Support Forum
fluis
New Contributor

Is anyone using a FortiGate + FortiADC + FortiWeb in combination?

Hi all :) We are trying to replace our Kemp LBs with FortiWeb + FortiADC and already have a FortiGate currently. Just wondering what the right way to do the setup would be to have the FortiWeb handle scanning the incoming web traffic as our WAF and the ADC performing as the load balancer. I know there are several methods of connecting these 3 devices in tandem but wondering if anyone is doing that now, and what your setup looks like so I can get an idea of what might work for us. Much of the confusion for me stems from how the traffic is handed off between the units and what makes sense in terms of how they communicate based on what they do. We have met with Fortinet SEs a couple of times and really haven't gotten the explanation we wanted. Much appreciated.

jintrah_FTNT
Staff

Hello,

You may want to check the typical topology shown at https://www.fortinet.com/solutions/enterprise-midsize-business/protect-web-apps (it includes a FortiDDoS and a FortiSandbox in addition).

Best regards,

Jin

Anonymous
Not applicable

Hello fluis,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

Thanks,

Fortinet Community Team

ddsouza_FTNT
Staff

Hi @fluis. Apart from the physical set-up that @ mentioned, I would like to add a small design suggestion to make the FADC see the client IP address at Layer 3. On FortiWeb, by enabling the 'Client Real IP' option in the server policy, you can have it keep the client IP address in the back-end communication when it forwards clean HTTP requests received from clients to the FADC virtual IP.

[Screenshot: ddsouza_FTNT_0-1650273996764.png]

And with 'rt-cache-reverse' enabled in the router setting on the FADC (this is enabled by default), the return traffic from the FADC will be sent out of the same interface (the VIP interface) on which it received the packets from the FortiWeb, with the destination MAC set to the source MAC seen in the received packet from the FortiWeb (this should be the MAC address of the FortiWeb interface facing the FADC).

[Screenshot: ddsouza_FTNT_1-1650274250920.png]

With this configuration, you can avoid configuring X-Forwarded-For on the FortiWeb, and the FADC can see the client IP address at Layer 3.
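To show why the reverse route cache matters once FortiWeb keeps the real client IP as the Layer 3 source, here is an added Python model of the return-path decision described above (example code written for this thread, not Fortinet's implementation). The interface names, MAC addresses, IPs and ports are constructed; the FortiWeb and gateway MACs are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Frame:
    """One Ethernet/IP frame as seen by the load balancer (constructed model)."""
    iface: str       # interface the frame arrived on
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


class AdcDataPath:
    """Minimal model of how the ADC picks the egress path for a reply."""

    def __init__(self, routes, rt_cache_reverse=True):
        # routes: (prefix, egress iface, next-hop MAC); the default route goes last
        self.routes = [(ip_network(p), i, m) for p, i, m in routes]
        self.rt_cache_reverse = rt_cache_reverse
        self._cache = {}  # flow tuple -> (ingress iface, MAC of the sending peer)

    def receive(self, f: Frame):
        # Remember where the request came in and who handed it to us
        self._cache[(f.src_ip, f.src_port, f.dst_ip, f.dst_port)] = (f.iface, f.src_mac)

    def reply(self, src_ip, src_port, dst_ip, dst_port):
        """Return (egress iface, destination MAC) for a reply in this flow."""
        key = (dst_ip, dst_port, src_ip, src_port)  # reversed request tuple
        if self.rt_cache_reverse and key in self._cache:
            return self._cache[key]  # same interface, back to the peer's MAC
        addr = ip_address(dst_ip)    # otherwise a plain routing-table lookup
        for net, iface, mac in self.routes:
            if addr in net:
                return iface, mac
        raise LookupError("no route to %s" % dst_ip)


# Constructed scenario: client -> FortiWeb ('Client Real IP' on) -> FADC VIP on port2
CLIENT_IP, VIP = "203.0.113.10", "10.0.1.100"
FORTIWEB_MAC = "02:00:00:00:0f:01"   # hypothetical FortiWeb MAC facing the FADC
VIP_MAC = "02:00:00:00:0a:01"        # hypothetical FADC VIP interface MAC
GW_MAC = "02:00:00:00:00:01"         # hypothetical default gateway MAC on port1
ROUTES = [("0.0.0.0/0", "port1", GW_MAC)]


def reply_path(rt_cache_reverse: bool):
    """Where does the FADC send the reply to a request relayed by the FortiWeb?"""
    adc = AdcDataPath(ROUTES, rt_cache_reverse)
    adc.receive(Frame("port2", FORTIWEB_MAC, VIP_MAC, CLIENT_IP, VIP, 51514, 443))
    return adc.reply(VIP, 443, CLIENT_IP, 51514)
```

With `rt-cache-reverse` modelled as enabled the reply leaves on port2 addressed to the FortiWeb's MAC; disabled, the routing lookup on the preserved client IP sends it via the default gateway on port1, so the response would bypass the WAF and the client's TCP session would break.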
