Fortinet 68 FortiWeb 5.0 Patch 6 Administration Guide
Figure 12 shows an example one-arm network topology for offline protection mode. A client
accesses two web servers over the Internet through a FortiWeb appliance. A firewall is installed
between the FortiWeb appliance and the Internet to regulate non-HTTP/HTTPS traffic. Port1 is
connected to the administrator’s computer. Port2 is connected to the firewall, and thereby to a
switch, which is connected to the web servers. The FortiWeb appliance provides detection, but
does not load-balance, block, or otherwise modify traffic to or from the two web servers.
Topologies for high availability (HA) clustering
Valid HA topologies vary depending on whether you use:
• FortiWeb HA
• an external HA/load balancer
Figure 13 shows another network topology for reverse proxy mode, except that the single
FortiWeb appliance has been replaced with two of them operating together as an
active-passive high availability (HA) pair. If the active appliance fails, the standby appliance
assumes the IP addresses and load of the failed appliance.
To carry heartbeat and synchronization traffic between the HA pair, the heartbeat interface on
both HA appliances must be connected through crossover cables or through switches.
If you select offline protection mode, you can configure Blocking Port to select the port from
which TCP RST (reset) commands are sent to block traffic that violates a policy.
Alternatively, you could connect a FortiWeb appliance operating in offline protection mode to
the SPAN port of a switch.