Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sheerazali
New Contributor II

Assistance Required for FortiWeb in (Reverse Proxy)

Hello Fortinet Community,

 

We are in the process of configuring FortiWeb 7.4.3 as a reverse proxy for our on-premises web servers. Our FortiWeb deployment is VM-based. Alongside hosting a web service, these servers are also involved in IP-Sec tunnels established on our core firewall (FortiGate) with various financial institutions.

Our objective is to bypass traffic destined for these IP-Sec tunnels through FortiWeb, excluding HTTPS/HTTP traffic directed towards the web servers (HTTP/HTTPS Traffic should be inspected in FortiWeb)

We seek clarification on the following points:

  1. IP-Sec Tunnel Bypass: How can we ensure that traffic intended for the IP-Sec tunnels bypasses FortiWeb? Are there specific configurations or policies within FortiWeb that we should implement to achieve this seamlessly?

  2. Impact on Financial Institutes' Settings: Will configuring our servers behind the WAF (Web Application Firewall) necessitate any changes at the end of the financial institutes regarding their IP-Sec tunnel settings? Are there any considerations such as altering IP addresses or other parameters that we should communicate to them?

  3. Downtime Considerations: Lastly, we need to ascertain if implementing these changes will require any downtime for our services or disruptions to the established IP-Sec tunnels.

We appreciate any insights, best practices, or guidance from the community or Fortinet experts regarding the above queries.
#FortiWeb #WAF #Fortinet 

Sheeraz Ali
Sheeraz Ali
1 Solution
AEK

Hi Ali

I hope I have understand your concern a little bit better.

Here in your design I guess FortiWeb is the default gateway for your back-end servers, right?

Usually when I install FortiWeb on an existing environment I leave the servers with their original default gateway (usually FortiGate or another router). In that case it is simple, at firewall level we deny direct HTTP(S) access to the back-end server, and wllow it only through FWB. This will allow you direct access to backend servers with other services.

But in your case if the backend servers have FWB default gateway then you can fix this by enabling IP forward at FWB level, and add a route on your FG to reach the back-end servers through route 10.200.200.2, just like if FWB was a router (actually firewall).

https://community.fortinet.com/t5/FortiWeb/Technical-Tip-Provide-Internet-access-to-a-server-behind-...

AEK

View solution in original post

AEK
5 REPLIES 5
drakegho
New Contributor

No experience with other WAF’s, but I find FortiWeb to be feature-rich. It does get a bit of time to get used to working with it though, and you’ll obviously need to know quite a bit about HTTP/TLS to actually know what you’ll be configuring.

omegle xender
AEK
SuperUser
SuperUser

Hi Sheeraz

If I understand well your requirements, you have to do as follows:

  • Forward HTTP/HTTPS traffic to FortiWeb (using VIP on your Firewall)
  • Forward other traffic from IPsec directly to the back-end server (do not forward to FWB)

So:

  1. IPsec tunnel bypass: No need to forward to FortiWeb, your IPsec clients should address directly the back-end servers
  2. Impact on financial institutes' settings: No impact. When installing FortiWeb in reverse proxy in most cases there is no changes on back end servers, on your IPsec settings (since it will not cross the WAF), or on your existing IP addresses
  3. As per my experience there may be one downtime on HTTP(S) service only (not other service), very short (few seconds or minutes), when you cut-over from the old traffic path (without WAF) to the new traffic path (through WAF).

Hope it helps.

AEK
AEK
sheerazali
New Contributor II

Hi Fortinet Community,

 

To clarify my question, i have designed diagram for this deployment for my client, His query is to bypass that IPSec Tunnel Traffic (terminating at FortiGate) through fortiweb without inspection to its destined server but the issue is that on the same server there is another web service running that should be inspected in fortiweb. Current scenerio is defined below with diagram (along with Fake IP Addresses, to clarify). Is there any way to do this, if avaiable then share please.

 

FG - Fortinet.png

Diagram Description: 
1- Public IPs of Servers is being NATed at FortiGate into Virtual IPs of Virtual Servers , created on FortiWeb.
2- Some of the Servers have FTP Services (Non HTTP/HTTPS) running on them along with Web Services for some remote servers located at Financial Institues.
3- That IP-Sec tunnel traffic (Non-HTTP/HTTPS) should not be inspected at FortiWeb even it passes through FortiWeb.
4- If there is any way to do this, then should we make changes at Financial Insitues Infrastures End, in configuration manner or any other. (If we need to change anything, then we have to inform them Financial Institutes Teams to aware of this during deployment. Kindly confirm about it.



Note: We have already researched on it and found that using ip-forward feature enable and configuring SNAT Policy on FortiWeb, we can forward Non-HTTP/HTTPS traffic through FortiWeb. If it is suitable for this scenerio, then kindly confirm.

Sheeraz Ali
Sheeraz Ali
AEK

Hi Ali

I hope I have understand your concern a little bit better.

Here in your design I guess FortiWeb is the default gateway for your back-end servers, right?

Usually when I install FortiWeb on an existing environment I leave the servers with their original default gateway (usually FortiGate or another router). In that case it is simple, at firewall level we deny direct HTTP(S) access to the back-end server, and wllow it only through FWB. This will allow you direct access to backend servers with other services.

But in your case if the backend servers have FWB default gateway then you can fix this by enabling IP forward at FWB level, and add a route on your FG to reach the back-end servers through route 10.200.200.2, just like if FWB was a router (actually firewall).

https://community.fortinet.com/t5/FortiWeb/Technical-Tip-Provide-Internet-access-to-a-server-behind-...

AEK
AEK
sheerazali
New Contributor II

Thanks AEK,

Yes, our back-end servers have default gateway of FortiWeb. So it is clear now that we have only one option to do this just by enabling ip-forward option at FWB and by adding a route in FG.

Thanks for it.

Sheeraz Ali
Sheeraz Ali
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors