Hello Fortinet Community,
We are in the process of configuring FortiWeb 7.4.3 as a reverse proxy for our on-premises web servers. Our FortiWeb deployment is VM-based. Alongside hosting a web service, these servers are also involved in IP-Sec tunnels established on our core firewall (FortiGate) with various financial institutions.
Our objective is to bypass traffic destined for these IP-Sec tunnels through FortiWeb, excluding HTTPS/HTTP traffic directed towards the web servers (HTTP/HTTPS traffic should be inspected in FortiWeb).
We seek clarification on the following points:
IP-Sec Tunnel Bypass: How can we ensure that traffic intended for the IP-Sec tunnels bypasses FortiWeb? Are there specific configurations or policies within FortiWeb that we should implement to achieve this seamlessly?
Impact on Financial Institutes' Settings: Will configuring our servers behind the WAF (Web Application Firewall) necessitate any changes at the end of the financial institutes regarding their IP-Sec tunnel settings? Are there any considerations such as altering IP addresses or other parameters that we should communicate to them?
Downtime Considerations: Lastly, we need to ascertain if implementing these changes will require any downtime for our services or disruptions to the established IP-Sec tunnels.
We appreciate any insights, best practices, or guidance from the community or Fortinet experts regarding the above queries.
#FortiWeb #WAF #Fortinet
Hi Sheeraz
If I understand your requirements well, you have to do as follows:
So:
Hope it helps.
Hi Fortinet Community,
To clarify my question, I have designed a diagram of this deployment for my client. His query is to bypass the IPSec tunnel traffic (terminating at FortiGate) through FortiWeb without inspection to its destined server, but the issue is that on the same server there is another web service running that should be inspected in FortiWeb. The current scenario is described below with a diagram (along with fake IP addresses, to clarify). Is there any way to do this? If available, then please share.
Diagram Description:
1- Public IPs of the servers are being NATed at FortiGate into the Virtual IPs of the Virtual Servers created on FortiWeb.
2- Some of the servers have FTP services (non HTTP/HTTPS) running on them along with web services for some remote servers located at Financial Institutes.
3- That IP-Sec tunnel traffic (non-HTTP/HTTPS) should not be inspected at FortiWeb even though it passes through FortiWeb.
4- If there is any way to do this, then should we make changes at the Financial Institutes' infrastructure end, in configuration or in any other manner? (If we need to change anything, then we have to inform the Financial Institutes' teams so they are aware of this during deployment.) Kindly confirm about it.
Note: We have already researched this and found that by enabling the ip-forward feature and configuring an SNAT policy on FortiWeb, we can forward non-HTTP/HTTPS traffic through FortiWeb. If this is suitable for this scenario, then kindly confirm.
Created on 05-10-2024 03:38 AM Edited on 05-10-2024 04:04 AM
Hi Ali
I hope I have understood your concern a little bit better.
Here in your design I guess FortiWeb is the default gateway for your back-end servers, right?
Usually when I install FortiWeb in an existing environment I leave the servers with their original default gateway (usually FortiGate or another router). In that case it is simple: at firewall level we deny direct HTTP(S) access to the back-end servers and allow it only through FWB. This will allow you direct access to the back-end servers with other services.
But in your case, if the back-end servers have FWB as their default gateway, then you can fix this by enabling IP forward at FWB level, and adding a route on your FG to reach the back-end servers through 10.200.200.2, just as if FWB were a router (actually a firewall).
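As an added illustration of the answer above (this is not configuration from the thread, from AEK, or from Fortinet documentation), here is what the two pieces would look like in CLI form. It assumes a back-end server subnet of 10.10.10.0/24 and a FortiGate interface named port2 facing FortiWeb's 10.200.200.2 address, both of which are placeholders; 10.200.200.2 itself is the next-hop named in the answer. The FortiWeb `config router setting` / `set ip-forward enable` path is my assumption about where the IP forward option lives and should be confirmed against the FortiWeb 7.4 CLI Reference before use.

```fortios
# ---- FortiGate (FG): static route to the back-end subnet via FortiWeb ----
# Placeholders (not from the thread): 10.10.10.0/24 = back-end servers,
# "port2" = FortiGate interface on the FortiWeb transit network.
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set gateway 10.200.200.2
        set device "port2"
        set comment "Back-end servers behind FortiWeb (FWB ip-forward)"
    next
end
# Verify on the FortiGate that the route is installed:
#   get router info routing-table static

# ---- FortiWeb (FWB): forward non-HTTP(S) traffic like a router ----
# Assumed command path; confirm against the FortiWeb 7.4 CLI Reference.
config router setting
    set ip-forward enable
end
```

With ip-forward enabled, anything FortiWeb passes on a port that is not served by one of its virtual servers is forwarded without WAF inspection, so access control for those services (FTP, the tunnel-carried traffic) still has to be enforced by the FortiGate policies in front of FortiWeb; the static route only makes the return path reachable.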
Thanks AEK,
Yes, our back-end servers have FortiWeb as their default gateway. So it is clear now that we have only one option to do this: by enabling the ip-forward option on FWB and adding a route in FG.
Thanks for it.