atifali681
New Contributor II

Deployment of FortiWeb 600 in client Network Infrastructure

Hi, Fortinet Community,

I want to install a FortiWeb 600F in my client's infra.

I want to install it in reverse proxy mode. The client network design is this:
1. Server->Distribution->Core Switches->FortiWeb->FortiGate FW-> ISP Internet + MPLS Links

The client has multiple branch offices in country hospital which run ERP/web applications from remote locations, which will be sitting behind FortiWeb.

Please suggest whether reverse proxy mode is perfect for it.
And suggest what the network topology and subnets/VIPs will be.
Let's suppose my server farm is using the 20.20.20.0/24 subnet and the FortiGate firewall, working as the edge firewall, is running the 10.10.10.0/24 subnet.

I need experts' and seniors' help. Kindly suggest a better approach.
Can the VIP subnet be different? How will it route, and how will other traffic route? Currently the gateways of the servers are configured on the FortiGate firewall.

FortiWEB Design.png

Atif
AEK
SuperUser

Hi Atif

Here are some comments:

  • Reverse proxy mode is the best choice in 99% of cases
  • In reverse proxy mode it is not required that FWB is on the same subnet as the server
  • In your design I think there should be another link between FGT and Core switch, in order to forward only HTTP(S) to FortiWeb, and all other traffic will be sent to servers directly through Core-SW-1
  • Default GW of the FWB should be the FGT IP, while you will need to add static routes to FWB in case the servers are in a different subnet from the FWB
AEK

atifali681
New Contributor II

Thanks AEK,

If one more link is not used from FGT to Core, will server traffic be blocked? Is there any other traffic which will need to pass except HTTPS/HTTP if they work on web portals etc.?

Furthermore, you explained I can use a different subnet on my FortiWeb towards the LAN side, which belongs to the server farm. If I am understanding it right, then let me know: will we perform double routing on the WAN side and the LAN side as well on FortiWeb?

Atif
AEK

  1. You may need other traffic like ping, SSH for management, SNMP and others. Actually this can transit through FWB, but here you will need to enable the firewall component on FWB, and this is not a common use when we already have a separate firewall (FGT in your case)
  2. Yes, you can put FWB in a subnet other than your back-end servers. Here you will need to add a static route to your FWB in order to reach the server subnet through the right gateway, in addition to the default gateway that is through the FortiGate (e.g. to reach internet). Regarding FGT, you configure a VIP on FGT and a firewall rule to forward incoming HTTP/HTTPS traffic to FWB
AEK
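
The routing and VIP arrangement described in the replies above, sketched as CLI configuration. This is an added example, not part of the original thread or Fortinet's own configuration; the interface names (wan1, port3, port1), the public address 203.0.113.10, the object and policy names, and the host addresses 10.10.10.1 (FGT), 10.10.10.50 (FWB) and 10.10.10.254 (core switch gateway towards 20.20.20.0/24) are assumptions, and the `#` lines are annotations to strip before pasting.

```fortios
# --- FortiGate (edge firewall) ---
# Static-NAT VIP: public address -> FortiWeb address in 10.10.10.0/24
config firewall vip
    edit "vip-erp-web"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.10.10.50"
    next
end

# Policy admits only HTTP/HTTPS to the VIP, so nothing else from the
# internet side is handed to FortiWeb
config firewall policy
    edit 0
        set name "inet-to-fortiweb"
        set srcintf "wan1"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "vip-erp-web"
        set service "HTTP" "HTTPS"
        set schedule "always"
        set action accept
    next
end

# --- FortiWeb (reverse proxy mode) ---
config router static
    # Default route through the FortiGate (e.g. to reach the internet)
    edit 1
        set dst 0.0.0.0/0
        set gateway 10.10.10.1
        set device port1
    next
    # Back-end server farm sits in a different subnet from FortiWeb,
    # so it needs its own route through the core switch
    edit 2
        set dst 20.20.20.0/24
        set gateway 10.10.10.254
        set device port1
    next
end
```

Management traffic such as ping, SSH and SNMP is not covered by this policy and would follow the separate FGT-to-core path mentioned in the replies.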