- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Reverse Proxy vs One-Arm Reverse Proxy
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reverse Proxy vs One-Arm Reverse Proxy
I am reading over the documentation https://help.fortinet.com/fweb/561/Content/FortiWeb/fortiweb-admin/planning_topology.htm and I need the benefits of Reverse Proxy; however, I do not understand how the One-Arm reverse proxy works. If everything is on the same network segment, then layer 2 frame will just forward out the interface it was seen from. However, there is some warnings about Inline Reverse Proxy, and non HTTP/HTTPS traffic. Does the One-Arm Reverse proxy works when protect servers will be on a different subnet. I imagined this would be installed In-line and create rules that ignore the policy engine when (a)specific server was in destination with (b)specific traffic port. The latter would be no different then forwarding traffic around the unit, but the link to documentation says something about Performance and security.
The One-Arm deployment seems like a number policy routes or virtual port forwarding would need to be created. Again, just even sure what the default gateway of servers and the inbound route direction of a One-Arm deployment would look like.
What or how have you folks deployed and can you offer any suggestions in deploying Reverse Proxy mode.
Thank you
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They (Fortinet) over-complicated this topology by naming it separately - there is no "one arm with reverse proxy" mode of functioning for the FWB. It is just usual Proxy mode with a side-note that the real servers are located on the same network the FWB accepts incoming connections on. FWB hides the real servers from the client, never mind them being on the same network, by doing Source NAT - this way real servers see clients' connections coming with source IP of the FWB, and are configured to return traffic to the FWB as well and not via some router as default gateway.
E.g.
FWB listens on 10.10.10.1
Real servers are on: 10.10.10.2, 10.10.10.3
Admins publish the website example.com A record as 10.10.10.1
Client (IP of 10.10.10.10.100) enters example.com in the browser, her DNS resolves to 10.10.10.1 and FWB receives the client's request with the source IP of 10.10.10.100. Next, the FWB does source NAT replacing source IP of the request 10.10.10.100 with its own IP 10.10.10.1 and then sends it to servers 10.10.10.2/3, which reply accordingly to FWB to 10.10.10.1. On receiving the reply, FWB sends it to the client with the source IP of 10.10.10.1, everyone is happy.
Usually, when vendors speak of "one arm" topologies, they mean that the device is NOT actively participating in the clients' traffic. In FWB this is called Offline mode. IMO they just named it inappropriately in the docs.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
They (Fortinet) over-complicated this topology by naming it separately - there is no "one arm with reverse proxy" mode of functioning for the FWB. It is just usual Proxy mode with a side-note that the real servers are located on the same network the FWB accepts incoming connections on. FWB hides the real servers from the client, never mind them being on the same network, by doing Source NAT - this way real servers see clients' connections coming with source IP of the FWB, and are configured to return traffic to the FWB as well and not via some router as default gateway.
E.g.
FWB listens on 10.10.10.1
Real servers are on: 10.10.10.2, 10.10.10.3
Admins publish the website example.com A record as 10.10.10.1
Client (IP of 10.10.10.10.100) enters example.com in the browser, her DNS resolves to 10.10.10.1 and FWB receives the client's request with the source IP of 10.10.10.100. Next, the FWB does source NAT replacing source IP of the request 10.10.10.100 with its own IP 10.10.10.1 and then sends it to servers 10.10.10.2/3, which reply accordingly to FWB to 10.10.10.1. On receiving the reply, FWB sends it to the client with the source IP of 10.10.10.1, everyone is happy.
Usually, when vendors speak of "one arm" topologies, they mean that the device is NOT actively participating in the clients' traffic. In FWB this is called Offline mode. IMO they just named it inappropriately in the docs.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I did not answer sooner, I was on 'lock down' due to C19. This is great news and appreciate your insight.
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know that One-Arm does not always work the same with all proxy servers. In this respect, it is not stable enough. I also had problems with proxy server feedback. But they resolved themselves when I decided to switch from free or penny-cost VPN services to soax.com. Subscription to it, of course, is also not worth a lot of money, but it is good, given the quality of the service. It is also supported in almost every country globally, which allows the user to work from anywhere in the world. It is with this service I have no problems with feedback to One-Arm.
Related Posts
- SSL-OffLoading (HTTP --> HTTPS) 362 Views
- Fortigate with Mikrotik Site to site... 386 Views
- reverse proxy values available on the... 237 Views
- VPN intermittent traffic lost, found reverse... 844 Views
- Fortigate reverse proxcy with folder 122 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.