bzh87
New Contributor II

FortiWeb uses?

We just bought a FortiWeb, and in my network most of our servers don't use the HTTP and HTTPS ports; instead they use ports like UDP and TCP 3500, 3501 and so on. My question is the following: is FortiWeb used to protect servers that don't use HTTP or HTTPS, like the ones in my environment, or is it used exclusively for HTTP and HTTPS access? The idea was to place all my services that use TCP and UDP ports behind a FortiWeb, but when I check the FortiWeb config guides, the policy configuration always shows HTTP and HTTPS profiles, while many of my servers don't use HTTP and HTTPS and use other ports for other applications like GPS and so on.


abelio
Valued Contributor

Hello,
FortiWeb is a security device to protect and manage HTTP/HTTPS (and FTP) traffic.
You're mixing ports with protocols.

If you're sending HTTP/HTTPS traffic over non-standard ports (8081 or 7001, for instance), you can use a custom service to match that HTTP traffic, and FortiWeb can proxy and protect it.

But if the traffic on those 3501 TCP ports is not HTTP/HTTPS, FortiWeb has no business being there.

regards


__ Abel
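The distinction Abel draws above (port number versus protocol) is something you can check before deciding what to put in front of a server. The script below is an added example, not code from the original thread or from Fortinet: it classifies the first bytes seen on a TCP connection as HTTP, TLS or something else, and includes a live probe that sends a plaintext HTTP request to a host and port of your choosing. The byte samples are constructed for illustration (the NMEA line stands in for the "GPS" services mentioned in the question); the function names are my own.

```python
import re
import socket

# Constructed samples of the first bytes seen on a TCP port (not captured
# from any real system). Only the first two are HTTP; FortiWeb could front
# those even on port 3500. The last two are not HTTP, whatever port they use.
SAMPLES = {
    "http-request": b"GET /status HTTP/1.1\r\nHost: gps.example\r\n\r\n",
    "http-response": b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
    "tls-client-hello": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",
    "nmea-gps": b"$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n",
}

# HTTP/1.x request line ("GET /path HTTP/1.1") or status line ("HTTP/1.1 200").
_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r?\n")
_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3}")


def classify(data: bytes) -> str:
    """Classify the first bytes of a TCP stream as 'http', 'tls' or 'other'.

    'tls' covers a TLS record header (handshake 0x16 or alert 0x15 with
    version byte 0x03): either HTTPS, or a TLS server rejecting a plaintext
    probe with an alert.
    """
    if _REQUEST_LINE.match(data) or _STATUS_LINE.match(data):
        return "http"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    return "other"


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a minimal plaintext HTTP request and classify whatever comes back.

    Live network call; 'other' also covers a server that sends nothing before
    the timeout (typical of binary protocols waiting for their own handshake)
    or that closes the connection. Use against your own hosts only.
    """
    request = b"HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = sock.recv(512)
    except OSError:  # timeout, refused, reset: nothing HTTP-like came back
        return "other"
    return classify(data)


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:18} -> {verdict}")
    # Example live use (assumed host/port, replace with your own):
    # print(probe_tcp("192.0.2.10", 3500))
```

If the probe reports `http` or `tls` for a service on port 3500, that service is HTTP(S) on a non-standard port and a FortiWeb custom service can match it. If it reports `other`, the server speaks something else, and a web application firewall cannot parse or protect it regardless of how the policy is configured.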

B_net
New Contributor

So FortiWeb is mainly used for web pages in browsers, nothing else?

xsilver_FTNT

Q: "so fortiweb is mainly used for web pages on browsers nothing else?"

 

A:

FortiWeb is basically a web application proxy.
It can do a lot of things, from request/response sanity checks, flow redirects and manipulation, and in-flow injects like enhancing web access with two-factor/multi-factor authentication, to handling single sign-on (SSO), and more.
But it does so for web-based applications.

So it has nothing to do with, for example, protection for custom, proprietary-protocol-based applications.

Tom xSilver, planet Earth, over and out!

bzh87
New Contributor II

So FortiWeb can't be used to load balance services coming in on UDP and TCP ports, only HTTP and HTTPS? What other device can I use to load balance those ports to my servers?

ddsouza_FTNT

@bzh87 You can use the FADC load balancer product to load balance traffic based on Layer 4 (TCP/UDP ports).

Denzil Dsouza
bzh87
New Contributor II

No, my issue is that we already bought FortiWeb, so my main concern now is whether it can load balance TCP and UDP ports or not for other non-HTTP/HTTPS applications.

I need a definitive answer that the FortiWeb won't work and it needs to be replaced.

ddsouza_FTNT
Staff

@bzh87 By using the following configuration, you can achieve basic load balancing of TCP port traffic between real servers.

1. Create a custom TCP service for TCP port 3500 and use it as the HTTP service in the server policy.

2. Turn off HTTP parsing in the server policy in the CLI by enabling the 'noparse' setting (basically, FortiWeb stops parsing the TCP data with noparse enabled).

But please note that persistence doesn't work and the system doesn't generate traffic logs, so it adds a little value (persistence + traffic logs for troubleshooting/future reference) compared to what typical load balancers do.

UDP load balancing is not possible on FortiWeb as it can't listen for UDP port traffic.

Denzil Dsouza
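The two steps above were shown as GUI screenshots in the original post. The CLI equivalent below is an added illustration, not Denzil's configuration or Fortinet documentation: it follows the FortiWeb CLI layout of `config server-policy service custom` for the custom port and `config server-policy policy` with `set noparse enable` for the pass-through policy, but the object names (`tcp3500`, `vs-3500`, `pool-3500`, `lb-tcp3500`) are assumptions, the virtual server and server pool are assumed to exist already, and the exact option names should be checked against the CLI Reference for the firmware version in use.

```text
# Step 1: custom service for the non-HTTP port (name and port are assumptions)
config server-policy service custom
    edit "tcp3500"
        set port 3500
    next
end

# Step 2: server policy that uses the custom service as its "HTTP" service
# and disables HTTP parsing, so FortiWeb forwards the raw TCP stream
config server-policy policy
    edit "lb-tcp3500"
        set deployment-mode server-pool
        set vserver "vs-3500"
        set server-pool "pool-3500"
        set service "tcp3500"
        set noparse enable
    next
end
```

`show server-policy policy lb-tcp3500` confirms the setting took. With `noparse` enabled the policy is a plain TCP forwarder: none of the WAF inspection, persistence or traffic logging that the rest of FortiWeb is built around applies to it, which is exactly the trade-off described in the post, and there is no UDP counterpart.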
bzh87
New Contributor II

Thanks so much!

ddsouza_FTNT

You're welcome :)

Denzil Dsouza