Fortinet 5.0 Patch 6 Defining your web servers & load balancers

Fortinet 248 FortiWeb 5.0 Patch 6 Administration Guide

Defining your web servers & load balancers

To apply policies correctly and log accurately, it is important that FortiWeb is aware of certain

other points on your network.

In order to scan traffic for your web servers, first FortiWeb must know which IP addresses and

HTTP Host: names to protect. If there are proxies and load balancers in the network stream

between your client and your FortiWeb, you will also want to define them. Likewise, if your web

servers have features that operate using the source IP address of a client, you may also need to

configure FortiWeb to pass that information to your web servers.

Without these definitions, FortiWeb will not know many things, such as requests are for invalid

host names, which source IP addresses are external load balancers instead of clients, and

which headers it should use to transmit the client’s original source IP address to your web

servers. This can cause problems with logging, reports, other FortiWeb features, and

server-side features that require the client’s IP address.

If you have virtual hosts on your web server, multiple web sites with different domain names

(e.g. example.com, example.co.uk, example.ru, example.edu) may coexist on the same

physical computer with a single web server daemon. The computer could have a single IP

address, with multiple DNS names resolving to its IP address, or the computer could have

multiple IP addresses and multiple NICs, with different sets of domain names resolving to

separate NICs.

Just as there could be multiple host names per web server, there could also be the inverse:

multiple web servers per host name. (This could be the case for distributed computing clusters

and server farms.)

When configuring FortiWeb, a web server is a single IP at the network layer, but a protected host

group should contain all network IPs, virtual IPs, and domain names that clients use to access

the web server at the HTTP layer.

For example, clients often access a web server via a public network such as the Internet.

Therefore, the protected host group contains public domain names, IP addresses and virtual

IPs on a network edge router or firewall, such as:

• www.example.com and

• www.example.co.uk and

•example.de

But the physical or domain server is only the IP address or domain name that the FortiWeb

appliance uses to forward traffic to the server and, therefore, is often a private network address

(unless the FortiWeb appliance is operating in offline protection or either of the transparent

modes):

• 192.168.1.10 or

•exa

mple.local