Web Application Protection System Manual
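Sangfor (深信服) Virtualized Web Application Firewall (Cloud WAF) User Manual
Product version: 8.0.28
Document version: 01
Release date: 2021-03-12
Sangfor Technologies Inc. (深信服科技股份有限公司)
Copyright © Sangfor Technologies Inc. 2020. All rights reserved.
Unless Sangfor Technologies Inc. (hereinafter "Sangfor") states or authorizes otherwise, all intellectual property rights (including but not limited to copyrights, trademark rights, patent rights and trade secrets) and related rights in the text, images, pictures, photographs, audio, video, charts, colors, layout design and other material contained in or referred to by this document and its related content belong to Sangfor or its affiliates.
Without Sangfor's written permission, no one may use this document or its content (including but not limited to copying, reprinting, excerpting, modifying, or otherwise displaying or distributing it).
Notice
The products, services and features you purchase are subject to the commercial contracts and terms of Sangfor Technologies Inc. All or part of the products, services or features described in this document may not be within the scope of your purchase or use.
Unless the contract provides otherwise, Sangfor Technologies Inc. makes no express or implied statement or warranty about the content of this document.
The content of this document is updated from time to time because of product version upgrades or other reasons.
Unless otherwise agreed, this document serves only as a usage guide, and none of the statements, information and recommendations in it constitute any express or implied warranty.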
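Preface
About this document
This document covers the Sangfor virtualized Web application firewall product and describes the architecture, features, installation, and operation and maintenance management of the cloud WAF.
Product version
This document is written against the following product version.
When configuration content changes in later versions, this document is updated and reissued accordingly.
Intended audience
This manual is recommended for:
- Network design engineers
- Operations and maintenance personnel
Symbol conventions
The following symbols may appear in this document; their meanings are as follows.
The following graphical interface formats appear in this document; their meanings are as follows.
Revision history
The revision history accumulates the notes for each document update.
The latest version of the document contains the updates of all earlier document versions.
Obtaining documentation
You can get the latest product information from the Sangfor official website:
Installation/configuration documentation, software versions and upgrade packages, and common tools are available at the following addresses:
Sangfor Technologies
Sangfor Technical Services
Technical support
User support e-mail: *******************.cn
Technical support hotline: 400-630-6430 (reachable from mobile phones and landlines)
Sangfor service provider and service validity lookup: https:///plugin.php?id=service:query
Feedback
If you find any problem with the product documentation during use, you can contact us in the following ways.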
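SafeLine (雷池) Web Application Firewall User Operation Manual
Version 2.1
Contents
1 Product Overview
1.1 Product Introduction
1.2 Core Advantages
1.2.1 Intelligent Semantic Analysis Technology
1.2.2 0day Vulnerability Protection Capability
1.2.3 Highly Customizable Extensibility
1.2.4 Easy to Get Started, Efficient to Manage
2 Login
2.1 Uploading the License
2.2 Logging In to the SafeLine Management Console
2.2.1 Password Authentication
2.2.2 Certificate Authentication
3 Statistics
3.1 Protection Status Overview
3.1.1 Viewing the Protection Status Overview
3.1.2 Data Display Details
3.2 Protection Report Export
3.2.1 Scheduled Report Tasks
3.2.2 Protection Reports
3.3 Real-Time Access Monitoring
3.4 Attack Detection Statistics
3.5 Real-Time Big Screen
3.5.1 Big Screen Information
3.5.2 Big Screen Configuration
4 Network Management
4.1 Network Interface Configuration
4.1.1 Network Interface Management
4.1.2 Workgroup Management
4.1.3 Version 19.09 Transparent Bridge/Traffic Mirroring Mode Configuration Update Notes
4.2 Management Service Configuration
4.2.1 SSH Management
4.2.2 SNMP Management
4.2.3 Web Management
4.2.4 PING Management
4.2.5 Management Time Configuration
4.3 High Availability Configuration
4.3.1 High Availability Configuration
4.3.2 High Availability Status
4.4 Domain Name Resolution Configuration
4.5 Route Management
4.5.1 Default Gateway Configuration
4.5.2 Routing Table Management
4.6 Network Diagnostic Tools
5 Website Protection
5.1 Protected Site Management
5.1.1 Protected Site Details
5.1.2 Protected Site Configuration
5.2 Protection Policy Management
5.2.1 Configuration Notes
5.2.2 Attack Detection Module Notes
5.2.3 Common Operations Guide for Protection Policy Management
5.3 Custom Rules
5.3.1 Custom Rule Detection Notes
5.3.2 Custom Rule Configuration Notes
5.3.3 Custom Rule Advanced Option Configuration
5.3.4 Custom Rule Operation Notes
5.3.5 Importing and Exporting Custom Rules
5.4 Access Rate Control
5.4.1 Access Rate Limiting Rules
5.4.2 Do Not Limit These Users
5.5 SSL Certificate Management
5.6 IP Group Management
5.6.1 Adding an IP Group
5.6.2 Deleting an IP Group
5.6.3 Filtering IP Groups
5.7 Extension Plugin Management
5.8 Intelligence Module
5.8.1 Intelligence Sync Configuration
5.8.2 Intelligence Sync Status
5.8.3 Intelligence Sync Information
5.8.4 Threat Intelligence: Custom Rules
6 Log Management
6.1 Attack Detection Logs
6.2 Rate Access Logs
6.3 Extension Plugin Logs
6.4 System Operation Logs
6.5 Log Archive Management
6.5.1 Attack Detection Log Archiving
6.5.2 Access Rate Control Log Archiving
6.5.3 Extension Plugin Log Archiving
6.5.4 System Operation Log Archiving
7 System Settings
7.1 Alert Recipient Configuration
7.1.1 Setting Alert Recipients
7.1.2 Setting the SYSLOG Message Format
7.1.3 Alert Threshold Configuration
7.1.4 E-mail Sending Configuration
7.2 System User Settings
7.2.1 Viewing and Editing User Information
7.2.2 Adding a New User
7.2.3 Deleting a User
7.2.4 User Management Configuration
7.3 Configuration Backup and Restore
7.3.1 Viewing and Creating Backups
7.3.2 Downloading and Deleting Backups
7.3.3 Restoring a Backup
7.4 Other System Settings
7.4.1 Uploading and Updating the HTTPS Certificate
7.4.2 Configuring How the Management Backend Obtains the User IP
7.4.3 System Time Settings
7.4.4 Data Reset
8 System Information
8.1 Node Status
8.1.1 Load Status
8.1.2 Network Status
8.1.3 Detection Status
8.1.4 Forwarding Status
8.1.5 Disk Status
8.1.6 Historical Data Query
8.2 System Firmware Information
8.2.1 Current Firmware Version
8.2.2 Firmware Upgrade
8.3 License Information
8.3.1 Current License Information Version
8.3.2 License Update
8.4 About the Product
9 Personal Center
9.1 Personal Information
9.2 Usage Preferences
9.3 OPEN API
9.3.1 Viewing and Editing OPEN API TOKEN
9.3.2 Adding an OPEN API TOKEN
9.3.3 Deleting an OPEN API TOKEN
1 Product Overview
1.1 Product Introduction
SafeLine (雷池) is a next-generation Web application protection product developed in-house by Chaitin Technology (长亭科技) and the world's first based on intelligent semantic analysis technology. It was shortlisted in Gartner's 2018 "Magic Quadrant for Web Application Firewalls", Asia/Pacific edition.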
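Version 2.8.3
Release Notes
This manual contains the release notes for WAF_2.5 and later versions, and mainly describes the new features, known issues and other content of each version.
- WAF2.8.3
- WAF2.8
- WAF_2.7.3
- WAF_2.7.1
- WAF_2.7
- WAF_2.6.5
- WAF_2.6
- WAF_2.5.1
- WAF_2.5
WAF2.8.3
Release date: November 19, 2021
This release mainly supports the following features:
- Added the domestic-platform WAF model SG-6000-W5160-GC, which uses a Phytium (飞腾) 8-core processor for stronger performance.
- Supports identifying and forwarding non-HTTP traffic (on HTTP sites) and non-SSL traffic (on HTTPS sites). HTTP traffic is protected precisely while non-HTTP traffic is identified and forwarded, which serves both the security needs and the business needs of users.
- The ARM-based vWAF, SG-6000-W5160-GC and SG-6000-W3060-GC support the vulnerability scanning feature.
Release information: https:///show_bug.cgi?id=25662
Platforms and system files
New features
Resolved issues
Known issues
Browser compatibility
The following browsers have passed WebUI testing and are recommended:
- IE11
- Chrome
Getting help
Hillstone Web application firewall devices come with the following manuals. Please visit https:// to download them.
- "Web Application Firewall WebUI User Manual"
- "Web Application Firewall CLI Command Line Manual"
- "Web Application Firewall Hardware Reference Guide"
- "Web Application Firewall Typical Configuration Case Manual"
- "Web Application Firewall Log Message Reference Guide"
- "Web Application Firewall SNMP Private MIB Reference Guide"
- "vWAF WebUI User Manual"
- "vWAF Deployment Manual"
- "WAF Domestic Series Hardware Reference Guide"
Service hotline: 400-828-6655
Official website: https://
WAF2.8
Release date: September 17, 2021
This release mainly supports the following features:
- vWAF can be deployed on virtualization platforms based on the Kunpeng (鲲鹏) and Phytium (飞腾) architectures.
- Supports multi-virtual-router mode: sites can be bound to different virtual routers for fine-grained protection of Web sites.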
While web applications are now an integral part of every company’s core business infrastructure, they also provide a high profile target for malicious activities. These malicious activities can range from simple defacement attacks to more damaging denial of service attacks or data harvesting attacks. The more serious malicious activity can result in damage to customer confidence and loyalty, brand reputation, and corporate credibility. Mandated by the Payment Card and Industry Data Security Standard (PCI DSS) regulatory framework, the protection of web applications is a tremendous challenge that traditional security tools are unable to solve.

The FortiWeb-1000B appliance protects web applications and web services from attacks and data loss. Using advanced techniques to protect against SQL injection, Cross site scripting and a range of other attacks, FortiWeb appliances help to prevent identity theft, financial fraud, and corporate espionage that can result in significant damage to a corporation’s bottom-line. With Web Application Firewall, XML Firewall, Web Traffic Acceleration, and Application Traffic Balancer capabilities built into one hardware accelerated platform, the FortiWeb-1000B appliance meets data security standards, reduces deployment effort, and offers cost-effective web application security for any medium or large enterprise.

FortiWeb™-1000B
Medium Enterprise, Large Enterprise
Combined Web Application and XML Firewall
Datasheet
Inline Reverse Proxy, Transparent, and Offline Deployment Modes
Auto-Learning Security Profiles
FortiWeb-1000B (FWB-1000B)

FLEXIBLE DEPLOYMENT OPTIONS
FortiWeb supports inline reverse proxy, transparent, and offline deployment modes. It provides a totally flexible solution to introduce FortiWeb into existing network implementations without the need for a network-level redesign. The offline mode and transparent mode can monitor and analyze real time web traffic, without requiring changes to the existing web application or network infrastructure.

Copyright© 2009 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions. Network variables, different network environments and other conditions may affect performance results, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding contract with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable. Certain Fortinet products are licensed under U.S. Patent No. 5,623,600.
FWB1000B-DAT-R1-0909
GLOBAL HEADQUARTERS: Fortinet Incorporated, 1090 Kifer Road, Sunnyvale, CA 94086 USA. Tel +1-408-235-7700 Fax +/sales
EMEA SALES OFFICE-FRANCE: Fortinet Incorporated, 120 rue Albert Caquot, 06560, Sophia Antipolis, France. Tel +33-4-8987-0510 Fax +33-4-8987-0501
APAC SALES OFFICE-SINGAPORE: Fortinet Incorporated, 61 Robinson Road, #09-04 Robinson Centre, Singapore 068893. Tel: +65-6513-3730 Fax: +65-6223-6784
Executive Summary
FortiWeb Cloud Web Application Firewall-as-a-Service (WAFaaS) delivers full-featured, cost-effective security for web applications with a minimum of configuration and management. Delivered through major cloud platforms, including AWS, Azure, Google Cloud, and Oracle Cloud, FortiWeb Cloud features a high level of scalability as well as on-demand pricing. While FortiWeb Cloud can protect applications deployed in the data center or in the cloud, customers who host their applications on these public clouds can achieve benefits such as reduced latency, simplified compliance, and lower bandwidth costs.

Securing Web Applications
Cloud service providers and application owners share the responsibility for securing web applications deployed to the cloud. This arrangement has advantages in that providers typically deploy robust security for the platform itself, removing that burden from the application owner. However, securing the application itself rests squarely with the owner, a stipulation that AWS [1] and other providers make clear in their service agreements.

Best practices for web application security include the deployment of a WAF as the cornerstone of a comprehensive security solution. WAFs use a combination of rules, threat intelligence, and heuristic analysis of traffic to ensure that malicious traffic is detected and blocked before reaching web applications.

The task of protecting on-premises application software typically falls to a security architect or other security professional within the CIO or CISO organization. In contrast, the DevOps team often fills this role for cloud-based applications, consistent with DevOps principles of end-to-end responsibility and cross-functional, autonomous teams. As a result, DevOps teams need the right tools to embed effective security controls into their process—simply repurposing traditional workflows and processes will not do the job. Also, the additional workload of managing WAFs consumes valuable time on the part of DevOps teams and can elongate time-to-release cycles and inhibit continuous improvement efforts.

FortiWeb Cloud Features
• Advanced protection against OWASP Top 10 threats, zero-day threats, and more
• Purchasing flexibility—buy directly through a cloud marketplace or your preferred reseller
• Easy deployment with a setup wizard and predefined policies
• Streamlined management with an intuitive dashboard for end-to-end security visibility and management
• Delivered on public cloud, including AWS, Azure, Google Cloud, and Oracle Cloud, which offers low latency and unmatched elasticity and scalability

Cloud-native Solution for Web Application Security: FortiWeb Cloud WAF-as-a-Service for AWS, Azure, Google Cloud, and Oracle Cloud
SOLUTION BRIEF

The Expanding Attack Surface
The threat landscape today can be daunting for organizations considering a move to the cloud. More than three-quarters of successful attacks are motivated by financial gain, [2] which can take the form of ransomware, exfiltration of valuable personal information, or compromised intellectual property. Furthermore, breaches happen fast—87% take place in just minutes [3]—and most go undiscovered for months or more (Figure 1). [4]

Internet-facing web applications pose unique security challenges compared to traditional solutions deployed within the organization’s network perimeter. Every time a company deploys a new internet-facing web application, the attack surface grows. As DevOps teams accelerate the rate of development and new releases, the attack surface evolves more rapidly than ever. This expanded attack surface challenges traditional approaches to application security.

Enhanced Protection With FortiWeb
To address the diverse needs of organizations for web application security, Fortinet offers the FortiWeb family of solutions.

FortiWeb WAF provides advanced features that defend web applications from known and zero-day threats. Using an advanced multilayered and correlated approach, FortiWeb delivers complete security for external and internal web-based applications from the OWASP Top 10 and many other threats. At the heart of FortiWeb are its dual-layer artificial intelligence (AI)-based detection engines that intelligently detect threats with nearly no false-positive detections.

FortiWeb Cloud WAF-as-a-Service
Designed for web applications that demand the highest level of protection, FortiWeb Cloud provides robust security that is simple to deploy, easy to manage, and cost effective. With FortiWeb Cloud, DevOps teams and security architects alike have access to the same proven detection techniques used in other FortiWeb form factors without the need for costly capital investments. Unlike solutions that simply spin up virtual machines for each customer and increase the management workload, FortiWeb Cloud delivers a true Software-as-a-Service (SaaS) solution that leverages public cloud to offer highly scalable and low-latency application security.

FortiWeb VM
FortiWeb VM is an enterprise-class offering that provides the FortiWeb functionality in a virtual form factor. Designed for hybrid environments, the virtual version of FortiWeb includes protection for container-based applications. FortiWeb VM can be deployed in VMware, Microsoft Hyper-V, Citrix XenServer, Open Source Xen, VirtualBox, KVM, and Docker platforms.

[Figure 1: Threat statistics from recent published studies. 76% of breaches are financially removed. 87% of compromise take minutes or less. 68% of threats go undiscovered for a month or more.]

uses machine learning (ML)-enabled technology to minimize false positives while accurately identifying real threats.

[Figure 2: Common attack vectors and remediation techniques. Labels: Attacks/Threats, Application, Correlation, User/Device, Threat Scoring.]

[Figure 3: FortiWeb Cloud dashboard.]

Easy to Deploy and Manage
FortiWeb Cloud enables rapid application deployments in the public cloud while addressing compliance standards and protecting business-critical web applications. To facilitate use by nonsecurity professionals, FortiWeb Cloud comes with a setup wizard and a default configuration that can be easily modified to meet individual requirements. FortiWeb Cloud delivers cloud-native application security that can be deployed in minutes. After going through the setup wizard, simply update your DNS setting and your web application is protected.

Busy DevOps staff have no time for extensive WAF training. To address this issue, FortiWeb Cloud features an intuitive real-time dashboard that allows DevOps staff and other nonsecurity professionals to see and understand quickly the security status of their web applications (Figure 3).

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
April 6, 2021 11:46 PM

Cost-effective Security
As a cloud-native SaaS solution, FortiWeb Cloud features lower capital expenditures (CapEx) and operational expenditures (OpEx) compared to on-premises solutions. AWS, Azure, Google Cloud, and Oracle Cloud provide the hardware and software components of the infrastructure, virtually eliminating the need for capital investments as well as the operating costs associated with platform maintenance. By removing the burden of maintaining and upgrading the platform, customers can focus on improving the application and delivering business value to their organizations.

The SaaS business model—pay only for what you use—gives customers flexibility in managing their security budgets as well as the ability to institute chargebacks and other cost-control measures. Customers who host their applications on these clouds can reduce costs significantly because they must only pay data transfer fees for traffic from the application to the WAF—as the data transfer costs for outbound traffic are included in the FortiWeb subscription (Figure 4).

[Figure 4: Data transfer fees for applications hosted on public clouds. Labels: Internet; Data transfer fees included in FortiWeb subscription; Intra-region data transfer fees.]

Conclusion
Utilizing a comprehensive, correlated, multilayer approach to web application security, FortiWeb Cloud protects web-based applications from all of the Top 10 OWASP security risks and many more. Unique among WAFs on the market, FortiWeb Cloud leverages ML capabilities to detect both known and unknown exploits targeting web applications with almost no false positives. Delivered via public cloud providers including AWS, Azure, Google Cloud, and Oracle Cloud, FortiWeb Cloud features low latency and high elasticity and can easily and quickly scale to accommodate changes in traffic. Further, FortiWeb Cloud keeps web applications safe from vulnerability exploits, bots, malware uploads, DDoS attacks, APTs, and zero-day attacks.

[1] “Shared Responsibility Model,” AWS, accessed June 20, 2019.
[2] “2018 Data Breach Investigations Report,” Verizon, accessed June 18, 2019.
[3] Ibid.
[4] Ibid.
[5] “OWASP Top 10-2017: The Ten Most Critical Web Application Security Risks,” OWASP, accessed May 25, 2018.
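H3C SecPath Web Application Firewall Security Manual
Hangzhou H3C Technologies Co., Ltd. (杭州华三通信技术有限公司)
Document version: APW100-20150612
Copyright © 2015 Hangzhou H3C Technologies Co., Ltd. and its licensors. All rights reserved.
Without the written permission of the company, no organization or individual may excerpt or copy part or all of the content of this book, or distribute it in any form.
H3C, H3CS, H3CIE, H3CNE, Aolynk, H3Care, IRF, NetPilot, Netflow, SecEngine, SecPath, SecCenter, SecBlade, Comware, ITCMM, HUASAN and 华三 are trademarks of Hangzhou H3C Technologies Co., Ltd.
Trademarks, product marks and trade names of other companies that appear in this manual belong to their respective owners.
The content of this manual may change because of product version upgrades or other reasons.
H3C reserves the right to modify the content of this manual without any notice or prompt.
This manual serves only as a usage guide. H3C makes every effort to provide accurate information in this manual, but does not guarantee that the content is entirely free of errors, and none of the statements, information and recommendations in this manual constitute any express or implied warranty.
Technical support
User support e-mail: ***************
Technical support hotline: 400-810-0504 (reachable from mobile phones and landlines)
Website:
Obtaining documentation
You can get the latest product documentation from the H3C website ( ):
The main sections of the H3C website related to product documentation are as follows:
• [Service Support/Document Center]: product documentation for hardware installation, software upgrade, configuration, maintenance and similar topics.
• [Products & Technology]: product and technology introduction documents, including product introductions, technology introductions and technical white papers.
• [Solutions]: solution documentation.
• [Service Support/Software Download]: documentation that accompanies software versions.
Documentation feedback
If you find any problem with the product documentation during use, you can send feedback by:
E-mail: ************
Thank you for your feedback, which helps us do better!
Environmental protection
This product meets the design requirements for environmental protection. Storage, use and disposal of the product must follow the relevant national laws and regulations.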
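Classification: restricted distribution
南墙 (Nanqiang) WEB Application Firewall User Manual V1.8
"Won't turn back until hitting the south wall"
Copyright notice
© 2005-2022, 有安科技
Unless specifically noted otherwise, the copyright in any text, document format, illustration, photograph, method, process or other content appearing in this document belongs to 有安科技 and is protected by the relevant property and copyright laws.
No individual or organization may copy or quote any part of this document in any way without written authorization.
Contents
1 Product Overview
1.1 Product Introduction
1.2 Technical Advantages
1.2.1 Advanced Semantic Engine
1.2.2 Intelligent 0day Defense
1.2.3 Advanced Rule Engine
2 Usage
2.1 Login Management
2.1.1 Login Screen
2.1.2 Security Posture
2.2 Features
2.2.1 Rule Management
2.2.2 Attack Query
2.2.3 Site Management
2.2.4 User Settings
2.2.5 System Information
3 Rules
3.1 Advanced Rules
4 About Us
4.1 Technical Capabilities
4.2 Team Strength
1 Product Overview
1.1 Product Introduction
The 南墙 WEB application firewall (uuWAF for short) is an all-round website protection product from 有安科技.
It was developed in-house using 有安科技's proprietary technologies such as WEB intrusion anomaly detection, building on the team's years of accumulated application-security attack and defense theory and incident-response practice.
It helps governments at all levels and enterprises and public institutions protect WEB application security comprehensively, providing an all-round protection solution for WEB servers.
Intended audience: the "南墙 WEB Application Firewall User Manual" is for operations personnel who want to understand the product's features and become proficient in its configuration and day-to-day operation and maintenance.
Company contact information: users can learn more about the product through the following contacts:
- Marketing and sales: e-mail: ***************
- Support services: e-mail: ***************
- Official site: URL:
1.2 Technical Advantages
1.2.1 Advanced Semantic Engine
南墙 uses four industry-leading detection engines based on semantic analysis, for SQL, XSS, RCE and LFI. Combined with multiple deep decoding engines, it can faithfully restore HTTP content such as base64, json and form-data, and so effectively resists the various ways of bypassing a WAF. Compared with traditional regular-expression matching it has high accuracy, a low false-positive rate and high efficiency, and administrators can block many attack types without maintaining a large and complex rule base.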
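Website Protection System Manual
With the innovation of IT technology, new viruses keep emerging, and servers and websites are attacked in more and more ways.
To ensure the secure operation of the "XXXX" website, maintenance strengthens the site's security and self-defense capability mainly through the website source code, firewall settings and security software.
I. Defense in the website source code itself
Website defense has to start with the source code. During development, developers should add targeted defensive code based on how common Web attacks work, making the source code the last line of defense of the website's protection system.
(I) SQL injection protection measures:
1. Validate user input, using regular expressions or length limits; convert single quotes and double "-", and so on.
2. Use dynamically assembled SQL statements as little as possible; use parameterized SQL, or stored procedures directly, for data queries and access.
3. Do not use database connections with administrator privileges directly; use a separate database connection with limited privileges for each application.
4. Do not store confidential information as-is; encrypt passwords and sensitive information before storing them.
5. Application exception messages should give as few hints as possible; it is best to wrap the original error message in a custom error message.
6. SQL injection is generally detected with auxiliary software or website platforms, such as MDCSOFTSCAN.
The domestic server security software "服务器安全狗" can effectively defend against SQL injection.
(II) Cross-site scripting (XSS) protection measures:
1. Filter and validate information. Validate the data users submit: accept only content that is within the specified length range and in the format we expect, and block or ignore any other data.
For example, a phone number must consist of digits and hyphens, and an upper length limit must be set.
Filter some common sensitive characters, for example: < > ‘ “ & # \ javascript expression "onclick=" "onfocus"; filter or remove special Html tags, for example: <script>, <iframe>, &lt; for <, &gt; for >, &quot; for "; filter tags for JavaScript events, for example "onclick=", "onfocus", and so on.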
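SQL injection measures 1, 2 and 5 and the phone-number format rule from the lists above, shown together as an added example (not code from the original manual). The `members` table, the function names and the 20-character cap are assumptions made for the illustration, and an in-memory sqlite3 database stands in for the site's database.

```python
import logging
import re
import sqlite3

log = logging.getLogger("site")

# Measure 1: accept only the expected format. Digit groups joined by single
# hyphens; the 20-character cap is an assumed value for this example.
PHONE_RE = re.compile(r"[0-9]+(?:-[0-9]+)*")
MAX_PHONE_LEN = 20


class InvalidInput(ValueError):
    """Input did not match the expected format."""


class QueryFailed(Exception):
    """Generic error for the caller; the raw database error stays in the log."""


def validate_phone(value):
    """Return the value unchanged if it is a well-formed phone number."""
    if not isinstance(value, str) or len(value) > MAX_PHONE_LEN:
        raise InvalidInput("phone number has an invalid format")
    if PHONE_RE.fullmatch(value) is None:
        raise InvalidInput("phone number has an invalid format")
    return value


def build_demo_db():
    """Constructed sample data standing in for the site's member table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (name TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [("alice", "010-5550-0101"), ("bob", "021-5550-0102")],
    )
    db.commit()
    return db


def find_member_concatenated(db, phone):
    """What measure 2 warns against: the input becomes part of the SQL text."""
    sql = "SELECT name FROM members WHERE phone = '" + phone + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, phone):
    """Measure 2: the value is bound as a parameter and is never parsed as SQL."""
    rows = db.execute("SELECT name FROM members WHERE phone = ?", (phone,))
    return [row[0] for row in rows]


def find_member(db, phone):
    """Measures 1, 2 and 5 combined in one lookup."""
    phone = validate_phone(phone)
    try:
        return lookup_parameterized(db, phone)
    except sqlite3.Error:
        # Measure 5: keep the original error server-side, return a generic one.
        log.exception("member lookup failed")
        raise QueryFailed("The request could not be processed.") from None


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print(find_member(db, "010-5550-0101"))
    print(find_member_concatenated(db, crafted))
    print(lookup_parameterized(db, crafted))
```

The concatenated lookup returns every row for the crafted value, the parameterized lookup returns none, and `find_member` rejects the value before any query runs.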
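Version 2.8.3
Copyright 2021 Hillstone Networks. All rights reserved.
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Hillstone Networks.
Hillstone Networks
This document may not be used for any commercial purpose.
Contact information
Beijing: 5th Floor, Building 20, No. 1 Baosheng South Road, Haidian District, Beijing. Postal code: 100192
Suzhou: No. 181 Jingrun Road, Science and Technology City, High-tech Zone, Suzhou. Postal code: 215000
Contact us: https:///about/contact_Hillstone.html
About this manual
This manual describes how to use the WAF products of Hillstone Networks (山石网科).
For more documentation, visit: https://
To send feedback on this document, e-mail: *************************
Hillstone Networks (山石网科)
https://
TWNO: TW-WUG-WAF-2.8.3-CN-V1.0-11/19/2021
Contents
Welcome
Getting Started; Accessing the WebUI; Installation Wizard; Configuring the Deployment Mode/Interfaces; Default Site Configuration; Configuring DNS; Configuring the System Time; Initial Configuration; Installing a License; Creating a System Administrator; Creating a Trusted Host; Upgrading the System Version; Signature Database Upgrade; Restoring Factory Configuration
Deployment Modes; Inline Mode; Network Topology of Inline Mode; Preparation; Configuration Steps; FAQ (Q&A); Reverse Proxy Mode; Network Topology of Reverse Proxy Mode; Preparation; Configuration Steps; FAQ (Q&A); One-Arm Mode; Network Topology of One-Arm Mode; Preparation; Configuration Steps; FAQ (Q&A); Traction Mode; Network Topology of Traction Mode; Preparation; Configuration Steps; FAQ (Q&A); Monitoring Mode; Network Topology of Monitoring Mode; Preparation; Configuration Steps; FAQ (Q&A)
Appendix; Format Requirements and Conversion Methods for SSL/TLS Certificates and Keys; Format Requirements; Key Format Conversion Methods; Certificate Format Conversion; I. On Linux; II. On Windows
Home; Attack Severity; Top 10 Attacked Sites; Attack Sources; Threat Event Types; Site Tampering Alerts; System Overview; Web Application Security Screen Projection Mode
Sites; Site Configuration; Searching Sites; Viewing Overview Information; Viewing Threat Details; Viewing Web Page Change History; Whitelist; Blacklist; Exception Rules; Site Configuration; Viewing the Self-Learning Model; Viewing the Machine Traffic Analysis Report; External Link Rewriting; Creating/Configuring a Site; Configuring More Site Protection Features; Configuring Site Acceleration; Using Static Resource Caching; Using Connection Multiplexing; Packet Compression Configuration; Configuring Web Page Anti-Tampering; Enabling Health Checks; Customizing Error Pages; Configuring Site Load Balancing; Configuring Site Self-Learning; Configuring Self-Learning; Viewing the Self-Learning Model; URL Details; Cookie Details; Machine Traffic Analysis; Configuring the Machine Traffic Analysis Service; Viewing the Device Fingerprint Reputation Table; Viewing the Machine Traffic Analysis Report; External Link Rewriting; Configuring External Link Rewriting; Global Site Configuration; Configuring the Global Whitelist; Configuring the Global Blacklist; Site Auto-Discovery; Configuring Site Auto-Discovery
Policies; Policy Types; Protection Rules; Updating Protection Rules; IP Protection Policies; Creating an IP Protection Policy; IP Lookup; Access Control Policies; Creating an Access Control Policy; API Protection Policies; Creating an API Protection Policy; Importing an OpenAPI File; Virtual Patch Policies; Creating a Virtual Patch Policy; Editing a Virtual Patch Policy; Security Policies; Creating a Security Policy; Self-Learning Policies; Creating a Self-Learning Policy; User Session Tracking Policies; Creating a User Session Tracking Policy; Content Rewriting Policies; Creating a Content Rewriting Policy; Protection Rules; Predefined Rules; Rule Search; User-Defined Rules
Threat Protection; Network Security Protection; ICMP Flood and UDP Flood Attacks; ARP Spoofing Attacks; SYN Flood Attacks; WinNuke Attacks; IP Address Spoofing (IP Spoofing) Attacks; Address Scanning and Port Scanning Attacks; Ping of Death Attacks; Teardrop Attack Protection; Smurf Attacks; Fraggle Attacks; Land Attacks; IP Fragment Attacks; IP Option Attacks; Huge ICMP Packet Attacks; TCP Flag Anomaly Attacks; DNS Query Flood Attacks; TCP Split Handshake Attacks; Configuring Attack Protection
Monitoring; Hot Threat Intelligence; Hot Threat Intelligence Display
Reports; Report Summary; Custom Tasks; Creating a Custom Task; Quick Tasks; Generating Report Files
Logs; Log Severity Levels; Log Output Destinations; Log Message Format; Event Logs; Network Logs; Configuration Logs; NAT Logs; Web Access Logs; Web Page Event Logs; Web Page Security Logs; Logs; Intelligent Log Analysis; Log Analysis Reports; IP Protection Logs; Access Control Logs; API Protection Logs; Network Security Logs; Anti-Tampering Logs; Self-Learning Model Violation Logs; Log Management; Configuring Log Information; Log Configuration Options; Log Server Configuration; Creating a Log Server; Web Mail Configuration; Device Name Configuration; SMS Configuration
Objects; Service Book; Predefined Services and Predefined Service Groups; Custom Services; Custom Service Groups; Address Book; Creating an Address Book Entry; Viewing Address Book Entry Details; Configuring the Service Book; Configuring Custom Services; Configuring Custom Service Groups; Viewing Service Entry Details; Monitored Objects; Creating a Monitored Object; Schedules; Periodic Schedule; Absolute Schedule; Creating a Schedule
Network Connections; Security Zones; Configuring Security Zones; Interfaces; Configuring Interfaces; Creating a Virtual Forward Interface; Creating a Loopback Interface; Creating an Aggregate Interface; Creating an Ethernet Sub-Interface/Aggregate Sub-Interface; Editing a VSwitch Interface; Editing an Ethernet Interface/HA Interface; Interface Groups; Creating an Interface Group; MGT Interface; Configuring the MGT Interface; Creating a Virtual Forward Interface; DNS; Configuring DNS Servers; Resolution Configuration; Virtual Wire; Configuring Virtual Wire; Virtual Routers; Creating a Virtual Router; Virtual Router Global Configuration; Configuring Multiple Virtual Routers; Multi-Virtual-Router Mode Configuration Example; Virtual Switches; Creating a Virtual Switch; Configuring Destination Routes; Creating a Destination Route; Global Network Parameters; Bypass Configuration; NAT; Basic NAT Translation Process; NAT Functions of the Device; Configuring Source NAT; Enabling/Disabling NAT Rules; Copying/Pasting Source NAT Rules; Adjusting Priority; Hit Count; Clearing the Hit Count; Hit Count Check; Configuring Destination NAT; Configuring IP-Mapping Destination NAT; Configuring Port-Mapping Destination NAT; Advanced Configuration of NAT Rules; Enabling/Disabling NAT Rules; Adjusting Priority; Hit Count; Clearing the Hit Count; Hit Count Check
System Management; System Information; Viewing System Information; Global Configuration; Global Parameter Configuration; Custom Error Page Management; AAA Servers; Configuring a Radius Server; Configuring a TACACS+ Server; Device Management; Administrators; Creating an Administrator; Changing the Default Administrator Password; Trusted Hosts; Creating a Trusted Host; Management Interface; System Time; Setting the System Time; Setting NTP; NTP Keys; Creating an NTP Key; Settings and Operations; Restarting the System; System Debugging Information; Configuration File Management; Backing Up/Restoring Configuration Files; SNMP; Configuring the SNMP Agent; Creating an SNMP Host; Trap Hosts; V3 User Groups; V3 Users; Upgrade Management; Version Upgrade; Signature Database Upgrade; Information Database Upgrade; WAF Historical Data Upgrade; Licenses; Applying for a License; Installing a License; Configuring the Mail Server; Configuring the Mail Server; SMS Sending Parameters; SMS Modem Device Status; Authentication SMS Sending Parameters; SMS Test; Centralized Management; HSM Application Scenarios; Centralized Management; PKI; Creating a PKI Key; Creating a Trust Domain; Importing and Exporting Trust Domain Information
Analysis and Diagnostics; Test Tools; DNS Query; Ping; Traceroute; Curl; Diagnostic Packet Capture; Configuring Diagnostic Packet Capture; Diagnostic Files
High Availability; Basic HA Concepts; HA Cluster; HA Group; HA Node; HA Group Interfaces and Virtual MAC; HA Election; HA Synchronization; Configuring HA
Scanning; Scan Tasks; Creating a Scan Task; Starting/Stopping/Deleting Scan Tasks; Scan Reports; Scan Reports; Externally Imported Reports; Importing an External Scan Report; Adding/Editing a Virtual Patch Policy
Welcome
Thank you for choosing Hillstone Networks products! The following content helps you understand how to operate the Hillstone Networks Web application firewall (WAF) products:
Typical cases
- Web Application Firewall Configuration Case Manual (PDF download)
Web Application Firewall (WAF)
- "Web Application Firewall WebUI User Manual" (PDF download)
- "Web Application Firewall CLI Command Line Manual" (PDF download)
- "Web Application Firewall Hardware Reference Guide" (PDF download)
- "Web Application Firewall Log Message Reference Guide" (PDF download)
- "Web Application Firewall SNMP Private MIB Reference Guide" (PDF download)
Virtual Web Application Firewall
- "vWAF WebUI User Manual" (PDF download)
- "vWAF Deployment Manual" (PDF download)
Domestic-platform Web Application Firewall
- "WAF Domestic Models Hardware Reference Guide" (PDF download)
- "WAF Domestic Models Expansion Module Reference Guide" (PDF download)
You can get more product information at the following sites:
- Official website:
- Technical documentation:
- Technical support: 400-828-6655
Getting Started
This getting-started guide helps users bring the device online quickly and mainly covers the following:
- Accessing the WebUI
- Installation Wizard
- Initial Configuration
- Restoring Factory Configuration
Accessing the WebUI
The device's ethernet0/0 interface has the default IP address 192.168.1.1/24, and both SSH and HTTPS management are enabled on that interface.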
[Deployment diagram labels: Transparent Inspection or True Transparent Proxy; Offline Mode or Reverse Proxy]

• Multiple deployment options
Transparent Inspection and True Transparent Proxy, Reverse Proxy and Offline allow you to fit FortiWeb into any environment.
• Auto-Learn Security Profiling
Automatically and dynamically build a security model of protected applications by continuously monitoring real time user activity. Eliminate the need for manual configuration of security profiles.
• Authentication Offload
Offload your web server authentication to the FortiWeb platform while supporting different authentication schemes such as Local, LDAP, NTLM and Radius.
• Policy wizard and pre-defined policies
Allows for one click deployments and greatly eases the process of policies creation.
• High Availability
The high availability mode provides configuration synchronization and allows for a network-level fail-over in the event of unexpected outage events. Integrated bypass interfaces provide additional fail open capability for single box deployments.
• Virtualization
Provides a Virtual Appliance for VMware ESX and ESXi 3.5/4.0/4.1 platforms mitigating blind spots in virtual environments.
• Application Layer Vulnerability Protection
Provide out of the box protection for the most complex attacks such as SQL Injection, Cross Site Scripting, CSRF and many others. Together with the Auto Learn profiling system and advanced abilities, FortiWeb is able to create rules down to the single application element.
• Data Leak Prevention
Extended monitoring and protection for credit card leakage and application information disclosure by tightly monitoring all outbound traffic. Allow customers to create their own granular signatures and DLP patterns together with predefined rules for any type of events.
• Application Support
Streamlined monitoring and protection for well-known applications and protocols such as Microsoft Exchange, SharePoint, ActiveSync and RPC over HTTP.
• Anti Web Defacement
Unique capabilities for monitoring protected applications for any defacement and ability to automatically and quickly revert to stored version.
• Vulnerability Assessments
Automatically scans and analyzes the protected web applications and detects security weaknesses, potential application known and unknown vulnerabilities to complete a comprehensive solution for PCI DSS.
• HTTP RFC Compliance Validation
FortiWeb blocks any attacks manipulating the HTTP protocol by maintaining strict RFC standards to prevent attacks such as encoding attacks, buffer overflows and other application specific attacks.
• Antivirus
Scan file uploads using Fortinet’s Antivirus engine with regular FortiGuard updates.
• PCI DSS compliance
FortiWeb is the only product that provides a Vulnerability Scanner module within the web application firewall that completes a comprehensive solution for PCI DSS requirement 6.6.
• Protects against OWASP top 10
Incorporating a positive and a negative security module based on bidirectional traffic analysis and an embedded behavioral based anomaly detection engine FortiWeb fully protects against the OWASP TOP 10.
• FortiGuard Labs
Utilizing Fortinet’s renowned FortiGuard service FortiWeb customers get up to date dynamic protection from the Fortinet Global Security Research Team, which researches and develops protection against known and potential application security threats.
• Application Aware Load Balancing
Intelligent, application aware layer 7 load balancing eliminates performance bottlenecks, reduces deployment complexity and provides seamless application integration.
• Data Compression
Allows efficient bandwidth utilization and response time to users by compressing data retrieved from servers.
• SSL Offload
With the integration of award winning FortiASIC™ technology, FortiWeb is able to process tens of thousands of web transactions by providing hardware accelerated SSL offloading.

FortiWeb Protects Against a Wide Range of Attacks
Cross Site Scripting, SQL Injection, Session Hijacking, Cookie Tampering/Poisoning, Cross Site Request Forgery, Command injection, Remote File Inclusion, Forms Tampering, Hidden Field Manipulation, Outbound Data Leakage, HTTP Request Smuggling, Remote File Inclusion, Encoding Attacks, Broken Access Control, Forceful Browsing, Directory Traversal, Site Reconnaissance, Search Engine Hacking, Brute Force Login, Access Rate Control, Schema Poisoning, XML Parameter Tampering, XML Intrusion Prevention, WSDL Scanning, Recursive Payload, External Entity Attack, Buffer Overflows, Denial of Service.

FortiWeb Auto-Learn Profiling
The Auto-Learn profiling capability is completely transparent and does not require any changes to the application or network architecture. FortiWeb does not scan the application in order to build the profile, but rather analyzes the traffic as it monitors it flowing to the application. By creating a comprehensive security model of the application FortiWeb can now protect against any known or unknown vulnerabilities, zero day attacks.

Analyze user geographic location and web site access based on Hit, Data and Attack vectors.

Copyright© 2012 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, and FortiGuard®, are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
GLOBAL HEADQUARTERS: Fortinet Incorporated, 1090 Kifer Road, Sunnyvale, CA 94086 USA. Tel +1.408.235.7700 Fax +1.408.235.7737 /sales
EMEA SALES OFFICE – FRANCE: Fortinet Incorporated, 120 rue Albert Caquot, 06560, Sophia Antipolis, France. Tel +33.4.8987.0510 Fax +33.4.8987.0501
APAC SALES OFFICE – SINGAPORE: Fortinet Incorporated, 300 Beach Road 20-01, The Concourse, Singapore 199555. Tel: +65-6513-3734 Fax: +65-6295-0015
FWEB-DAT-R12-201206
FST-PROD-DS-FWEB
ESXi 4.1 with 3GB of vRAM assigned to the 4 vCPU and 8 vCPU FortiWeb Virtual Appliance and 1GB of vRAM assigned to the 2 vCPU FortiWeb Virtual Appliance.
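The WEB application protection system is a new-generation security product with independent intellectual property rights.
As a gateway device it protects WEB servers. Its design goal is to scan for, protect against and diagnose security vulnerabilities, attack techniques and the end results of attacks, providing a comprehensive WEB application security solution.
Below we look at the content of the WEB application protection system manual; we hope it helps.
I. High-performance kernel processing
The system uses internationally leading multi-core network processor technology. Through a self-developed secure operating system it schedules the multi-core processors effectively and gets the most performance out of them.
II. Integrated security protection
The comprehensive WEB protection integrates a WEB vulnerability detection module and a web page anti-tampering module. Through the security gateway it can monitor and block mainstream WEB attacks such as SQL injection and XSS cross-site scripting coming from both the internal and the external network, and effectively withstands DDOS attacks.
The anti-tampering module can be installed on the corresponding windows, linux and unix systems so that web pages are not tampered with.
III. WEB vulnerability detection module
WEB application security problems arise because security weaknesses left behind during the development of WEB applications are exploited by attackers.
This is mainly because the WEB developed too quickly: more thought went into delivering services fast, and the security problems already faced in traditional software engineering were often neglected.
As a result, many applications on the WEB have not gone through the careful checking and complete handling process that traditional software development requires.
IV. Multi-dimensional protection system
The WEB application protection system applies an advanced multi-dimensional protection system. Based on broad and in-depth research into WEB application attacks, it builds in a dedicated signature rule base for WEB application protection and implements effective protection mechanisms against the main WEB application attack techniques currently seen in China, covering traditional attacks (buffer overflows, CGI scanning, directory traversal and so on) as well as newer techniques such as SQL injection and cross-site scripting.
V. Web page anti-tampering module
The WEB application protection system includes a carefully developed protection module aimed specifically at website tampering attacks. Its main function is to give the WEB site directories all-round protection through low-level file driver technology and to provide dynamic protection through URL attack filtering, preventing attackers, viruses and the like from illegally tampering with or destroying any type of file in the directories, such as web pages, electronic documents, images and databases.
VI. Unified management and monitoring platform
The comprehensive protection system of the WEB application protection system provides a unified management platform. Through it, the WEB security gateway, anti-tampering, the software-edition WEB security gateway, extended DDOS and subordinate unified supervision platforms can be managed, and the WEB security gateway can in turn manage anti-tampering.
The unified management platform supports up to 8 levels of management.
VII. Practical WEB load balancing
As the number of user visits grows rapidly, network access rises sharply and creates network bottlenecks, so the existing servers need load balancing.
To keep the load evenly distributed across the servers and to split user traffic sensibly, a server load balancing device is needed to balance the load across the WEB servers.
The above is an introduction to the content of the WEB application protection system manual, offered only as a reference for those who need it.
Market research finds that 南京铱迅信息技术股份有限公司 (Nanjing Yxlink Information Technology Co., Ltd.) is a Chinese high-tech company specializing in network security and services.
It has branches in more than 20 provinces and cities across the country. With a strong sense of national responsibility and mission, it develops independently and works to innovate, takes "making the network safer" as its philosophy and "making customers safer" as its duty, and is committed to becoming a company with major influence in the network security field.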