Fortinet 248 FortiWeb 5.0 Patch 6 Administration Guide
Defining your web servers & load balancers
To apply policies correctly and log accurately, it is important that FortiWeb is aware of certain
other points on your network.
To scan traffic for your web servers, FortiWeb must first know which IP addresses and
HTTP Host: names to protect. If there are proxies or load balancers in the network path
between your clients and FortiWeb, you will also want to define them. Likewise, if your web
servers have features that operate on the source IP address of a client, you may also need to
configure FortiWeb to pass that information to your web servers.
Without these definitions, FortiWeb cannot determine many things, such as which requests are for
invalid host names, which source IP addresses belong to external load balancers rather than
clients, and which header it should use to transmit the client's original source IP address to
your web servers. This can cause problems with logging, reports, other FortiWeb features, and
server-side features that require the client's IP address.
Protected web servers vs. protected/allowed host names
If you have virtual hosts on your web server, multiple web sites with different domain names
(e.g. example.com, example.co.uk, example.ru, example.edu) may coexist on the same
physical computer with a single web server daemon. The computer could have a single IP
address, with multiple DNS names resolving to its IP address, or the computer could have
multiple IP addresses and multiple NICs, with different sets of domain names resolving to
separate NICs.
Just as there could be multiple host names per web server, there could also be the inverse:
multiple web servers per host name. (This could be the case for distributed computing clusters
and server farms.)
When configuring FortiWeb, a web server is a single IP at the network layer, but a protected host
group should contain all network IPs, virtual IPs, and domain names that clients use to access
the web server at the HTTP layer.
For example, clients often access a web server via a public network such as the Internet.
Therefore, the protected host group contains public domain names, IP addresses and virtual
IPs on a network edge router or firewall, such as:
• www.example.com and
• www.example.co.uk and
• example.de
But the physical or domain server is only the IP address or domain name that the FortiWeb
appliance uses to forward traffic to the server and, therefore, is often a private network address
(unless the FortiWeb appliance is operating in offline protection or either of the transparent
modes):
• 192.168.1.10 or
• example.local
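The following Python script is an added illustration, not FortiWeb code or FortiWeb configuration syntax, of the three decisions this page describes: matching a request's Host: header against a protected host group (the HTTP-layer names from the list above), choosing a physical (back-end) server to forward to, and working out which address is the client's original source IP when a trusted load balancer sits in front of the appliance and passes it in a header. The host names, addresses, the trusted-proxy network, the crc32 stand-in for pool balancing, and the X-Forwarded-For handling are all constructed assumptions for the example; FortiWeb's real objects and balancing algorithm are not shown on this page.

```python
"""Added example (not FortiWeb code): how a WAF in reverse-proxy position uses
its knowledge of protected hosts, back-end servers, and upstream load balancers."""
import ipaddress
import zlib
from typing import Optional

# --- constructed configuration (assumed; not FortiWeb's real object syntax) ---
# Protected host group: every name/IP clients may use in Host: at the HTTP layer.
PROTECTED_HOSTS = {"www.example.com", "www.example.co.uk", "example.de", "203.0.113.10"}
# Physical servers: network-layer addresses the appliance forwards to (private side).
BACKEND_SERVERS = ["192.168.1.10", "192.168.1.11"]
# Load balancers/proxies between clients and the appliance whose X-Forwarded-For
# values are trusted. Any other TCP peer is treated as the client itself.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def normalize_host(host_header: str) -> str:
    """Lower-case the Host: value and drop any :port so it can be matched
    against the protected host group. IPv6 literals keep their brackets."""
    host = host_header.strip().lower()
    if host.startswith("["):                    # e.g. [2001:db8::1]:8080
        end = host.find("]")
        return host[:end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def host_is_protected(host_header: Optional[str]) -> bool:
    """True only when the request names a host in the protected host group."""
    return bool(host_header) and normalize_host(host_header) in PROTECTED_HOSTS


def is_trusted_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def original_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Recover the client's source IP. X-Forwarded-For is honoured only when the
    TCP peer is a trusted load balancer, and it is walked right-to-left so that a
    value the client itself prepended cannot spoof the result."""
    if not is_trusted_proxy(peer_ip) or not xff:
        return peer_ip
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if is_trusted_proxy(hop):
            continue                            # skip our own proxy tier
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip                      # malformed header: do not trust it
        return hop
    return peer_ip                              # only trusted hops were listed


def pick_backend(client_ip: str) -> str:
    """Stand-in for the server pool's balancing: a stable per-client choice."""
    return BACKEND_SERVERS[zlib.crc32(client_ip.encode()) % len(BACKEND_SERVERS)]


def route_request(peer_ip: str, headers: dict) -> dict:
    """Decide what the appliance does with one request and what it would log."""
    host = headers.get("Host")
    client_ip = original_client_ip(peer_ip, headers.get("X-Forwarded-For"))
    if not host_is_protected(host):
        return {"action": "deny", "reason": "Host not in protected host group",
                "host": host, "client_ip": client_ip}
    backend = pick_backend(client_ip)
    return {"action": "forward", "host": normalize_host(host), "client_ip": client_ip,
            "backend": backend,
            # header used to hand the original client IP to the web server
            "upstream_headers": {"Host": host, "X-Forwarded-For": client_ip}}


# Constructed sample traffic as (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("10.0.0.5", {"Host": "www.example.com",
                  "X-Forwarded-For": "198.51.100.7, 10.0.0.5"}),  # via load balancer
    ("198.51.100.9", {"Host": "www.example.com:443",
                      "X-Forwarded-For": "1.2.3.4"}),             # direct, spoofed XFF
    ("198.51.100.9", {"Host": "evil.example.net"}),               # not a protected host
    ("10.0.0.5", {"Host": "example.de", "X-Forwarded-For": "10.0.0.3"}),  # proxies only
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        print(route_request(peer, hdrs))
```

Running the script prints one record per sample request: the first is forwarded and logged against 198.51.100.7 (the address the load balancer reported), the second ignores the client-supplied X-Forwarded-For because the peer is not a defined load balancer, the third is denied for an unknown Host:, and the fourth falls back to the peer address because every listed hop is a proxy. That is the practical reason the page insists on defining load balancers explicitly: a header that any client can send is only meaningful when you know which peers are allowed to set it.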