Configuration

The System Configuration page includes the sections described below.

To go to the documentation for the previous section of System, see Clustering. To go to the documentation for the next subsection in the System section, see Information.

To access the Configuration page in the WAF management interface, on the left panel, under System, click Configuration.

To save configuration changes or edits you make to any features and options, you must click Save on the lower-right of the section or page where you are making changes. Then click Apply changes on the upper-left corner of the page and click OK. Your changes are not stored unless you save and apply them in this way.

Network

Basic network configuration is performed in this section. Any changes made to this section are applied and saved by clicking the Save button.

Hostname

Input field

Domain name of the Alert Logic Managed Web Application Firewall (WAF), also referred to as Web Security Manager.

Valid input

Fully qualified domain name.

Input example

proxy.mydomain.com

Default value

None

Nickname

Input field

The nickname to use when listing the WAF instance in the Fortra console.

Valid input

Text string

Input example

mydomain-WAF

Default value

None

SMTP server

Input field

SMTP server hostname or IP address.

The SMTP server is used for sending alert emails to the contact email address specified under Admin contact.

SMTP server is not required.

Valid input

IP address or fully qualified domain name

Input example

smtp.mydomain.com

Default value

None

NTP server(s)

Input field

IP address or domain name of the NTP server(s).

Valid input

IP address or fully qualified domain name

Input example

192.168.0.1

time.google.com

Default value

None

Network gateways

Network gateways for IPv4 and IPv6.

IPv4 (default)

Input field

IP address of the default IPv4 gateway.

Valid input

Assigned IP address must be in the same network subnet as the IP address of one of the physical network interfaces.

Input example

192.168.0.1

Default value

None

Default Gateway

Input field

IP address of the default IPv6 gateway.

Valid input

Assigned IP address must be in the same network subnet as the IP address of one of the physical network interfaces.

Input example

fe80::1

Default value

None

Domain Name System (DNS)

Configure name resolution.

Fortra WAF supports DNSSEC and DNS over TLS (DoT) to meet requirements for encrypted and/or validated name resolution.

DNSSEC

DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and prevent spoofing, but does not encrypt queries.

When DNSSEC is enabled, DNS servers that are not DNSSEC-enabled or cannot be validated are not configurable. Name resolution is handled by a local, recursively validating DNSSEC resolver.

DNS over TLS (DoT)

Encrypts DNS queries and responses using TLS over TCP (port 853), preventing eavesdropping and tampering. Improves privacy and integrity compared to traditional plaintext DNS.

When enabled, DNS queries are encrypted.

DNS Server(s)

Input field

IP address of one or more DNS servers.

Valid input

IPv4 address

Use a space character to separate multiple hosts (only one is required).

Input example

4.4.4.4 8.8.8.8

Static routes

Define static routes.

Click Add new route and enter route information for each route you want to add.

When routes are entered click Save settings in lower button bar to save.

Destination

Input field

The route destination.

Enter first IP address of destination network.

Valid input

A valid IP address.

Input example
  1. 192.168.5.0

  2. 192.168.6.8

  3. 192.168.7.10

Default value

None

Subnet

Input field

Network mask of the destination IP address.

Valid input

A valid network mask

Input example
  1. 255.255.255.0

  2. 255.255.255.248

  3. 255.255.255.255

Default value

None

Gateway

Input field

IP address of the gateway through which the destination can be reached.

Valid input

An IP address of a gateway which is directly reachable by the Web Security Manager node.

Input example
  1. 192.168.0.4

  2. 192.168.0.5

  3. 192.168.0.6

Default value

None

The examples above would result in:

  1. Access to IP addresses 192.168.5.0-255 (192.168.5.0/24) is routed through the gateway 192.168.0.4.

  2. Access to IP addresses 192.168.6.8-16 (192.168.6.8/29) is routed through the gateway 192.168.0.5.

  3. Access to IP address 192.168.7.10 (192.168.7.10/32) is routed through the gateway 192.168.0.6.
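The following Python script is an added example, not part of the Fortra documentation. It converts each destination/netmask pair above into CIDR form, lists the exact first and last address the route covers, and checks the rule stated under Gateway: the gateway must lie in the on-link subnet of one of the node's interfaces. The two interface addresses in INTERFACES are assumed for the example.

```python
import ipaddress

# Constructed sample data, not from the page: two hypothetical interface
# addresses on the WAF node and the three routes from the examples above.
INTERFACES = ["192.168.0.10/24", "10.0.0.10/24"]
ROUTES = [
    ("192.168.5.0", "255.255.255.0", "192.168.0.4"),
    ("192.168.6.8", "255.255.255.248", "192.168.0.5"),
    ("192.168.7.10", "255.255.255.255", "192.168.0.6"),
]


def route_to_network(destination, subnet):
    """Combine a destination address and dotted netmask into a CIDR network.

    strict=True rejects a destination with host bits set (e.g. 192.168.5.1
    with mask 255.255.255.0), which is the most common entry mistake.
    """
    return ipaddress.ip_network(f"{destination}/{subnet}", strict=True)


def gateway_is_reachable(gateway, interfaces):
    """True if the gateway lies in the on-link subnet of one of the interfaces."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_interface(i).network for i in interfaces)


def describe_route(destination, subnet, gateway, interfaces=INTERFACES):
    """Summarise one route: CIDR form, first/last address and gateway status."""
    net = route_to_network(destination, subnet)
    return {
        "network": str(net),
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "gateway": gateway,
        "gateway_on_link": gateway_is_reachable(gateway, interfaces),
    }


def validate_routes(routes, interfaces=INTERFACES):
    """Return a list of problems; an empty list means the table is consistent."""
    problems = []
    for dest, mask, gw in routes:
        try:
            route_to_network(dest, mask)
        except ValueError as exc:
            problems.append(f"{dest}/{mask}: {exc}")
            continue
        if not gateway_is_reachable(gw, interfaces):
            problems.append(
                f"{dest}/{mask}: gateway {gw} is not on any interface subnet"
            )
    return problems


if __name__ == "__main__":
    for route in ROUTES:
        print(describe_route(*route))
    print("problems:", validate_routes(ROUTES))
```

Running the script prints the three routes with their exact address ranges and an empty problem list; changing a gateway to an address outside every interface subnet, or entering a destination with host bits set, produces a corresponding entry in the list.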

Date and Time

This section is used to configure time synchronization via NTP (Network Time Protocol).

It is strongly advised to configure an NTP server to have the correct date and time set on the system.

It is recommended to configure an internal NTP server. If one is not available, a well-known public NTP server can be used (time.nist.gov).

Timezone

Drop-down list

Timezone information.

Select the system's timezone from the drop-down list.

Default value

Europe/Copenhagen

Date format

Drop-down list

Display dates in logs and reports in Month-Day-Year or Day-Month-Year format.

Select the date format from the drop-down list.

Default value

Month-Day-Year

Logging to external host

Logs in System > Logs can be sent to an external syslog server.

Enable logging to external syslog

Checkbox

Enable or disable logging to an external syslog server.

Syslog port

Input field

External syslog server listen port.

Syslog protocol

Drop-down list

Protocol for sending logs to the remote syslog server.

Select a protocol from the drop-down list.

Options

TCP/TLS (encrypted, untrusted) – TCP connection, TLS encrypted without certificate validation

TCP/TLS (encrypted) – TCP connection, TLS encrypted with certificate validation

UDP (unencrypted) – UDP connection and state-less, logs are sent in cleartext format

Default value

UDP (unencrypted)

Threshold

Drop-down list

Define what logs get sent by syslog level.

Select syslog level from the drop-down list.

Options

Syslog levels LOG_DEBUG.. LOG_CRIT

Default value

LOG_NOTICE
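As an added example (not code from Fortra or the page), the Python below shows what the Threshold and Syslog protocol settings above mean in practice: a severity filter run over a few constructed records, the RFC 5424 priority value a forwarder would compute, and the difference between the two TLS options expressed as Python ssl contexts. The facility number, hostname and record contents are constructed for the example.

```python
import ssl

# RFC 5424 syslog severities: a LOWER number is MORE severe, so a threshold of
# LOG_NOTICE forwards NOTICE, WARNING, ERR, CRIT, ALERT and EMERG, not INFO/DEBUG.
SEVERITY = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRIT": 2, "LOG_ERR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}

# Constructed sample records, not taken from a real WAF log.
SAMPLE_RECORDS = [
    {"level": "LOG_CRIT", "msg": "disk /var at 97%"},
    {"level": "LOG_NOTICE", "msg": "STATE TRANSITION backup > master"},
    {"level": "LOG_INFO", "msg": "configuration saved"},
    {"level": "LOG_DEBUG", "msg": "ntp poll ok"},
]


def passes_threshold(level, threshold="LOG_NOTICE"):
    """Forward a message only if it is at least as severe as the threshold."""
    return SEVERITY[level] <= SEVERITY[threshold]


def filter_for_forwarding(records, threshold="LOG_NOTICE"):
    """Keep the records that the configured threshold would send to syslog."""
    return [r for r in records if passes_threshold(r["level"], threshold)]


def format_syslog(record, facility=16, hostname="waf1", app="wsm"):
    """Build an RFC 5424 line; PRI is facility * 8 + severity (16 = local0).

    The timestamp, PROCID, MSGID and structured-data fields are left as the
    NIL value '-' to keep the example independent of the clock.
    """
    pri = facility * 8 + SEVERITY[record["level"]]
    return f"<{pri}>1 - {hostname} {app} - - - {record['msg']}"


def tls_context_for(protocol):
    """Map the drop-down options to a client TLS context (None for UDP).

    'TCP/TLS (encrypted, untrusted)' encrypts the stream but skips certificate
    validation, so a host that intercepts the connection and presents a
    certificate of its own can read the logs. Prefer 'TCP/TLS (encrypted)'
    whenever the syslog server's certificate chain can be validated by the WAF.
    """
    if protocol == "UDP (unencrypted)":
        return None
    ctx = ssl.create_default_context()  # validates chain and hostname by default
    if protocol == "TCP/TLS (encrypted, untrusted)":
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    elif protocol != "TCP/TLS (encrypted)":
        raise ValueError(f"unknown syslog protocol option: {protocol}")
    return ctx


if __name__ == "__main__":
    for rec in filter_for_forwarding(SAMPLE_RECORDS):
        print(format_syslog(rec))
```

The "untrusted" option is best read as a stop-gap: it hides log contents from passive observers only, while "TCP/TLS (encrypted)" also binds the log stream to a server whose certificate the WAF can validate.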

Logging to external server

Export deny logs to AWS S3.

When enabled, deny logs are written every 60 seconds to the configured S3 destination.

Export deny logs to S3

Checkbox

Enable or disable exporting deny logs to S3.

Format

Drop-down list

Logs can be written as JSON or JSON lines.

Select the format from the drop-down list.

Default value

JSON

Bucket

Input field

S3 bucket to write to.

The bucket must exist and be writable by the role or key specified in AWS credentials.

Region

Input field

AWS region

Prefix

Input field

S3 prefix ("folder") under which files are stored.

AWS credentials

Configure the authentication method and credentials for accessing the AWS environment. This is required for functionality such as DDoS protection and writing data to S3.

Delegated IAM role and static credentials (key-based access) are supported.

Use delegated IAM role

Checkbox

When enabled, the WAF will use the delegated IAM role specified in the AWS instance profile.

IAM role and key-based access are mutually exclusive. Selecting this checkbox will disable the AWS access key ID and AWS secret access key input fields.

AWS access key ID

Input field

AWS access key

AWS secret access key

Input field

AWS access key secret

Azure service principal credentials

Subscription ID

Input field

The Subscription ID is the unique identifier of an Azure subscription, represented as a GUID.

It specifies which subscription the configuration or service will operate in.

Example: 12345678-90ab-cdef-1234-567890abcdef.

Tenant ID

Input field

The Tenant ID is the unique identifier of the Azure Active Directory (AAD) tenant.

It identifies the directory where the service principal is registered.

Example: abcdef12-3456-7890-abcd-ef1234567890.

Application ID

Input field

The Application ID, also referred to as the Client ID, is the identifier of the Service Principal (the app registration in AAD).

It specifies which application is used for authentication.

Example: fedcba98-7654-3210-fedc-ba9876543210.

Secret

Input field

The Secret, also known as the Client Secret, functions like a password for the Service Principal.

It is used together with the Application ID to authenticate and obtain an OAuth token.

Third-party CAPTCHA credentials

Fortra WAF supports integration with third-party CAPTCHA services as an alternative to its built-in CAPTCHA functionality.

To enable this integration, specific credentials must be provided to authenticate and authorize the WAF with the chosen CAPTCHA service.

Google reCAPTCHA v2 (checkbox)

Site key

Input field

The Site Key is a public key used on the client side (in the HTML or JavaScript) to render the CAPTCHA widget and validate user interaction.

Secret key

Input field

The Secret Key is a private key used on the server side to verify the CAPTCHA response with Google’s API.

hCaptcha (checkbox)

Site key

Input field

The Site Key is a public key used on the client side to display the hCaptcha widget and collect user responses.

Secret key

Input field

The Secret Key is a private key used on the server side to validate the CAPTCHA response with the hCaptcha verification endpoint.

SNMP

Configure threshold level and address of external Syslog server.

Enable SNMP queries

Checkbox

Enable or disable SNMP daemon.

If checked, Web Security Manager will accept SNMP queries on the first of the IP addresses to which management is bound.

Public community

Input field

Public community password.

The read-only community password.

Valid input

Any string

Input example

wdbhhaiedb

Default value

public

System location

Input field

Information about the system.

Valid input

Any string

Input example

Facility 1, Server room 1

Default value

none

Listening on

Read only

If SNMP is enabled, displays the IP address the SNMP daemon is listening on.

Admin contact

Update notifications, attack alerts and system errors can be sent by email to the admin contact email address.

Contact

Input field

Email address of the administrative contact.

All alert emails and notifications are sent to this address.

You need to define an SMTP server before any emails are sent.

Valid input

Email address

Input example

admin@mydomain.com

Default value

admin@mydomain.com

Sender domain

Input field

The email address domain.

If not configured it will be extracted from the contact email.

Valid input

a valid domain

Input example

mydomain.com

Default value

extracted from contact

Email system alerts

Critical events or conditions are logged both locally and to external syslog server (if enabled). However if an external syslog server is not available (or is not monitored) a subset of (potentially) critical alerts can be sent to the designated admin contact email.

Email system error messages to admin contact

Checkbox

Enable or disable sending of error messages altogether.

If checked, selected alert types will be sent.

Disk and memory

Checkbox

If checked, disk and memory related errors at log level ERROR and CRITICAL will be sent.

Cluster interface events

Checkbox

If checked, cluster interface related errors at log level ERROR and CRITICAL will be sent.

The most common cluster interface event is STATE TRANSITION which, when sent by the worker node in a cluster, indicates that the master node is either down (backup > master) or has resumed operation (master > backup).

When the nodes in a cluster are powered on/off or rebooted state transition messages are also logged to the syslog error log and may generate email alerts.

Administrative daemons

Checkbox

If checked, any error at log level ERROR and CRITICAL from administrative daemons will be sent.

Forward HTTP proxy

Configure forward proxy to be used by the update system when connecting to the update server.

Use proxy for outbound HTTP

Checkbox

Enable or disable the configured forward proxy.

Proxy address

Input field

The address of the forward proxy

Valid input

A valid IP address.

Input example

10.10.10.5

Default value

None

Proxy port

Input field

Proxy port number

Valid input

A TCP/IP port number

Input example

8080

Default value

none

Forward proxy authentication required

Checkbox

Enable if forward proxy requires authentication.

Username

Input field

User name used for authenticating to the Proxy.

Valid input

A valid username

Input example

wsm1

Default value

none

Password

Input field

Password to authenticate the proxy user.

Backup configuration

This section is used to configure an FTP/SCP server used for automated configuration backup/restore of Web Security Manager configuration.

FTP configuration

FTP server

Input field

FTP hostname or IP address.

Valid input

IP address or fully qualified domain name

Input example

ftp.mydomain.com

Default value

None

FTP port

Input field

FTP server port number

Valid input

A TCP/IP port number

Input example

21

Default value

21

Login

Input field

Username used for login.

FTP account used must be able to store files on the remote FTP server.

Valid input

A valid username

Input example

wsm_backup

Default value

none

Password

Input field

Password used for SCP login.

Valid input

Any string.

A long password is recommended, as it does not have to be memorized by humans.

Input example

s984ROf.dds&fdsfs)afa8343287

Default value

none

Remote directory

Input field

Full path to directory on FTP server used for storing Web Security Manager related files.

Valid input

A directory path ending with /

Input example

/ftp/wsm/

Default value

none

SCP configuration

SCP server

Input field

SCP hostname or IP address.

Valid input

IP address or fully qualified domain name

Input example

ftp.mydomain.com

Default value

None

SCP port

Input field

SCP server port number

Valid input

A TCP/IP port number

Input example

21

Default value

21

Login

Input field

Username used for login.

SCP account used must be able to store files on the remote SCP server.

Valid input

A valid username

Input example

wsm_backup

Default value

none

SCP key

Button

Click Download Web Security Manager Public SCP Key to download key used for authentication.

Make sure to add this key to the authorized keys list on the remote server.

Remote directory

Input field

Full path to directory on SCP server used for storing Web Security Manager related files.

Valid input

A directory path ending with /

Input example

/scp/wsm/

Default value

none

Auto-backup

Auto-backup, if enabled, is performed daily at 03:00 AM based on your current timezone settings.

Access logs and configurations can be backed up to an external source. Configurations, which include certificates and other secrets, can only be backed up if one or both SCP options are selected.

Enable FTP HTTP access logs auto-backup

Checkbox

Enable or disable FTP auto-backup of access logs.

Enable SCP HTTP access logs auto-backup

Checkbox

Enable or disable SCP auto-backup of access logs.

Enable SCP configuration auto-backup

Checkbox

Enable or disable SCP auto-backup of system and proxy (website security profiles) configurations.

Management user password requirements

Manage password requirements, session and login restrictions, and SSL certificate.

Defaults depend on whether the WAF instance is locked down to StateRAMP mode.

Minimum length

Input field

Minimum password length in number of characters

Valid input

Number in the interval 6 to 64

Default value

Default: 8

StateRAMP: 12

Letter characters required

Checkbox

Require one or more letter characters, a-z + international.

Default value

Default: On

StateRAMP: On

One or more digits (0-9) required

Checkbox

Require one or more digits.

Default value

Default: Off

StateRAMP: On

Combination of upper and lower case required

Checkbox

Require a combination of uppercase and lowercase characters.

Default value

Default: Off

StateRAMP: On

Non alphanumeric characters required

Checkbox

Require one or more special (non-alphanumeric) characters.

Default value

Default: Off

StateRAMP: On
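The checker below is an added example, not Fortra's implementation. It encodes the two default profiles listed above and returns, for a candidate password, every requirement it fails; the profile names and message wording are this example's own.

```python
# Policy profiles with the default values listed above (minimum length,
# letters, digits, mixed case, special characters).
PROFILES = {
    "Default":   {"min_length": 8,  "letters": True, "digits": False,
                  "mixed_case": False, "special": False},
    "StateRAMP": {"min_length": 12, "letters": True, "digits": True,
                  "mixed_case": True, "special": True},
}

# The page says 0-9, so other Unicode digit characters do not count.
DIGITS = set("0123456789")


def check_password(password, policy):
    """Return the list of unmet requirements (an empty list means acceptable)."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append(f"shorter than {policy['min_length']} characters")
    # str.isalpha() covers a-z plus international letters such as 'ø' or 'é'
    if policy["letters"] and not any(c.isalpha() for c in password):
        failures.append("no letter characters")
    if policy["digits"] and not any(c in DIGITS for c in password):
        failures.append("no digit (0-9)")
    if policy["mixed_case"] and not (
        any(c.isupper() for c in password) and any(c.islower() for c in password)
    ):
        failures.append("no combination of upper and lower case")
    if policy["special"] and not any(not c.isalnum() for c in password):
        failures.append("no non-alphanumeric character")
    return failures


def acceptable(password, profile="Default"):
    """True if the password meets every requirement of the named profile."""
    return check_password(password, PROFILES[profile]) == []


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3x", "Ølpasswørd!1"):
        for name in PROFILES:
            print(f"{name:9} {candidate!r}: {check_password(candidate, PROFILES[name]) or 'OK'}")
```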

Data anonymization

Data anonymization ensures that client-related log data is irreversibly obfuscated before being written to disk. This applies to all data, whether it is classified as Personally Identifiable Information (PII) or Protected Health Information (PHI), with specific exceptions.

To protect the feature from accidental disabling, its configuration can be permanently locked.

By complying with GDPR de-identification standards, the anonymization process fulfills some of the strictest global regulations for data protection. This ensures robust compliance and extends to jurisdictions with similar requirements.

The anonymization process is designed to render data completely and irreversibly anonymous. This removes it from the scope of GDPR, as outlined in Recital 26, ensuring that anonymized data is no longer tied to identifiable individuals.

For more information, see Fortra WAF Data Anonymization.

Enable Data Anonymization

Checkbox

Check to enable data anonymization.

When enabled, log data will be irreversibly obfuscated before being written to disk.

Source IP Masking

Drop-down list

Source IPs are anonymized by applying a netmask.

Options

Off – No source IP anonymization

/24 – Source IPs are reduced using a class C netmask – 10.11.12.13 becomes 10.11.12.0

/16 – Source IPs are reduced using a class B netmask – 10.11.12.13 becomes 10.11.0.0

/8 – Source IPs are reduced using a class A netmask – 10.11.12.13 becomes 10.0.0.0

Exceptions

Input fields

By default, all input elements that contain information specific to the client request are anonymized, regardless of whether information is confidential or not.

To preserve the semantic structure of the request and not sacrifice exploit or attack-related information, header and input parameter names, URL path, and violation specific strings are exempt from anonymization (see Fortra WAF Data Anonymization and Obfuscation method for more information).

If additional named request elements need to be exempt from anonymization, add them as exceptions in the Exceptions table.

Options

Item – Name of the input element

Example: User-Agent

Type – Type of input element

Example: Header

Log Data Export

Checkbox

Allow unredacted log data export.

When enabled, log data will be exported (e.g., S3 log exports) in its original form and prior to anonymization.
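As an added example that is not the product's own code, the Python below applies the Source IP Masking options above and shows how an Exceptions entry such as (User-Agent, Header) leaves one value untouched while other header and parameter values are replaced. The keyed-hash replacement, the type name Parameter, the key and the sample record are assumptions for this example; the product's real obfuscation method is described in the Fortra WAF Data Anonymization documentation, not here.

```python
import hashlib
import hmac
import ipaddress

# Drop-down options from the page mapped to prefix lengths.
MASKS = {"Off": None, "/24": 24, "/16": 16, "/8": 8}

# Constructed request record, not a real log entry.
SAMPLE_RECORD = {
    "src_ip": "10.11.12.13",
    "path": "/login",
    "headers": {"User-Agent": "Mozilla/5.0 (example)", "Cookie": "session=abc123"},
    "params": {"username": "alice", "password": "hunter2"},
    "violation": "SQL injection attempt in parameter username",
}


def mask_source_ip(ip, option):
    """Reduce a source IP with the selected netmask (Off keeps it unchanged)."""
    prefix = MASKS[option]
    if prefix is None:
        return ip
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def obfuscate(value, key):
    """One-way replacement for a value (assumed technique for this example).

    A keyed hash is used so that low-entropy values such as user names cannot
    be recovered simply by hashing guesses; the key is constructed here.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_record(record, ip_option="/24", exceptions=(), key=b"constructed-key"):
    """Apply IP masking and value obfuscation, honouring the Exceptions table.

    Header and parameter names, the URL path and the violation string are
    kept, as the text above states; values are replaced unless an exception
    of the form (item, type) lists them. 'Parameter' is an assumed type name.
    """
    exempt = set(exceptions)
    out = dict(record)
    out["src_ip"] = mask_source_ip(record["src_ip"], ip_option)
    out["headers"] = {
        name: val if (name, "Header") in exempt else obfuscate(val, key)
        for name, val in record["headers"].items()
    }
    out["params"] = {
        name: val if (name, "Parameter") in exempt else obfuscate(val, key)
        for name, val in record["params"].items()
    }
    return out


if __name__ == "__main__":
    print(anonymize_record(SAMPLE_RECORD, "/24", exceptions=[("User-Agent", "Header")]))
```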

External authentication

Fortra WAF supports Single Sign-On (SSO) and delegated authentication for the local WAF user interface by integrating with an external OAuth 2.0 provider. Authentication is delegated to the external identity system, but users must also exist in the WAF instance’s local user database with the same user ID to ensure proper authorization.

Configuration

Client ID

Input field

A unique identifier issued by the OAuth2 provider when the WAF is registered as a client application.

Used to identify the WAF during the authentication process.

Client Secret

Input field

A confidential key provided by the OAuth2 provider.

Acts like a password for the WAF to authenticate itself to the provider.

Redirect URI

Input fields

The callback URL where the OAuth2 provider sends the authorization code after the user logs in.

Must match the URI registered with the provider.

Authorization Server

Input field

The endpoint URL of the OAuth2 provider responsible for issuing tokens and handling authorization requests.

Typical integration workflow

  • Register the WAF as an application with your identity provider (e.g., Azure AD, Okta).
  • Obtain the Client ID and Client Secret.
  • Configure the Redirect URI to point back to the WAF.
  • Enter the Authorization Server URL (often something like https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize).
  • Create the corresponding user IDs in the WAF UI (System > Users).
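The Python below is an added example of the authorization-code exchange the workflow above configures; it is not the WAF's own implementation. It builds the authorization request from the Client ID, Redirect URI and Authorization Server, validates the state parameter on the callback, and applies the rule that the user must also exist locally. All URLs, identifiers and user names are constructed placeholders.

```python
import secrets
import urllib.parse

# Constructed values, not real endpoints, credentials or users.
AUTHORIZATION_SERVER = "https://login.example.test/common/oauth2/v2.0/authorize"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REGISTERED_REDIRECT_URI = "https://waf.example.test/oauth2/callback"
LOCAL_USERS = {"alice", "bob"}  # stand-in for the WAF's local user database


def build_authorization_url(redirect_uri, state=None, scope="openid profile"):
    """Return the URL the browser is sent to, plus the state the WAF must keep.

    The state value is random per login and is checked again on the callback,
    which is what stops a forged or replayed callback from being accepted.
    """
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZATION_SERVER}?{urllib.parse.urlencode(params)}", state


def redirect_uri_matches(registered, configured):
    """Exact comparison: a trailing slash or different scheme is a mismatch."""
    return registered == configured


def handle_callback(query_string, expected_state):
    """Validate the provider's callback and return the authorization code."""
    q = urllib.parse.parse_qs(query_string)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale or forged callback")
    if "error" in q:
        raise ValueError(f"provider returned error: {q['error'][0]}")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]


def authorize_local_user(user_id, local_users=LOCAL_USERS):
    """Delegated authentication is not enough: the same user ID must exist locally."""
    return user_id in local_users


if __name__ == "__main__":
    url, state = build_authorization_url(REGISTERED_REDIRECT_URI)
    print(url)
    print("code:", handle_callback(f"code=constructed-code&state={state}", state))
    print("alice authorized:", authorize_local_user("alice"))
```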

Anti-malware scanning and integrity checking

The anti-malware and integrity checking controls enable regular scanning of the WAF instances for the presence of malware or unauthorized changes to the system or supporting software configuration.

The controls are required for StateRAMP requirements compliance.

Anti-malware scanning

The anti-malware scanning control helps satisfy NIST 800-53 SI-3 requirements by implementing malicious code protection at system entry and exit points through periodic scans of the WAF instances’ file system.

  • WAF Manager and workers file systems are scanned every 24 hours
  • Malware definitions are updated prior to each scan
  • Malware detection alerts are escalated to the Fortra SOC immediately after scan completion when malicious code is detected

To fully meet the requirements of NIST 800-53 SI-3, file upload scanning must also be enabled in Policy > Protocol restrictions > File uploads allowed which in turn requires the Advanced Signatures engine to be enabled in Policy > Website global policy > Attack signatures usage.

Integrity checking

The integrity checking control helps satisfy the NIST 800-53 SI-7 requirements by running integrity verification tools to detect unauthorized changes to the system configuration as specified in the Oracle Linux 8 Security Technical Implementation Guide – MAC-2 Sensitive (as defined by the US Department of Defense).

  • Integrity scans run every 24 hours
  • Baseline is updated for every authorized change
  • Unauthorized changes are escalated to the Fortra SOC immediately after scan completion

StateRAMP Lockdown configuration

StateRAMP Lockdown ensures that the Fortra WAF managed service operates in full alignment with StateRAMP security requirements for environments handling state, local, and education (SLED) government data. This mode applies stricter configuration controls, enhanced monitoring, and compliance enforcement based on NIST SP 800-53 Rev. 5 standards, including:

  • Malicious Code Protection (SI-3) – Real-time and periodic scanning, signature updates, and alerting.
    • Configured in System > Configuration > Anti-malware scanning and integrity checking.
  • Integrity Verification (SI-7) – Automated checks for unauthorised changes, runtime page integrity, and cryptographic protections.
    • Configured in System > Configuration > Anti-malware scanning and integrity checking.
  • DNS Security
    • DNS over TLS (DoT) and DNSSEC to protect DNS queries and responses (SC-20, SC-21, SC-22).
    • Configured in System > Configuration > Anti-malware scanning and integrity checking > Domain Name System (DNS).
  • Multi-Factor Authentication (MFA)
    • Mandatory MFA for all user authentication to the WAF interface (IA-2(1), IA-2(2)).
    • Configured in System > Users.
  • FIPS 140-2 Validated Mode
    • Operation in cryptographic modules validated to FIPS 140-2 standards for encryption and key management (SC-12, SC-13, SC-28).
    • Configured in System > Configuration > FIPS 140-2 validated mode.

Lockdown mode guarantees that all WAF policies, logging, and integrated services meet or exceed StateRAMP authorization requirements, providing a secure and auditable environment for regulated data.

Except for DNS Security, the WAF cannot be locked down to StateRAMP until all required configurations are complete.

Exception option: NIST 800-53 SC-21 DNS resolution

If it is not possible to require DNSSEC for a specific WAF deployment, a justified exception can be made for this requirement.

In some deployment configurations, such as AWS autoscaling, requiring DNSSEC may be unenforceable (because DHCP provides the DNS server) or may prevent the WAF deployment from working correctly, since resolving domain names that are internal to the VPC does not support DNSSEC.

Furthermore, when DNSSEC is required, name servers that do not support DNSSEC cannot be configured. However, unsigned name server responses are still accepted because the WAF may need to resolve domain names for which the authoritative DNS server does not support DNSSEC.

System updates configuration

This configuration controls the timing and scheduling of operating system and supporting software updates for the WAF instance.

Delay

  • Function – Specifies the interval between update availability and installation.
  • Behavior
    • No delay > Updates install immediately when available.
    • Configured delay (in days) > Updates are deferred for the defined duration before installation begins.
  • Use Case – Delay can be applied to observe stability of updates before deployment.

Restrict Update Window

  • Function – Enables time-based constraints for update execution.
  • Configuration Parameters
    • Restrict update window checkbox activates scheduling logic.
    • Per-day configuration table:
      • Enable – Boolean flag for each day (Sunday–Saturday).
      • Start Time / End Time – Defines permissible update execution window for the selected day.
  • Behavior – Updates execute only within defined windows after the delay period expires. If no windows are configured, updates occur immediately after delay completion.
  • Execution Logic
    1. Update becomes available.
    2. Delay timer starts (if configured).
    3. After delay expires:
      1. If update windows are defined, installation occurs during next valid window.
      2. If no windows are defined, installation occurs immediately.
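As an added example (not Fortra code), the function below implements the execution logic above: the delay is applied first, then the first enabled window on or after that moment is chosen, or the update installs immediately when no window is configured. The WINDOWS table is a constructed stand-in for the per-day configuration table.

```python
from datetime import datetime, time, timedelta

# Constructed update windows: weekday (Monday=0 ... Sunday=6) -> (start, end).
# Days without an entry are not enabled in the per-day table.
WINDOWS = {
    6: (time(1, 0), time(4, 0)),     # Sunday 01:00-04:00
    2: (time(22, 0), time(23, 59)),  # Wednesday 22:00-23:59
}


def earliest_install(available_at, delay_days=0, windows=None):
    """Return the first moment at which the update may be installed.

    Mirrors the execution logic: the delay runs first; with no windows the
    update installs as soon as the delay expires; otherwise the next valid
    window on or after that moment is used (or the moment itself if it is
    already inside a window).
    """
    eligible = available_at + timedelta(days=delay_days)
    if not windows:
        return eligible
    # Eight days cover every weekday at least once starting from 'eligible'.
    for offset in range(8):
        day = (eligible + timedelta(days=offset)).date()
        window = windows.get(day.weekday())
        if window is None:
            continue
        start = datetime.combine(day, window[0])
        end = datetime.combine(day, window[1])
        if eligible <= start:
            return start            # window opens later; wait for it
        if start <= eligible <= end:
            return eligible         # already inside today's window
        # otherwise today's window has already closed; keep looking
    raise ValueError("no enabled update window found")


if __name__ == "__main__":
    available = datetime(2024, 1, 1, 10, 0)  # a Monday, constructed
    print("no delay, no windows:", earliest_install(available))
    print("3-day delay + windows:", earliest_install(available, 3, WINDOWS))
```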

Metrics configuration

Fortra WAF can publish host-level CPU, memory, and disk utilisation metrics to Amazon CloudWatch. These metrics enable customers to monitor resource consumption and configure alarms or dashboards for auto-scaling environments.

  • Namespace
    • AlertLogic/System
  • Metrics Exported:
    • CPU Utilization (%)
    • Memory Utilization (%)
    • Disk Utilization (%)

Metrics include standard CloudWatch dimensions, such as InstanceId, and, where applicable, AutoScalingGroupName.

Management GUI login restrictions

Manage session timeout and how failed login attempts are handled.

Defaults depend on whether the WAF instance is locked down to StateRAMP mode.

Idle timeout

Input field

Number of seconds the management GUI can be idle before the user is logged out.

Valid input

Timeout in seconds, 20 to 86400.

Input example

900 (15 minutes)

Default value

Default: 600

StateRAMP: 600

Failed login delay

Input field

Number of seconds to wait after a failed login attempt before a new attempt can be made.

Valid input

Delay in seconds, 0 to 60.

Default value

Default: 3

StateRAMP: 5

Failed logins limit

Input field

Number of failed login attempts allowed before the failed login action is taken.

Valid input

Number of attempts 1 to 100.

Default value

Default: 5

StateRAMP: 3

Failed logins action

Drop-down list

What to do if a user exceeds the failed attempted login limit.

Options:

None – No action

Lockout – The user account is locked for the configured duration. Once the duration has passed, the user account is unlocked and the user can log in.

Suspend – The user account is suspended and cannot be used until the account status has been set to OK by an administrator.

The status of a suspended user account can be set in System > Users.

Default value

Default: None

StateRAMP: Lockout

Lockout duration

Input field

Duration of account lockout after failed login attempts limit is exceeded

Valid input

Number of seconds

Default value

Default: 1800

StateRAMP: 1800

Notify user on lockout and suspend

Checkbox

If enabled, user will receive an error message in the login page if the account has been locked or suspended.

Default: On

Suspend inactive accounts

Checkbox

Enable suspending of accounts that have not been active for a specified duration.

Default: Off

Account inactivity threshold

Input field

Number of days a user account can be inactive before it is automatically suspended.

Valid input

Duration in days 1 to 1000.

Default value

90
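The Python below is an added example, not the WAF's own login handling, that models the settings in this section together: the failed login delay, the failed logins limit, the Lockout and Suspend actions, an administrator resetting a suspended account, and the account inactivity threshold. The clock is injectable so the sequence can be replayed offline; user names and dates are constructed.

```python
import time
from datetime import date, timedelta


class LoginGuard:
    """Per-user failed-login tracking with delay, lockout or suspend actions.

    'now' is injectable so the behaviour can be exercised with a fake clock.
    Defaults follow the non-StateRAMP values listed above.
    """

    def __init__(self, limit=5, delay=3, action="None", lockout=1800, now=time.time):
        self.limit, self.delay, self.action, self.lockout = limit, delay, action, lockout
        self.now = now
        self.state = {}

    def _entry(self, user):
        return self.state.setdefault(
            user, {"failures": 0, "next_allowed": 0.0, "locked_until": 0.0, "status": "OK"}
        )

    def can_attempt(self, user):
        """Return (allowed, reason); reasons are 'ok', 'delay', 'locked', 'suspended'."""
        s, t = self._entry(user), self.now()
        if s["status"] == "Suspended":
            return False, "suspended"
        if t < s["locked_until"]:
            return False, "locked"
        if t < s["next_allowed"]:
            return False, "delay"
        return True, "ok"

    def record_failure(self, user):
        s, t = self._entry(user), self.now()
        s["failures"] += 1
        s["next_allowed"] = t + self.delay            # failed login delay
        if s["failures"] >= self.limit:               # failed logins limit reached
            s["failures"] = 0
            if self.action == "Lockout":
                s["locked_until"] = t + self.lockout  # expires on its own
            elif self.action == "Suspend":
                s["status"] = "Suspended"             # needs an administrator
        return s

    def record_success(self, user):
        self._entry(user)["failures"] = 0

    def admin_set_ok(self, user):
        """Equivalent of an administrator setting the status to OK in System > Users."""
        self._entry(user).update(status="OK", failures=0, locked_until=0.0)


def inactive_accounts(last_login, today, threshold_days=90):
    """Users whose last login is older than the account inactivity threshold."""
    cutoff = today - timedelta(days=threshold_days)
    return sorted(user for user, last in last_login.items() if last < cutoff)


if __name__ == "__main__":
    clock = [1000.0]
    guard = LoginGuard(limit=3, delay=5, action="Lockout", now=lambda: clock[0])
    for _ in range(3):
        guard.record_failure("alice")
        clock[0] += 5
    print("alice after 3 failures:", guard.can_attempt("alice"))
    print("inactive:", inactive_accounts({"alice": date(2024, 1, 1), "bob": date(2024, 3, 15)}, date(2024, 4, 1)))
```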

Management GUI certificate

Management GUI SSL certificates can be either self-signed or imported certificates.

In the SSL certificate section the current SSL certificate in use is displayed. To upload a new certificate click the Manage GUI certificates button.

Generate self-signed SSL certificate

To generate a self-signed certificate, enter the certificate information in the input fields.

Click Save settings in the lower button pane.

Importing the PKCS12 format

If the certificate is in the PKCS12 format follow the guidelines below:

  1. Enter the path to the certificate file in the PKCS12 file input field.

  2. Enter Passphrase in the Passphrase input field.

  3. Click Save settings in the lower button pane.

If Validate certificate chain is enabled Web Security Manager will validate and order the chain certificates.

Importing the PEM format

If the certificate is in the PEM format follow the guidelines below:

  1. Open the .PEM file in a text-editor. Copy the public certificate section of the certificate.

    The public key/certificate is the section of the certificate file between (and including) the certificate start and end tags. Example:

    -----BEGIN CERTIFICATE-----
     Certificate characters
    -----END CERTIFICATE----- 
  2. Select Import SSL certificate in the Web Security Manager management interface.

    Paste the SSL public key/certificate into the SSL-certificate field.

  3. Now copy the (SSL) private key section of the certificate. The (SSL) private key is the section of the certificate file between (and including) the private key start and end tags. Example:

    -----BEGIN RSA PRIVATE KEY-----
     Private key characters 
    -----END RSA PRIVATE KEY-----
  4. Enter the passphrase for the private key in the passphrase field (if the original private key was encrypted).

  5. If a certificate authority chain is provided with your certificate, enter the entire list of certificates (more than one certificate may be provided) in the SSL authority certificate(s) chain field.

If Validate certificate chain is enabled WAF will validate and order the chain certificates.
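The parser below is an added example, not Fortra code, that performs the copy-and-paste steps above programmatically: it splits a PEM bundle into the public certificate, the private key and the authority chain, and reports whether the key is encrypted and therefore needs the passphrase. The bundle is a constructed placeholder (base64 of plain text, not real key material), and the assumption that the first certificate in the file is the server certificate is this example's own.

```python
import re

# Constructed bundle: the bodies are base64 of short ASCII strings, not real
# certificates or keys. Block order is leaf, encrypted key, then the chain.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
QkVHSU4gTEVBRiBDRVJUIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

UFJJVkFURSBLRVkgUExBQ0VIT0xERVI=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFIENBIFBMQUNFSE9MREVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVCBDQSBQTEFDRUhPTERFUg==
-----END CERTIFICATE-----
"""

# A PEM block runs from its BEGIN tag to the END tag with the same label,
# inclusive, exactly as the import steps above describe.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)


def split_pem_bundle(text):
    """Return (certificates, private_keys), each a list of whole PEM blocks."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(text):
        label, block = match.group(1), match.group(0)
        if label == "CERTIFICATE":
            certs.append(block)
        elif label.endswith("PRIVATE KEY"):  # RSA, EC, PKCS#8 and ENCRYPTED variants
            keys.append(block)
    return certs, keys


def key_is_encrypted(key_block):
    """True if the key needs a passphrase (legacy Proc-Type header or PKCS#8 label)."""
    return "ENCRYPTED" in key_block


def import_fields(text):
    """Map a bundle onto the three UI fields: certificate, private key, chain.

    Assumes the first certificate in the file is the server certificate; the
    remaining certificates form the authority chain in the order found.
    """
    certs, keys = split_pem_bundle(text)
    if not certs:
        raise ValueError("no certificate block found")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    return {
        "ssl_certificate": certs[0],
        "private_key": keys[0],
        "chain": certs[1:],
        "passphrase_required": key_is_encrypted(keys[0]),
    }


if __name__ == "__main__":
    fields = import_fields(SAMPLE_BUNDLE)
    print("chain length:", len(fields["chain"]))
    print("passphrase required:", fields["passphrase_required"])
```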

FIPS 140-2 validated mode

WAF provides the option for the appliance in the customer environment to be locked down to only run the OpenSSL FIPS Object Module in FIPS 140-2 validated mode (FIPS 140-2 certificate #4215).

The lockdown to FIPS 140-2 mode, including validation of the integrity of the FIPS validated crypto modules, is automated, irreversible, and locks down the operating system (Oracle Linux 8) to run in FIPS 140-2 validated mode as originally specified in the OS provider’s FIPS 140-2 certificate.

When the option is selected, the applicable package and libraries are converted to FIPS mode, library pre-linking is disabled, and the WAF appliance reboots. After the appliance has rebooted, all communication occurs using only the FIPS-validated algorithms and the appliance will only accept and use FIPS validated encryption for all inbound and outbound communication to and from all services on the appliance. This includes the WAF HTTP proxy service, the appliance’s HTTPS web based UI, and SSH services used to remotely access the underlying appliance.

The FIPS 140-2 validation certificate number for the Oracle Linux 8 OpenSSL Cryptographic Module is:

Certificate #4215

  • Module Name - Oracle Linux 8 OpenSSL Cryptographic Module
  • Standard - FIPS 140-2
  • Validation Level - Level 1
  • Status - Active (sunset date: 21 September 2026)
  • Tested Configuration - Oracle Linux 8.4 (64-bit) on multiple Oracle Server platforms
  • Reference - NIST CMVP Certificate #4215

Validation of FIPS mode

When the WSM appliance is using only FIPS-validated encryption modules, the WSM User Interface running on the appliance displays the label FIPS mode. The FIPS mode label reflects the value of /proc/sys/crypto/fips_enabled, which is computed at startup when the system performs the self tests as required in the FIPS 140-2 certificate Security Policy.

If the self test validation at startup fails the system and crypto modules are not running as required for FIPS validated mode and the FIPS mode label is not displayed in the appliance UI.

Enabling FIPS 140-2 validated mode

When enabling FIPS mode:

  • The appliance is converted and locked down irreversibly to run in FIPS mode.
  • Depending on the disk size, the conversion process will take between 2 and 10 minutes.
  • When the conversion process is finished the appliance will reboot.
  • During the process proxy services will be available and website availability will not be affected until the appliance reboots.

To enable FIPS 140-2 validated mode

  1. Select Enable FIPS mode
  2. Click Convert appliance into FIPS mode. The system will now display a confirmation dialog that outlines the conversion process.
  3. Confirm that the appliance is irreversibly converted to FIPS mode. The conversion process begins.
  4. Log out of the UI and log in again to have the FIPS mode validation label displayed.

    The FIPS mode validation flag displayed in the appliance user interface is stored in the currently logged-in session in the UI layer. To have the mode validation label displayed immediately after conversion, it is therefore necessary to log in again so that the setting is read from /proc/sys/crypto/fips_enabled.

    In Amazon Web Services Auto-Scaling deployments, the FIPS mode is embedded in the AMI that the auto-scaling stack is built from. Consequently, the user interface option to convert the appliance to FIPS validated mode is not available. The FIPS validated mode configuration and the self-test at startup still provide validation, exactly as in non-auto-scaling WSM deployments.