Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fluis
New Contributor

Created on ‎04-13-2022 09:14 AM

Is anyone using a Fortigate + FortiADC + FortiWeb in combination?

Hi all :) We are trying to replace our Kemp LBs with FortiWeb + FortiADC and already have a Fortigate currently. Just wondering what the right way to do the setup would be to have the Fortiweb handle scanning the incoming web traffic as our WAF and the ADC performing as the load balancer. I know there are several methods of connecting these 3 devices in tandem but wondering if anyone is doing that now, and what your setup looks like so I can get an idea of what might work for us. Much of the confusion for me stems from how the traffic is handed off between the units and what makes sense in terms of how they communicate based on what they do. We have met with Fortinet SE's a couple of times and really haven't gotten the explanation we wanted. Much appreciated.

https://9apps.ooo/
https://9apps.ooo/
Labels:
2785
0 Kudos
3 REPLIES 3
jintrah_FTNT
Staff
Staff

Created on ‎04-17-2022 11:30 PM

Hello,

You may want to check a typical topology shown here https://www.fortinet.com/solutions/enterprise-midsize-business/protect-web-apps that includes a FortiDDoS and FortiSandbox in addition.

 

Best regards,

Jin

2715
0 Kudos
Anonymous
Not applicable

Created on ‎04-18-2022 01:55 AM

Hello fluis, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Fortinet Community Team

2713
0 Kudos
ddsouza_FTNT
Staff
Staff

Created on ‎04-18-2022 02:37 AM Edited on ‎04-18-2022 02:46 AM

Hi @fluis  Apart from the physical set-up that @   mentioned, I would like to add a small design suggestion to make FADC see the Client IP address at Layer 3.  On Fortiweb, by enabling 'Client Real IP' option in the server policy, you can have it keep the client IP address in the back end communication when it forwards clean HTTP requests received from clients to the FADC Virtual IP

ddsouza_FTNT_0-1650273996764.png

And with 'rt-cache-reverse' enabled in the router setting on FADC (this is enabled by default)The return traffic from the FADC will be sent out of the same interface (VIP interface) where it received the packets from the Fortiweb and the destination MAC set to the Source MAC seen in the received packet from the Fortiweb (should be MAC address of the Fortiweb facing FADC)

 

ddsouza_FTNT_1-1650274250920.png

With this configuration, you can avoid configuring X-Forwarded-for on Fortiweb and FADC can see the Client IP address at the Layer 3

2710
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.