Cybersecurity Forum


LuisHida1

Is it recommended to use True Transparent Proxy mode in FortiWeb?

Hi guys!

I have a client to whom I indicated that the best way to have security is with the Reverse Proxy option, however, when reviewing the information on the True Transparent Proxy, it indicates that this is the best option.

I have some deployments in True Transparent Proxy and I can't block security events that occur in SSL.

Do you recommend the True Transparent Proxy?

5 REPLIES
BuraYalc
Staff

Hi Luis,

In Turkey, most of the enterprise customer deployments were done in TTP mode, as they had been using an ADC and wanted to keep the existing network topology. I haven't faced that kind of issue so far. Maybe Transparent Mode (not True Transparent Mode) misses some attacks, as it does best effort on the flowing traffic.

On the other hand, the important thing you have to be careful about in TTP mode is that FWB can cause MAC address loops in the switching layer if there is an HA cluster load balancer in the picture. To prevent it, there is the "use-interface-macs" parameter under the V-Zone configuration; you can use it.

Here is the CLI guide: https://docs.fortinet.com/document/fortiweb/6.3.7/cli-reference/752086/system-v-zone

Best Regards,

LuisHida1

Dear Burak:

An end customer that publishes public information on the Internet, and that wanted to ensure communication to its servers in case the FWEB became unavailable, requested that it be implemented in TTP; however, there is no possibility of loading the certificates or analyzing the encrypted payloads.

The inconvenience is that when an SQLi attack arrives in encrypted form, the FWEB will not be able to do anything.

Thank you very much for the recommendation on the HA scenarios.

jwhite_FTNT
Staff

Hi Luis,

The quick answer: Reverse Proxy is the best security option for deploying FortiWeb WAF.

The choice between a transparent deployment and reverse proxy is usually determined by latency sensitivity. In cases where any increase in latency is a critical decision factor, you will want to choose a transparent mode (selecting performance over security), of which True Transparent Proxy offers better security, as it does a better job of buffering the traffic during the inspection phase.

When security is the primary concern, I strongly recommend reverse proxy (RP) as the default deployment method. RP guarantees full payload inspection and provides the maximum set of features available to meet all of our WAF requirements.

LuisHida1

Dear Jim:

But I still have a doubt, because in a TTP environment it did not give me the possibility of doing anything with SSL. In HTTP there is no problem, but for HTTPS, which is the most common nowadays, I think the most recommended is definitely the reverse proxy. Thank you very much for the reply.

Idan_Soen_FTNT

Luis,

You are either doing something wrong or confusing True Transparent Proxy (TTP) with Transparent Inspection (TI).
TTP is a full proxy deployed as a bridge. It has almost the same capabilities as RP, including full visibility into SSL/TLS. TI is a sniffer-like deployment, also deployed as a bridge, in which case TLS using ciphers that do not support man-in-the-middle (DH, for example) cannot be inspected.

Read more here - https://docs.fortinet.com/document/fortiweb/7.0.0/administration-guide/211763/planning-the-network-topology
Idan
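The limitation Idan describes for the sniffer-style (TI) deployment is a general property of passive TLS inspection, not something specific to FortiWeb: an out-of-band inspector holding the server's RSA private key can only recover the session key when the handshake uses static RSA key exchange, while any (EC)DHE suite and every TLS 1.3 suite derives the key from ephemeral values the inspector never sees. A full proxy (RP or TTP) terminates TLS itself and so has no such limit. The script below is an added example, not code from the forum post or from Fortinet, and goes a little beyond the post by covering ECDHE and TLS 1.3 as well as classic DH: it parses a TLS ServerHello record, reads the negotiated cipher suite (and the supported_versions extension that TLS 1.3 uses to signal 0x0304), and reports whether passive decryption with the server's key would be possible. The sample ServerHello records it builds are constructed for offline testing; the cipher-suite codes are from the IANA TLS registry.

```python
"""Classify a TLS ServerHello by the key exchange it commits to.

Added example for the FortiWeb TI-vs-TTP discussion. A passive, sniffer-style
inspector can only derive session keys when the server's RSA private key alone
unwraps the pre-master secret (static RSA key exchange on TLS <= 1.2). (EC)DHE
suites and all TLS 1.3 suites are not passively decryptable. A terminating
proxy (RP / TTP) is unaffected because it is one end of the TLS session.
"""
import struct

# IANA cipher-suite code -> (name, key exchange). Subset of the registry.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0x0039: ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0x009F: ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02C: ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xCCA8: ("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE"),
    0xCCA9: ("TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
    0x1302: ("TLS_AES_256_GCM_SHA384", "TLS1.3"),
    0x1303: ("TLS_CHACHA20_POLY1305_SHA256", "TLS1.3"),
}

SUPPORTED_VERSIONS_EXT = 0x002B  # RFC 8446 extension carrying the real version


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return version and suite."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 38:  # version(2) + random(32) + sid_len(1) + suite(2) + comp(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                      # skip legacy_version and random
    pos += 1 + hello[pos]             # skip session_id (length-prefixed)
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + 1                      # cipher_suite + compression_method
    # TLS 1.3 keeps legacy_version = 0x0303 and signals 0x0304 in an extension.
    if pos + 2 <= len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len == 2:
                version = struct.unpack("!H", hello[pos:pos + 2])[0]
            pos += ext_len
    return {"version": version, "cipher_suite": suite}


def passive_decryption_possible(record: bytes) -> dict:
    """Decide whether an out-of-band inspector holding the server's RSA key could decrypt."""
    info = parse_server_hello(record)
    name, kx = CIPHER_SUITES.get(
        info["cipher_suite"], ("unknown 0x%04x" % info["cipher_suite"], "unknown"))
    # Only static-RSA key exchange on TLS 1.2 or lower is passively decryptable.
    possible = kx == "RSA" and info["version"] <= 0x0303
    return {**info, "suite_name": name, "key_exchange": kx, "passive_decrypt": possible}


def build_server_hello(suite: int, tls13: bool = False) -> bytes:
    """Constructed sample ServerHello (all-zero random, empty session id) for offline tests."""
    hello = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    if tls13:
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 2) + struct.pack("!H", 0x0304)
        hello += struct.pack("!H", len(ext)) + ext
    else:
        hello += struct.pack("!H", 0)  # empty extensions block
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", 0x0303) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for suite, v13 in ((0x009C, False), (0x0039, False), (0xC02F, False), (0x1301, True)):
        r = passive_decryption_possible(build_server_hello(suite, v13))
        print(f"{r['suite_name']:<48} TLS {r['version']:#06x}  passive decrypt: {r['passive_decrypt']}")
```

To check a real server, feed `parse_server_hello` the first record the server sends back after a ClientHello (a packet capture or a small socket read is enough). If the result is anything other than an RSA key-exchange suite on TLS 1.2 or lower, a sniffer-style inspection mode will see only ciphertext, which matches the behaviour Luis reports and is exactly why a terminating deployment (RP or TTP) is needed for HTTPS payload inspection.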