Hi all :) We are trying to replace our Kemp LBs with FortiWeb + FortiADC and already have a FortiGate currently. Just wondering what the right way to do the setup would be to have the FortiWeb handle scanning the incoming web traffic as our WAF and the ADC performing as the load balancer. I know there are several methods of connecting these 3 devices in tandem but wondering if anyone is doing that now, and what your setup looks like so I can get an idea of what might work for us. Much of the confusion for me stems from how the traffic is handed off between the units and what makes sense in terms of how they communicate based on what they do. We have met with Fortinet SEs a couple of times and really haven't gotten the explanation we wanted. Much appreciated.
Hello,
You may want to check a typical topology shown here https://www.fortinet.com/solutions/enterprise-midsize-business/protect-web-apps that includes a FortiDDoS and FortiSandbox in addition.
Best regards,
Jin
Created on 04-18-2022 01:55 AM
Hello fluis,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Fortinet Community Team
Hi @fluis, apart from the physical set-up that @ mentioned, I would like to add a small design suggestion to make the FADC see the client IP address at Layer 3. On FortiWeb, by enabling the 'Client Real IP' option in the server policy, you can have it keep the client IP address in the back-end communication when it forwards clean HTTP requests received from clients to the FADC virtual IP.
And with 'rt-cache-reverse' enabled in the router setting on the FADC (this is enabled by default), the return traffic from the FADC will be sent out of the same interface (the VIP interface) on which it received the packets from the FortiWeb, with the destination MAC set to the source MAC seen in the received packet from the FortiWeb (which should be the MAC address of the FortiWeb interface facing the FADC).
With this configuration, you can avoid configuring X-Forwarded-For on FortiWeb, and the FADC can see the client IP address at Layer 3.
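To show what the reply above lets you avoid, here is an added example (not from this thread and not Fortinet code) of the X-Forwarded-For handling a back end needs when the client IP is *not* preserved at Layer 3. The WAF address in `TRUSTED_PROXIES` is a hypothetical placeholder; the request values are constructed. The rule it implements is the usual safe one: trust XFF only when the direct peer is a known proxy, and walk the chain from the right until the first hop that is not one of your own devices, since anything further left was supplied by the client. When the FortiWeb forwards with the real client IP at Layer 3, the peer is the client itself and the function simply returns it, which is the case the reply describes.

```python
import ipaddress


# Hypothetical address of the FortiWeb interface facing the back end.
# Constructed for this example; not taken from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.10/32")]


def _parse_ip(text):
    """Return an ip_address object or None if the text is not an IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip_text, trusted):
    """True only if the text is a valid IP inside one of the trusted networks."""
    addr = _parse_ip(ip_text)
    return addr is not None and any(addr in net for net in trusted)


def client_ip_from_xff(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Derive the real client IP seen by a back end behind a proxy chain.

    remote_addr: Layer 3 source of the connection as the back end sees it.
    xff:         raw X-Forwarded-For header value, or None if absent.
    trusted:     networks of proxies we operate (e.g. the WAF's back-end side).

    Rules:
    1. If the peer is not a trusted proxy, the header is ignored: any client
       can write an arbitrary X-Forwarded-For, so it proves nothing.
       This is also the Layer 3 'Client Real IP' case: the peer is the client.
    2. Otherwise walk the comma-separated chain from the right (nearest hop)
       and return the first address that is not one of our proxies.
    3. Malformed entries or an all-trusted chain fall back to the peer address.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _parse_ip(hop) is None:
            # Garbage in the chain: do not propagate it into logs or ACLs.
            return remote_addr
        if not _is_trusted(hop, trusted):
            return hop
    # Every hop was one of our own proxies; nothing better than the peer.
    return remote_addr


if __name__ == "__main__":
    # Constructed sample requests (documentation-range addresses).
    samples = [
        ("203.0.113.5", None),                      # L3 client IP preserved
        ("10.0.1.10", "203.0.113.5"),               # WAF added XFF
        ("10.0.1.10", "198.51.100.7, 203.0.113.5"), # client-spoofed left entry
        ("192.0.2.9", "203.0.113.5"),               # untrusted peer, XFF ignored
        ("10.0.1.10", "not-an-ip"),                 # malformed header
    ]
    for peer, header in samples:
        print(f"peer={peer!r:16} xff={header!r:32} -> {client_ip_from_xff(peer, header)}")
```

The third sample is the important one: a client that sends its own `X-Forwarded-For: 198.51.100.7` still resolves to `203.0.113.5`, because the WAF appends the address it actually saw on the right and the walk stops there. Preserving the client IP at Layer 3, as the reply suggests, removes the need for this trust logic on the back end entirely.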
Copyright 2024 Fortinet, Inc. All Rights Reserved.