout of 480 minutes (8 hours) avoids repeated logins during the lab; keep the default in production.

Exercise 3: Accessing the Web UI

The web UI on the FortiWeb unit can be accessed using a standard web browser. For proper rendering and display of the graphical user interface, cookies and JavaScript must be enabled. Open a web browser and enter the FortiWeb port1 IP (FWB-IP). Accept any security warnings that are displayed. Log in with the default username admin (all lowercase) and no password. Go to System > Maintenance > System Time and select the time zone matching your geographical location:

Click OK to save the change. You have now completed the initial system configuration of your FortiWeb unit. Explore the various menu items and screens available in the web UI to become familiar with the overall layout and organization of system components.

Lab 2: Configuring FortiWeb Policies and Profiles

Objectives

In the lab environment, the FortiWeb unit is deployed in Reverse Proxy mode. In the following exercises, you will configure a virtual server object on the FortiWeb unit to perform application load balancing between the two web servers.


Exercise 1: Configuring Application Load Balancing

Go to Server Objects > Server > Virtual Server to define the virtual IP address used by the FortiWeb unit to fulfill requests for the web application.

Click Create New and configure the following settings:
    Name: WebServer_VS
    IP Address: 10.0.2.105/24
    Interface: port2

Next you will configure the server pool and two real server entries. Go to Server Objects > Server > Server Pool and click Create New. Configure the following settings:
    Name: WebServer_Real
    Type: Reverse Proxy
    Single Server/Server Balance: Server Balance
    Server Health Check: HLTHCK_ICMP
    Load Balancing Algorithm: Round Robin
Click OK.

Now create the first real server entry:
    IP Address: 10.0.1.31
    SSL: Unchecked
    Port: 80
    Weight: 1
Click OK to save the configuration.


Repeat the step above to create the second real server entry. Configure the following settings:
    IP Address: 10.0.1.32
    SSL: Unchecked
    Port: 80
    Weight: 1
Click OK to save the configuration.

Exercise 2: Activating a Load Balancing Configuration

In this exercise, you will activate the load balancing configuration performed in the previous exercise by selecting it within a Server Policy. Go to Policy > Server Policy and click Create New. Configure the new server policy rule as follows:
    Policy Name: WebServer_LB_Policy
    Deployment Mode: Single Server/Server Pool
    Virtual Server: WebServer_VS
    Server Pool: WebServer_Real
    HTTP Service: HTTP
Leave all other parameters at their default values and click OK.


To test the load-balancing algorithm, open a web browser on SET-Linux and connect several times, from different browser windows, to the virtual IP: http://10.0.2.105. Your browser should sometimes reach WebServer1 and sometimes WebServer2. Separate windows matter because round robin is applied per connection: a browser that reuses one keep-alive connection keeps landing on the same server.

To enable traffic logs, go to Log&Report > Log Config > Other Log Settings and select Enable Traffic Log as shown below:


Connect once more over HTTP to the virtual IP address. To track the path taken by the HTTP request, go to Log&Report > Log Access > Traffic. The following is displayed:

To verify the status of the real servers, go to System > Status > Policy Status and check the Server Status widget. If both real servers are active the following information should be displayed:


Exercise 3: SSL Offloading

With the load balancing configuration in place, the next goal is to offload SSL encryption and decryption from the web servers to the FortiWeb unit. On the FortiWeb unit go to System > Certificates > Local and click Generate to create a certificate signing request (CSR), then fill in the information:
    Certificate Name: fwb_cert_yourname
    Subject Information, ID Type: Host IP
    IP: 10.0.2.105
Download the CSR and give the file to the instructor to sign. Then click Import and add the signed certificate:

Server Policy SSL offload

To apply SSL offloading, go to Policy > Server Policy > Server Policy and make the following changes to the existing WebServer_LB_Policy:
    HTTPS Service: HTTPS
    Certificate: fwb_cert_yourname
Click OK. The connection between the client and the FortiWeb unit is now encrypted. To confirm this, connect to the virtual IP address of the web server: https://10.0.2.105. When the warning about the certificate issuer (CA) is displayed, click "I Understand the Risks", then "Add Exception...", and view the certificate provided. You should notice that it is issued to the virtual server IP (10.0.2.105) that you entered as the subject of the CSR.


Click Close, then click Confirm Security Exception to add an exception for this certificate. You should now be able to display the page over HTTPS. Check that the connection to the real web server still uses HTTP, since in Server Objects > Server > Server Pool only HTTP real servers are defined:

Traffic on the 10.0.1.0/24 segment between FortiWeb and the pool is therefore sent in cleartext. You can change the servers to enable SSL, which re-encrypts that leg (just check the option; we will not test it in this laboratory):


Now let's simulate a server failure. First go to System > Status > Policy Status and check that both servers are responding:

Go to the ESXi management console and shut down WebServer2:

Go to System > Status > Policy Status to see that WebServer2 is now considered down. Test access to http://10.0.2.105 and https://10.0.2.105 to check that the VIP still works, forwarding traffic to the online web server only.
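The round-robin distribution tested above and the failover just observed are easy to reason about in code. The following Python is an added example written for this guide, not FortiWeb code: it models a server pool with per-member health state and extends the lab's setup with unequal weights (the lab uses Weight 1 on both members). The IPs are the lab's two real servers; the health-check results are constructed inputs.

```python
class ServerPool:
    """Weighted round-robin pool whose members can be marked down by a health check."""

    def __init__(self, members):
        # members: list of (ip, port, weight), e.g. the lab's two real servers
        self.members = list(members)
        self.up = {ip: True for ip, _, _ in self.members}
        self._schedule = []
        self._idx = 0
        self._rebuild()

    def _rebuild(self):
        # Expand weights into a dispatch order; members that are down drop out entirely.
        self._schedule = [(ip, port)
                          for ip, port, weight in self.members if self.up[ip]
                          for _ in range(weight)]
        self._idx = 0

    def health_check(self, ip, reachable):
        """Record an ICMP-style health-check result; rebuild the schedule if it changed."""
        if self.up[ip] != reachable:
            self.up[ip] = reachable
            self._rebuild()

    def pick(self):
        """Choose the real server for the next new connection."""
        if not self._schedule:
            raise RuntimeError("no healthy real servers in pool")
        target = self._schedule[self._idx % len(self._schedule)]
        self._idx += 1
        return target


def dispatch(pool, n):
    """Return the IPs chosen for n consecutive new connections."""
    return [pool.pick()[0] for _ in range(n)]


def failover_demo():
    """Lab scenario: equal weights, then WebServer2 (10.0.1.32) is shut down."""
    pool = ServerPool([("10.0.1.31", 80, 1), ("10.0.1.32", 80, 1)])
    before = dispatch(pool, 4)                 # alternates between the two servers
    pool.health_check("10.0.1.32", False)      # HLTHCK_ICMP fails for WebServer2
    after = dispatch(pool, 4)                  # only WebServer1 is used
    return before, after


def weighted_demo():
    """Beyond the lab: weight 2 vs 1 sends two thirds of connections to the first server."""
    pool = ServerPool([("10.0.1.31", 80, 2), ("10.0.1.32", 80, 1)])
    return dispatch(pool, 6)


if __name__ == "__main__":
    print(failover_demo())
    print(weighted_demo())
```

Note that a member only leaves the schedule when its health check fails; connections already open to it are not moved, which is why the browser test above should be repeated with new connections.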


Lab 3: Cross-Site Scripting

Objectives

In this lab, you will execute a stored cross-site scripting (XSS) attack against the vulnerable web application. Up to this point FortiWeb has been configured NOT to block attacks against the web server. Afterwards, you will configure the FortiWeb device to detect and block the attack.

Exercise 1: Executing XSS and SQL Injection Attacks

From SET-Linux, connect to the website by browsing to the following URL: http://10.0.2.105. To test the XSS attack, go to the "Guestbook" section and type the following into the form:
    Name: Whatever
    Message: <script>alert('Not Secure')</script>

Click the Guestbook menu again. You will see a prompt like this:


The script is being executed inside the web page. This is an example of stored XSS: the payload was saved in the guestbook database and is served to every visitor who opens the page. To test the SQL injection, go to the "Acesso Cliente" (customer login) section and fill in the following ID:
    admin'or'x'='x


The application now returns every ID in the database. The input closes the quoted string in the application's query and appends a condition that is always true, so a lookup such as WHERE id = 'admin'or'x'='x' matches every row:
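The following Python reproduces the defect behind the "Acesso Cliente" lookup against an in-memory SQLite table. It is an added example for this guide, not code from the lab application: the table, its three rows and the column names are constructed here. The same payload returns every row from the string-concatenated query and nothing from the parameterized one.

```python
import sqlite3

# Constructed sample data standing in for the lab application's customer table.
SAMPLE_CUSTOMERS = [("admin", "Administrator"), ("alice", "Alice Silva"), ("bob", "Bob Souza")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, customer_id):
    """Deliberately vulnerable: the ID is spliced into the SQL text, as in the lab app."""
    sql = "SELECT id, name FROM customers WHERE id = '" + customer_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, customer_id):
    """Hardened: the ID travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT id, name FROM customers WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (customer_id,))]


def demo(payload="admin'or'x'='x"):
    """Run the lab payload through both lookups and a normal ID through the safe one."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, payload),      # every customer ID leaks
        "parameterized": lookup_parameterized(conn, payload),  # no row has that literal ID
        "legit": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable query becomes WHERE id = 'admin' OR 'x'='x'; because = binds tighter than OR, the whole condition is true for every row. A WAF signature can catch this particular string, but only the parameterized query removes the defect.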

Exercise 2: Detecting and Blocking XSS Attacks

Perform the steps below to use the FortiWeb unit to detect and block cross-site scripting attacks like the one you executed above.

Server Protection Rule

Perform the steps below to create a server protection rule that will prevent cross-site scripting. Go to Web Protection > Known Attacks > Signatures and click Create New. Configure the following settings:
    Name: xss
    Cross Site Scripting: Checked
    Action: Alert & Deny
    Severity: High
Leave all other parameters at their default values and click OK.


To create a protection profile, go to Policy > Web Protection Profile > Inline Protection Profile and click Create New. Configure the following settings:
    Name: xss_profile
    Known Attacks > Signatures: xss

Leave all other parameters at their default values, then click OK.

Server Policy

Next go to Policy > Server Policy and edit the existing policy (WebServer_LB_Policy). Configure the settings below to identify the traffic you wish to protect against XSS:
    Deployment Mode: Single Server/Server Pool
    Virtual Server: WebServer_VS
    Server Pool: WebServer_Real
    HTTP Service: HTTP
    Web Protection Profile: xss_profile


Click OK.

XSS Prevention

Access the vulnerable web application by connecting to the following URL: http://10.0.2.105. Clear the web server database by going to Setup > Reset Database. This deletes the entries previously inserted by the XSS attack.


Repeat the steps performed in Exercise 1 to run the attack against the web page again. Go to the "Guestbook" section and type the following:
    Name: Whatever
    Message: <script>alert('Not Secure')</script>
The FortiWeb unit will block your access to the web page.

XSS Attack Log Observe the entry for this attack in the Attack log, and check the details:


Test the SQL injection attack again. Go to the "Acesso Cliente" section and fill in the following ID:
    admin'or'x'='x
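The signature rule created above works by matching request content against patterns and applying an action (Alert only, or Alert & Deny) with a severity. The following Python is an added example for this guide, not FortiWeb's signature engine: the four patterns are illustrative, the four sample requests are constructed here, and the URL-decoding step shows why a WAF must normalize input before matching (%3Cscript%3E is the same attack as <script>).

```python
import re
from urllib.parse import unquote_plus

# Illustrative signature table: (name, pattern, category, action, severity).
SIGNATURES = [
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I),
     "Cross Site Scripting", "Alert & Deny", "High"),
    ("xss_event_handler", re.compile(r"\bon(load|error|click|mouseover)\s*=", re.I),
     "Cross Site Scripting", "Alert & Deny", "High"),
    ("sqli_tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
     "SQL Injection", "Alert & Deny", "High"),
    ("sqli_comment", re.compile(r"(--|#|/\*)"),
     "SQL Injection", "Alert", "Medium"),
]

# Constructed requests: the lab's two payloads, a benign post and an alert-only hit.
SAMPLE_REQUESTS = [
    ("POST", "/guestbook.php", "",
     "name=Whatever&message=%3Cscript%3Ealert%28%27Not+Secure%27%29%3C%2Fscript%3E"),
    ("POST", "/acesso.php", "", "id=admin%27or%27x%27%3D%27x"),
    ("POST", "/guestbook.php", "", "name=Bob&message=Great+site%2C+see+you+on+Monday"),
    ("GET", "/search.php", "q=products--new", ""),
]


def inspect_request(method, path, query, body):
    """Return ("ALLOW"|"DENY", [matched signature records]) for one request."""
    # Decode URL/form encoding first so encoded payloads cannot slip past the patterns.
    fields = [unquote_plus(path), unquote_plus(query), unquote_plus(body)]
    matches = []
    for name, rx, category, action, severity in SIGNATURES:
        if any(rx.search(field) for field in fields):
            matches.append({"signature": name, "category": category,
                            "action": action, "severity": severity})
    # One Alert & Deny match is enough to block; Alert-only matches are logged and let through.
    decision = "DENY" if any(m["action"] == "Alert & Deny" for m in matches) else "ALLOW"
    return decision, matches


def run_samples():
    """Inspect every constructed request; returns (decision, [signature names]) per request."""
    results = []
    for req in SAMPLE_REQUESTS:
        decision, matches = inspect_request(*req)
        results.append((decision, [m["signature"] for m in matches]))
    return results


if __name__ == "__main__":
    for req, res in zip(SAMPLE_REQUESTS, run_samples()):
        print(req[0], req[1], "->", res)
```

The fourth request shows the difference between the two actions: the "--" in an ordinary query string trips the alert-only comment signature, which logs but does not block. Tuning which categories get Alert & Deny is exactly what the xss rule's Action field controls.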

Lab 4: DoS

Objectives

You will configure and test a DoS protection policy to block a DoS attack.

Exercise 1: Executing a DoS Attack

In this exercise, you will bring down the web service behind the VIP by executing a DoS attack against it. Go to Policy > Server Policy, edit the WebServer_LB_Policy rule and remove the Web Protection Profile setting. We do this to see the effect of the attack when FortiWeb applies no protection.


Connect to SET-Linux and run the following tool to generate a Slow POST attack against 10.0.2.105, the virtual IP that fronts the servers:

    slowhttptest -B -c 40000 -r 200 -s 10000000 -x 1024 -u http://10.0.2.105

Here -B selects the slow message body (Slow POST) test; without it slowhttptest runs its default slow headers test. -c is the number of connections, -r the connection rate per second, -s the Content-Length announced in each POST and -x the maximum size of each follow-up data chunk.

The Slow POST attack starts and you should see a new window with increasing counters for the number of connections attempted, active connections and failed connections. A Slow POST attack opens many POST requests and keeps every connection alive by sending small fragments of the announced body at regular intervals, so the server keeps waiting for the rest. It can make a web service unresponsive by exhausting the server's connection resources. While the attack is running, try to connect several times to the web server at http://10.0.2.105. At some point, connection attempts from your browser start to fail because the attack has brought down the web service.


Go to the FortiWeb System > Status > Policy Status page to check the concurrent connections to the web server:

Cancel the attack in the slowhttptest tool.

Exercise 2: Configuring and Testing DoS Protection

In this exercise, you will configure a DoS Protection Policy. You will then perform the DoS attack again and verify that the source IP address of the attacker is blocked by FortiWeb.

Create a TCP Flood Prevention rule

Go to DoS Protection > Network > TCP Flood Prevention and click Create New. Configure the settings below:
    Name: TCP_Flood
    TCP Connection Number Limit: 10
    Action: Period Block
    Severity: Medium
    Block Period: 60
Click OK.


Create DoS Protection Policy

Go to DoS Protection > DoS Protection Policy and click Create New. Configure the settings below:
    Name: DoS_Policy
    HTTP Session Based Prevention: Unchecked
    HTTP DoS Prevention: Checked
    HTTP Access Limit: Please Select (not selected)
    TCP Flood Prevention: TCP_Flood
Click OK.

Update the Web Protection Profile

Go to Policy > Web Protection Profile > Inline Protection Profile and click the existing profile named xss_profile. Enable Session Management and select DoS_Policy for the DoS Protection setting. Leave all other parameters at their default values, then click OK.


Apply the Web Protection Profile to the Server Policy

Go to Policy > Server Policy, edit WebServer_LB_Policy and set the Web Protection Profile to xss_profile. Execute the same DoS attack again with slowhttptest. You should see a new window with increasing counters for the number of connections attempted, active connections and failed connections. While the attack is running, check that you can still access the web server from your laptop: http://10.0.2.105


Wait until the tool finishes running. The statistics should look like the ones below:

The tool attempted 4000 connections. Only the first 10 (the TCP Connection Number Limit defined in the rule) were allowed by FortiWeb; every later attempt from the same source was blocked. Go to Log&Report > Monitor > Blocked IPs and check that the source IP address has indeed been blacklisted by FortiWeb:

The IP address stays blacklisted for 60 seconds (the Block Period) after the attack. During that time, any HTTP/S connection attempt from that IP address is rejected. You can remove an IP address from the Blocked IPs list manually by clicking the trash bin icon. Note that the block is keyed on the source IP, so every client behind the same NAT address is blocked together with the attacker. Go to Log&Report > Log Access > Attack and check the log generated by the attack:
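The behaviour verified above (10 connections accepted, the rest blocked, a 60-second block keyed on source IP) is a per-source concurrent connection limiter with a period block. The following Python is an added example written for this guide, not FortiWeb's implementation: it models the TCP_Flood rule with an injected clock, replays a constructed Slow POST of 4000 connection attempts that are never closed, and then checks a second client and the attacker after the block period.

```python
from collections import defaultdict


class TcpFloodPrevention:
    """Per-source concurrent connection limit with a period block, as in the lab's TCP_Flood rule."""

    def __init__(self, connection_limit=10, block_period=60, severity="Medium"):
        self.limit = connection_limit
        self.block_period = block_period
        self.severity = severity
        self.active = defaultdict(int)   # source IP -> currently open connections
        self.blocked_until = {}          # source IP -> time the block expires
        self.attack_log = []             # one record per block decision

    def on_connect(self, src_ip, now):
        """Decide on a new TCP connection from src_ip at time now (seconds)."""
        if src_ip in self.blocked_until:
            if now < self.blocked_until[src_ip]:
                return "blocked"
            del self.blocked_until[src_ip]      # block period elapsed
        if self.active[src_ip] >= self.limit:
            self.blocked_until[src_ip] = now + self.block_period
            self.attack_log.append({"time": now, "src": src_ip,
                                    "action": "Period Block", "severity": self.severity})
            return "blocked"
        self.active[src_ip] += 1
        return "accepted"

    def on_close(self, src_ip):
        if self.active[src_ip] > 0:
            self.active[src_ip] -= 1


def simulate_slow_post(attempts=4000, attacker="10.0.2.50", client="10.0.2.20"):
    """Replay a constructed Slow POST (connections never close) and observe the rule."""
    fw = TcpFloodPrevention(connection_limit=10, block_period=60)
    outcome = {"accepted": 0, "blocked": 0}
    t = 0.0
    for _ in range(attempts):
        outcome[fw.on_connect(attacker, t)] += 1
        t += 0.001                       # 1000 attempts per second, never closed
    # A different source IP is not affected by the attacker's block entry.
    outcome["other_client"] = fw.on_connect(client, t)
    # Inside the block period the attacker stays blocked regardless of its open connections.
    outcome["attacker_at_30s"] = fw.on_connect(attacker, 30.0)
    # Once the period has elapsed and its connections are gone, it is accepted again.
    for _ in range(10):
        fw.on_close(attacker)
    outcome["attacker_at_61s"] = fw.on_connect(attacker, 61.0)
    outcome["block_events"] = len(fw.attack_log)
    return outcome


if __name__ == "__main__":
    print(simulate_slow_post())
```

Only one log record is written per block decision, not one per rejected connection; a flood of 4000 attempts would otherwise produce 3990 identical attack log entries.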


Lab 5: Auto Learning

Objectives

In this lab, you will use the Auto Learn functionality to monitor HTTP sessions and create ad hoc profiles to protect the back-end web server.

Exercise 1: Creating an Auto Learning Profile

Go to Policy > Web Protection Profile > Inline Protection Profile and edit the xss_profile. Verify that Session Management is enabled.

Leave all other parameters at their current values, then click OK. To optimize the learning process, it is recommended to fine-tune the default Data Type Group and Suspicious URL auto-learning settings. The steps in the sections below guide you through this process.

Data Type Group

Go to Auto Learn > Predefined Pattern > Data Type Group and select the check box for predefine-data-type-group. Click Clone and configure the following settings:
    Name: autolearn_data_type_group
Click OK. Next, edit autolearn_data_type_group and uncheck the following:
    • US Zip Code
    • US State Name and Abbrev.
    • Canadian Post Code
    • CA Province Name and Abbrev.
    • Country Name and Abbrev.
    • China Post Code
    • US Social Security Number
    • Canadian Social Insurance Number

Leave all other parameters at their default values, then click OK.

Suspicious URL Rule

Go to Auto Learn > Predefined Pattern > Suspicious URL and select the check box for predefine-suspicious-url-rule. Click Clone and configure the following settings:
    Name: autolearn_suspicious_url
    Server Type: All (selects every server type)
Click OK. Next, edit autolearn_suspicious_url and review the server types selected. Leave all parameters at their default values and click OK.


Auto Learning Profile

Next you will create an auto learn profile to group the new auto-learning objects created above. Go to Auto Learn > Auto Learn Profile and click Create New. Configure the following settings:
    Name: autolearn_profile
    Data Type Group: autolearn_data_type_group
    Suspicious URL: autolearn_suspicious_url
Leave all other parameters at their default values and click OK.

Server Policy

Go to Policy > Server Policy > Server Policy and edit the policy called WebServer_LB_Policy:
    Deployment Mode: Single Server/Server Pool
    Virtual Server: WebServer_VS
    Server Pool: WebServer_Real
    HTTP Service: HTTP
    Web Protection Profile: xss_profile
    Auto Learn Profile: autolearn_profile


Exercise 2: Generating HTTP Traffic

On SET-Linux, open a terminal. Run the installed nikto Perl script against the virtual IP address as indicated below:

    sudo su
    nikto -h 10.0.2.105 -C all

nikto is an open source web server scanner that probes a server for known dangerous files, outdated software and configuration issues; here it serves as a source of both legitimate and attack-like HTTP traffic for Auto Learn to observe.


Exercise 3: Analyzing the Auto Learn Results

Once the scan has completed, go to Auto Learn > Auto Learn Report. Select the check box for the WebServer_LB_Policy report and click View to analyze the report. Pay attention to the attacks counted. In a later step, you will see how the "learned" information can be used to configure protection settings against this type of attack.

Change the Action for Generic Attacks, Known Exploits and Bad Robot to "Alert & Deny".

Customizing Reports

From the Auto Learn Report page the administrator can customize various fields, including:
    • Protected Servers
    • Attacks (Server Protection Rules)
    • HTTP Methods
    • URL Access Rules
    • URL Start Page


This information is used to generate the inline or offline protection profiles. Click Visits and scroll through the various settings described above.

Profile Generation

To generate an Auto Learn inline protection profile, click Generate Config and configure the following settings:
    Profile Name: auto-attack
    Profile Type: Inline
Click OK.

Go to Web Protection > Known Attacks > Signatures and edit the auto-attack... entry. Change the Actions for Known Exploits, Generic Attacks and Bad Robot to Alert & Deny.


Modify Server Policy

To prevent those attacks, you will now modify the server policy to apply the web protection profile generated from the Auto Learn report. Go to Policy > Server Policy > Server Policy and edit the policy WebServer_LB_Policy. From the Web Protection Profile drop-down, select the automatically generated auto-attack... protection profile. Leave all other parameters at their default values and click OK.

Next go to Auto Learn > Auto Learn Report > Auto Learn Report. Select the check box for the existing report and click Clean Data to clear the auto learn report.


Generate Traffic

Run the nikto test again against the configured virtual IP:

    nikto -h 10.0.2.105 -C all

Analyze the Attacks section of the auto learning report. You should observe that Known Exploits and Generic Attacks are no longer detected, as indicated below:

They have all been blocked by the configured auto-attack web protection profile. Note: nikto may try different attacks each time it runs, which can cause new attacks to appear in the report. Run it several times for a more complete test and, consequently, a better report.


Lab 6: Web Vulnerability Scan

Objectives

In this lab, you will perform a vulnerability assessment of the web server's application, as required by PCI DSS Requirement 6. All software should be kept up to date, including all code libraries used by the application.

Exercise 1: Creating a Scan Profile

Go to Web Vulnerability Scan > Web Vulnerability Scan Profile. Click Create New and configure the following parameters for your vulnerability assessment:
    Name: web_scan
    Hostname: http://10.0.1.31/dvwa
    Scan: select all
    Scan Mode: Enhanced Mode
    Request Timeout: 30
    Delay Between Each Request: 0

The scan targets the real server directly through port3 rather than the VIP, so FortiWeb's own protection profile does not interfere with the assessment.


Scan Policy

To define which vulnerability scan profile to use, go to Web Vulnerability Scan > Web Vulnerability Scan Policy and click Create New. Define the type of scan and the format of the report as follows:
    Name: wscan_policy
    Type: Run Now
    Profile: web_scan
    Report Format: HTML, PDF
Click OK.

Exercise 2: Performing the Scan and Analyzing Reports

The scan should start automatically. If it does not, go to Web Vulnerability Scan > Web Vulnerability Scan Policy and click Start to start it manually, as indicated below:

Wait for the scan process to complete, then go to Web Vulnerability Scan > Scan History to view the generated vulnerability scan report.

Click on the link to display the report in HTML format and analyze the results.


Navigate through the various report items to analyze the vulnerability scan results.


Lab 7: Anti Defacement

Create a Defacement Profile

It takes some minutes for FortiWeb to connect to the server and copy all files. Check the connection status and the number of files copied. Note that the credentials given to FortiWeb must be able to write to the web root, since restoring a file requires write access; protect that account accordingly.

Log in to WebServer1 and delete one file from the path /var/www. Wait a few seconds and verify that FortiWeb detects the change and restores the file. Click the number under Total Changed:

Open a terminal on WebServer1 and verify that the file has been restored.
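Anti-defacement boils down to a baseline of file hashes, a periodic comparison and a restore from a trusted copy. The following Python is an added example for this guide, not FortiWeb's implementation: it builds a throwaway web root in a temporary directory (constructed sample files), takes a baseline and backup, then simulates the three events a defacement produces (a deleted file as in the lab, a modified index page and a dropped web shell) and repairs all three.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root):
    """Hash every file under root; returns {relative path: sha256 hex}."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(root, backup_dir):
    """Copy the web root to a trusted location and return its baseline manifest."""
    shutil.copytree(root, backup_dir)
    return snapshot(root)


def check_and_restore(root, backup_dir, baseline):
    """Compare the live tree with the baseline; restore changed/deleted files, remove added ones."""
    root, backup_dir = Path(root), Path(backup_dir)
    current = snapshot(root)
    changed = [f for f in baseline if current.get(f) != baseline[f]]   # modified or deleted
    added = [f for f in current if f not in baseline]                   # e.g. a dropped web shell
    for f in changed:
        dst = root / f
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / f, dst)
    for f in added:
        (root / f).unlink()
    return {"changed": changed, "added": added}


def demo():
    """Constructed scenario: baseline, deface, detect and restore; returns (report, restored_ok)."""
    tmp = Path(tempfile.mkdtemp())
    try:
        web = tmp / "www"
        web.mkdir()
        (web / "index.html").write_text("<h1>WebServer1</h1>")
        (web / "about.html").write_text("about us")
        baseline = take_backup(web, tmp / "backup")

        (web / "about.html").unlink()                  # the lab's deleted file
        (web / "index.html").write_text("HACKED")      # defaced page
        (web / "shell.php").write_text("<?php ?>")     # dropped file

        report = check_and_restore(web, tmp / "backup", baseline)
        return report, snapshot(web) == baseline
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(demo())
```

The baseline must be refreshed whenever the site is legitimately updated; otherwise every deployment is treated as a defacement and rolled back, which is the operational trap of any restore-on-change control.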


Lab 8: Virtual Patching

For this lab, you need to upload an XML file from a third-party vulnerability scanner, provided by the instructor. Go to Web Vulnerability Scan > Scanner Integration and click Scanner File Import. Select Acunetix and upload the XML file:
    Rule Name: Acunetix_Policy
    Action High: Deny
    Action Medium: Alert
    Action Low: Alert

You will see all the rules and policies created from the vulnerabilities reported by the Acunetix vulnerability scanner.


Check where the generated policies are referenced in the Web Protection Profile. Virtual patching only blocks the specific requests the scanner reported; the underlying application defect is still there until the code is fixed.

Final: Shutting Down Everything

To erase all labs and shut down the servers correctly, follow these steps:
    • Enter the SET-Linux VM console.
    • Execute 'sudo /root/scripts/RestartESXLab.sh'.
    • Wait until it finishes.
    • Execute 'init 0'.
    • In the ESXi management GUI, check that SET-Linux is the only VM and that it is turned off.
    • Right-click the Host and select Shutdown.

