Fortinet 5.0 Patch 6

Fortinet 66 FortiWeb 5.0 Patch 6 Administration Guide

Figure 11:Example network topology: transparent modes

Figure 11 shows one example of network topology for either true transparent proxy or

transparent inspection mode. A client accesses a web server over the Internet through a

FortiWeb appliance. A firewall is installed between the FortiWeb appliance and the Internet to

regulate non-HTTP/HTTPS traffic. Port1 is connected to the administrator’s computer. Port3 is

connected to the firewall. Port4 is connected to the web servers. Port3 and port4 have no IP

address of their own, and act as a V-zone (bridge). Because port3 and port4 have hardware

support for fail-to-wire, this topology also gives you the option of configuring fail-open behavior

in the event of FortiWeb power loss.

True transparent proxy mode and transparent inspection mode are the same in topology aspect,

but due to differences in the mode of interception, they do have a few important behavioral

differences:

•True transparent proxy — FortiWeb transparently proxies the traffic arriving on a network

port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted

traffic pass through. FortiWeb logs, blocks, or modifies violations according to the matching

policy and its protection profile. This mode supports user authentication via HTTP but not

HTTPS.

•Transparent inspection — FortiWeb asynchronously inspects traffic arriving on a network

port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted

traffic pass through. (Because it is asynchronous, it minimizes latency.) FortiWeb logs or

blocks traffic according to the matching policy and its protection profile, but does not

otherwise modify it. (It cannot, for example, offload SSL, load-balance connections, or

support user authentication.

Unlike in reverse proxy mode or true transparent proxy mode, actions other than Alert cannot

be guaranteed to be successful in transparent inspection mode. The FortiWeb appliance will

attempt to block traffic that violates the policy. However, due to the nature of asynchronous

inspection, the client or server may have already received the traffic that violated the policy.