Fortinet 464 FortiWeb 5.0 Patch 6 Administration Guide
When determining which policy to apply to a connection, FortiWeb matching behavior varies by
operation mode. The FortiWeb appliance will apply only one policy to each connection.
If a TCP connection does not match any of the policies, the FortiWeb appliance will either refuse the connection (if operating in reverse proxy mode) or deny the connection (if operating in other operation modes). Even if the TCP connection matches a policy and is allowed, a subsequent HTTP/HTTPS request that is not allowed by the policy's profiles is considered a violation of the policy, and the client may be blocked at the application (request) level or at the connection level, depending on the Action that you configure.
Policies are not applied while they are disabled. See “Enabling or disabling a policy” on
page 497.
Configuring the global object white list
Server Objects > Global > Predefined Global White List displays a predefined list of common Internet entities, such as:
• the FortiWeb session cookie named cookiesession1
• Google Analytics cookies such as __utma
• the URL icon /favicon.ico
• AJAX parameters such as __LASTFOCUS
that your FortiWeb appliance can ignore when it enforces your policies. The FortiGuard FortiWeb Security Service updates the predefined global white list. However, you can also
Table 42: Policy behavior by operation mode

Operation mode: Reverse Proxy / Offline Protection / True Transparent Proxy / Transparent Inspection

SSL
• Reverse Proxy: Certificate used to offload SSL from the servers to FortiWeb; can optionally re-encrypt before forwarding to the destination server.
• Offline Protection: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.
• True Transparent Proxy: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.
• Transparent Inspection: Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.

Forwarding
• Reverse Proxy: Forwards to a single web server or member of a server farm using the port number where it listens; similar to a network address translation (NAT) policy on a general-purpose firewall. Can load balance or route connections to a specific server based upon HTTP content.
• Offline Protection: Lets the traffic pass through to a member of a server farm, but does not load-balance.
• True Transparent Proxy: Forwards to a member of a server farm (but allowing it to pass through, without actively redistributing connections) using the port number where it listens.
• Transparent Inspection: Lets the traffic pass through to a member of a server farm, but does not load balance.
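The following model, added here as an illustration and not taken from Fortinet's documentation or the FortiWeb code base, ties together the three behaviours described above: first-match selection of a single policy per connection (disabled policies are skipped), the mode-dependent outcome for an unmatched connection (refused in Reverse Proxy, denied in the other modes of Table 42), and the removal of predefined global white list entities before the policy's profiles are consulted. The `Policy` fields `forbidden_parameters`, `forbidden_urls` and `action`, the `Request` class and all sample values are constructed stand-ins for configuration that a real profile expresses with many more checks.

```python
"""Illustrative model of FortiWeb policy matching and global white list handling.
Added example; not Fortinet code. Names and sample values are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    REVERSE_PROXY = "Reverse Proxy"
    OFFLINE_PROTECTION = "Offline Protection"
    TRUE_TRANSPARENT_PROXY = "True Transparent Proxy"
    TRANSPARENT_INSPECTION = "Transparent Inspection"


# Entries named on the page as members of the predefined global white list.
GLOBAL_WHITE_LIST = {
    "cookie": {"cookiesession1", "__utma"},
    "parameter": {"__LASTFOCUS"},
    "url": {"/favicon.ico"},
}


@dataclass
class Policy:
    name: str
    listen_ip: str
    listen_port: int
    enabled: bool = True
    # Hypothetical stand-in for the policy's profiles: parameter names and
    # URLs the profile rejects. A real profile carries many more checks.
    forbidden_parameters: frozenset = frozenset()
    forbidden_urls: frozenset = frozenset()
    # Action on violation: "block_request" (application level) or
    # "block_connection" (connection level).
    action: str = "block_request"


@dataclass
class Request:
    dst_ip: str
    dst_port: int
    url: str
    parameters: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def match_policy(policies, dst_ip, dst_port):
    """Return the first enabled policy whose listener matches the TCP
    destination, or None. Only one policy is ever applied to a connection;
    disabled policies are never considered."""
    for policy in policies:
        if policy.enabled and (policy.listen_ip, policy.listen_port) == (dst_ip, dst_port):
            return policy
    return None


def strip_white_listed(request, white_list=GLOBAL_WHITE_LIST):
    """Return (url, parameters, cookies) with white-listed entities removed,
    so that the profile checks never see them."""
    url = None if request.url in white_list["url"] else request.url
    params = {k: v for k, v in request.parameters.items()
              if k not in white_list["parameter"]}
    cookies = {k: v for k, v in request.cookies.items()
               if k not in white_list["cookie"]}
    return url, params, cookies


def decide(mode, policies, request):
    """Outcome for one HTTP request arriving on one TCP connection."""
    policy = match_policy(policies, request.dst_ip, request.dst_port)
    if policy is None:
        # No matching policy: Reverse Proxy refuses the TCP connection,
        # the other operation modes deny it.
        return "refuse_connection" if mode is Mode.REVERSE_PROXY else "deny_connection"
    url, params, _cookies = strip_white_listed(request)
    violates = (url in policy.forbidden_urls) or any(
        name in policy.forbidden_parameters for name in params)
    # A violation is handled at the request or connection level per the Action.
    return policy.action if violates else "allow"


if __name__ == "__main__":
    # Constructed sample configuration and requests.
    demo_policies = [
        Policy("site", "10.0.0.5", 443,
               forbidden_parameters=frozenset({"__LASTFOCUS", "debug"}),
               forbidden_urls=frozenset({"/favicon.ico", "/private"}),
               action="block_connection"),
        Policy("retired", "10.0.0.6", 80, enabled=False),
    ]
    for req in (Request("10.0.0.6", 80, "/"),
                Request("10.0.0.5", 443, "/favicon.ico"),
                Request("10.0.0.5", 443, "/", {"debug": "1"})):
        print(req.url, "->", decide(Mode.REVERSE_PROXY, demo_policies, req))
```

Note that the white-listed URL `/favicon.ico` and parameter `__LASTFOCUS` are allowed even though the constructed profile lists them as forbidden: the white list is applied before the profile, which is the behaviour the page describes for entities the appliance ignores when enforcing policies.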