amr_ali1
New Contributor

FortiWEB design

Dears,

I come from an F5 background and have one key question: how can we deploy FortiWeb in one-arm reverse proxy mode, and how can we enable source NAT to avoid asymmetric routing issues, as FortiWeb will not be the gateway of the application server, nor will it be inline between the public side and the app server?

atakannatak
Contributor II

Hi @amr_ali1 ,

Deploy FortiWeb on a single interface / VLAN in a DMZ and use the upstream firewall (FortiGate, router, etc.) to DNAT only HTTP/HTTPS traffic to FortiWeb’s virtual-server IP. FortiWeb then proxies the request to the real server, using its own interface IP as the source, so replies automatically return through the WAF—no extra routing tricks are needed. Keep the firewall configured to block all direct access to the back-end server IPs; otherwise a savvy client could bypass the WAF, a risk Fortinet highlights for one-arm topologies.

Because the server now sees FortiWeb’s IP, enable X-Forwarded-For so FortiWeb adds the real client address to an HTTP header; most web servers can log or trust that header. FortiWeb can also use the same header for its own enforcement and logging, keeping security events tied to the true user IP.

In short: forward only web ports to FortiWeb, let its built-in SNAT keep the path symmetric, insert an X-Forwarded-For header so the application still knows who the client is, and rely on the firewall to prevent any protocol or port that shouldn’t touch the servers from sneaking around the WAF.

NOTE: Fortinet’s own documentation stresses that you must rely on an upstream firewall to steer only web traffic to FortiWeb and block every bypass path. For environments that can’t tolerate those caveats, Fortinet recommends switching to a multi-arm (inline) design instead.

https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/211763/planning-the-network-t...

BR.

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

CCIE #68781

Atakan Atak
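As an added example (not from the post or from Fortinet), this is how the application server behind a one-arm FortiWeb could decide which address to log and enforce on: trust X-Forwarded-For only when the TCP peer is the WAF's interface IP, and take the right-most entry, the one the WAF appended. The WAF address 10.10.20.5 is an assumed value, and the example assumes the WAF appends to (rather than replaces) the header.

```python
from ipaddress import ip_address, ip_network

# Assumed value: the FortiWeb one-arm interface IP. After FortiWeb's built-in
# SNAT, this is the only TCP source the back-end should accept XFF from.
TRUSTED_PROXIES = [ip_network("10.10.20.5/32")]


def via_waf(peer_ip: str) -> bool:
    """True when the TCP peer is a trusted proxy (the WAF's interface IP).

    A request whose peer is anything else reached the server directly, i.e.
    the firewall's "only via the WAF" rule was bypassed; worth alerting on.
    """
    peer = ip_address(peer_ip)
    return any(peer in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: dict) -> str:
    """Return the address to log/enforce on for this request.

    peer_ip is the TCP source seen by the server. Only when that peer is the
    WAF is X-Forwarded-For consulted; a client that hit the server directly
    could have forged the header, so it is ignored and the peer is used.
    """
    if not via_waf(peer_ip):
        return peer_ip
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # The WAF appends the address it saw; anything earlier in the list may
    # have been supplied by the client, so walk from the right and use the
    # first entry that parses as an IP address.
    for hop in reversed(hops):
        try:
            ip_address(hop)
            return hop
        except ValueError:
            continue
    return peer_ip  # no usable header: fall back to the WAF's own IP


if __name__ == "__main__":
    # Constructed request: forged first entry, real client appended by the WAF.
    hdrs = {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}
    print(client_ip("10.10.20.5", hdrs))    # 203.0.113.7
    print(client_ip("198.51.100.9", hdrs))  # 198.51.100.9 (direct, header ignored)
```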
amr_ali1

Dear @atakannatak,

Thank you very much for clarifying these points. I just have one more question: how can I configure FortiWeb to perform source NAT? I'm specifically referring to the steps required to apply source NAT within the system.

atakannatak

Hi @amr_ali1 ,

Nothing extra—SNAT is automatic; FortiWeb already uses its own interface IP when it proxies the request to the back-end. If you need FortiWeb to use a different source IP, consult the three official guides below: first enable the Firewall feature, then create an SNAT policy that specifies the address FortiWeb should use when forwarding traffic.

https://docs.fortinet.com/document/fortiweb/7.4.2/cli-reference/689359/system-feature-visibility

https://docs.fortinet.com/document/fortiweb/7.4.1/cli-reference/296078/system-firewall-snat-policy

https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/238735/network-address-transl...

BR.

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

CCIE #68781

Atakan Atak
filiaks1

Isn't it better to use a NAT policy (Network address translation (NAT) | FortiWeb 7.6.4 | Fortinet Document Library), as if one IP address is used on the server side (the FortiWeb interface IP) it could trigger port exhaustion?
