Fortinet 5.0 Patch 6 Planning the network topology

Fortinet 61 FortiWeb 5.0 Patch 6 Administration Guide

Planning the network topology

To receive traffic intended for web servers that your FortiWeb appliance will protect, you usually

must install the FortiWeb appliance between the web servers and all clients that access them.

The network configuration should make sure that all network traffic destined for the web servers

must first pass to or through the FortiWeb appliance (depending on your operation mode).

Usually, clients access web servers from the Internet through a firewall such as a FortiGate, so

the FortiWeb appliance should be installed between the web servers and the firewall.

Other topology details and features vary by the mode in which the FortiWeb appliance will

operate. For example, FortiWeb appliances operating in offline protection mode or either of the

transparent modes cannot do network address translation (NAT) or load-balancing; FortiWeb

appliances operating in reverse proxy mode can.

Many things, including:

• supported FortiWeb features

• required network topology

• positive/negative security model

• web server configuration

vary by the operation mode. Choose the mode that best matches what you and your

customers need. Considerations are discussed in “Supported features in each operation

mode” and “Matching topology with operation mode & HA mode” on page 63.

Install a general purpose firewall such as FortiGate in addition to the FortiWeb appliance.

Failure to do so could leave your web servers vulnerable to attacks that are not

HTTP/HTTPS-based. FortiWeb appliances are not general-purpose firewalls, and, if you enable

IP-based forwarding, will allow non-HTTP/HTTPS traffic to pass through without inspection.

Ideally, control and protection measures should only allow web traffic to reach the FortiWeb

appliance and your web servers. FortiWeb and FortiGate complement each other to improve

security.