Per-Application TLS Cipher Suite & Protocol Enforcement in FortiWeb (Reverse Proxy Mode)
Current Limitation Observed
In a FortiWeb 7.4.11 deployment operating in reverse proxy mode, TLS protocol and cipher suite configuration appears to be global across all protected applications.
Operational Challenge
Our goal is to enforce strong TLS protocols and cipher suites on a per-application basis, following a phased rollout approach:
- Apply strong TLS and cipher suites to one application
- Validate client compatibility and application behavior
- If no issues are observed, roll out the same controls to additional applications
However, because TLS cipher and protocol enforcement is global, any change immediately impacts all applications protected by FortiWeb. This prevents us from safely testing TLS hardening on a single application before expanding enforcement.
This is especially challenging in environments where:
- Multiple applications have different legacy dependencies
- Some applications cannot immediately support modern TLS
- A global change introduces risk of unintended service disruption
Clarification Request
Is there any supported way in FortiWeb to enforce TLS protocols and cipher suites per application in reverse proxy mode?
If this capability does not exist today:
- Is this a known product limitation?
- Is there any planned enhancement in upcoming FortiWeb releases to support per-application TLS enforcement?
Why This Capability Is Important
Per-application TLS control would allow:
- Safe, phased security hardening
- Reduced blast radius when tightening cryptographic settings
