Fortinet 61 FortiWeb 5.0 Patch 6 Administration Guide
Planning the network topology
To receive traffic intended for web servers that your FortiWeb appliance will protect, you usually
must install the FortiWeb appliance between the web servers and all clients that access them.
The network configuration should ensure that all network traffic destined for the web servers
first passes to or through the FortiWeb appliance (depending on your operation mode).
Usually, clients access web servers from the Internet through a firewall such as a FortiGate, so
the FortiWeb appliance should be installed between the web servers and the firewall.
Other topology details and features vary by the mode in which the FortiWeb appliance will
operate. For example, FortiWeb appliances operating in offline protection mode or either of the
transparent modes cannot do network address translation (NAT) or load-balancing; FortiWeb
appliances operating in reverse proxy mode can.

How to choose the operation mode

Many things, including:
• supported FortiWeb features
• required network topology
• positive/negative security model
• web server configuration
vary by the operation mode. Choose the mode that best matches what you and your
customers need. Considerations are discussed in “Supported features in each operation
mode” and “Matching topology with operation mode & HA mode” on page 63.
Install a general purpose firewall such as FortiGate in addition to the FortiWeb appliance.
Failure to do so could leave your web servers vulnerable to attacks that are not
HTTP/HTTPS-based. FortiWeb appliances are not general-purpose firewalls, and, if you enable
IP-based forwarding, will allow non-HTTP/HTTPS traffic to pass through without inspection.
Ideally, control and protection measures should only allow web traffic to reach the FortiWeb
appliance and your web servers. FortiWeb and FortiGate complement each other to improve
security.
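
The following is an added example, not part of the original guide: a short audit of an upstream firewall's allow rules against the two requirements above (traffic must go through the FortiWeb appliance, and only web traffic should reach it). It assumes a reverse proxy layout in which clients connect to a FortiWeb virtual server address; the rule format, addresses and the default ports 80/443 are constructed for illustration.

```python
import ipaddress

# Constructed sample policy for an upstream firewall (not from the guide).
# Assumed reverse proxy layout: clients connect to a FortiWeb virtual server,
# and the web servers sit behind it on their own subnet.
FORTIWEB_VIP = ipaddress.ip_network("192.0.2.10/32")
WEB_SERVERS = ipaddress.ip_network("10.0.20.0/24")
WEB_PORTS = {80, 443}  # assumption: protected sites use the default ports

RULES = [
    {"id": 1, "dst": "192.0.2.10/32", "proto": "tcp", "ports": {443}},
    {"id": 2, "dst": "192.0.2.10/32", "proto": "tcp", "ports": {22, 80}},
    {"id": 3, "dst": "10.0.20.0/24", "proto": "tcp", "ports": {443}},
    {"id": 4, "dst": "192.0.2.0/24", "proto": "udp", "ports": {53}},
    {"id": 5, "dst": "198.51.100.7/32", "proto": "tcp", "ports": {25}},
]


def audit(rules, vip=FORTIWEB_VIP, servers=WEB_SERVERS, web_ports=WEB_PORTS):
    """Return (rule id, finding) pairs for allow rules that break the topology."""
    findings = []
    for rule in rules:
        dst = ipaddress.ip_network(rule["dst"])
        if dst.overlaps(servers):
            # Clients could address the servers without using the virtual server.
            findings.append((rule["id"], "bypasses FortiWeb"))
        elif dst.overlaps(vip):
            # Only TCP on the web ports should be allowed to the appliance.
            extra = sorted(rule["ports"] - web_ports)
            if rule["proto"] != "tcp":
                findings.append((rule["id"], f"non-web protocol {rule['proto']}"))
            elif extra:
                findings.append((rule["id"], f"non-web ports {extra}"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit(RULES):
        print(f"rule {rule_id}: {finding}")
```

In either of the transparent modes clients address the web servers directly, so the bypass check by destination address does not apply there; the port and protocol check still does.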