Fortinet 64 FortiWeb 5.0 Patch 6 Administration Guide
Requests are destined for a virtual server’s network interface and IP address on the FortiWeb
appliance, not a web server directly. FortiWeb applies full NAT.
Figure 10: Example network topology: reverse proxy mode
FortiWeb applies the first applicable policy, then forwards permitted traffic to a web server.
FortiWeb logs, blocks, or modifies violations according to the matching policy.
Figure 10 shows an example network topology for reverse proxy mode. A client accesses two
web servers over the Internet through a FortiWeb appliance. A firewall is installed between
FortiWeb and the Internet to regulate non-HTTP/HTTPS traffic. Port1 is connected to the
administrator’s computer. Port2 is connected to the firewall. Port3 is connected to a switch,
DNS A record changes may be required in reverse proxy mode due to NAT. Also, servers will
see the IP of FortiWeb, not the source IP of clients, so verify that the server does not apply
source IP-based features such as rate limiting or geographical analysis.
If you want to deploy without any IP and DNS changes to the existing network, consider either
of the transparent modes instead.
In reverse proxy mode, by default, the appliance will not forward non-HTTP/HTTPS traffic
from virtual servers to your protected back-end servers. (IP-based forwarding/routing of
unscanned protocols is disabled.)
If you must forward FTP, SSH, or other protocols to your back-end servers, Fortinet
recommends that you do not deploy FortiWeb inline. Instead, use FortiGate VIP port forwarding
to scan and then send FTP, SSH, and other protocols directly to the servers, bypassing FortiWeb.
Deploy FortiWeb in a one-arm topology where it receives only HTTP/HTTPS from the FortiGate
VIP/port forwarding, then relays it to your web servers. Carefully test to verify that only
firewalled traffic reaches your web servers.
If this is not possible, and you require FortiWeb to route non-HTTP protocols at the TCP layer or
higher, you may be able to use the config router setting command (see the
FortiWeb CLI Reference). For security and performance reasons, this is not recommended.
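One way to run the two checks this page asks for (that back-end servers see only FortiWeb's address, and that no HTTP request reaches a web server without passing through the intended path) is to audit the web server's access log. This is an added example, not taken from the Fortinet guide; the FortiWeb address, the log format, and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumption: address(es) FortiWeb uses toward the back-end network (constructed).
FORTIWEB_SOURCES = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed sample of a back-end web server access log (common log format).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 512
192.0.2.10 - - [12/Mar/2014:10:01:03 +0000] "GET /login HTTP/1.1" 200 734
198.51.100.23 - - [12/Mar/2014:10:01:04 +0000] "GET /admin HTTP/1.1" 403 199
192.0.2.10 - - [12/Mar/2014:10:01:05 +0000] "POST /login HTTP/1.1" 302 0
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

def audit_sources(log_text, proxy_nets=FORTIWEB_SOURCES):
    """Separate requests relayed by the proxy from requests that bypassed it."""
    via_proxy = Counter()   # requests per proxy address seen by the server
    bypass = []             # (peer, request line, status) not from the proxy
    unparsed = 0            # lines that could not be interpreted
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        try:
            peer = ipaddress.ip_address(m.group(1))
        except ValueError:  # hostname or garbage in the address field
            unparsed += 1
            continue
        if any(peer in net for net in proxy_nets):
            via_proxy[str(peer)] += 1
        else:
            bypass.append((str(peer), m.group(2), m.group(3)))
    return {"via_proxy": dict(via_proxy), "bypass": bypass, "unparsed": unparsed}

if __name__ == "__main__":
    report = audit_sources(SAMPLE_LOG)
    for peer, request, status in report["bypass"]:
        print(f"BYPASS {peer} {request!r} -> {status}")
    # All proxied requests share one source address, so any per-source-IP
    # rate limit on the server would count every client as the same peer.
    print("proxied request counts:", report["via_proxy"])
```

Any entry under `bypass` is a request that reached the web server from an address other than FortiWeb, which is the condition the topology test is meant to rule out.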