Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
timothyd
New Contributor II

Multiple HTTP/S ingress on a single Public IP

I have a WAN connection with a single public IP. Behind the FortiGate appliance, I have an HAProxy server which farms out the HTTP requests to the relevant backends based on the HTTP `Host` header. 

 

At the moment, I have two port forwards on the FortiGate appliance, which forward all HTTP/S requests to HAProxy. From there, I use ACLs within HAProxy to control which IPs are authorised to use each backend. I would like to remove those HAProxy ACLs and manage ALCs in FortiGate.

 

Like what I've done in HAProxy, each backend has a unique set of IPs that are authorised to send HTTP/S requests. There are a few instances where some of the backends are open to the public and other instances where the backends are restricted to specific IPs. All of these backends share the same public port (i.e. 80/443) so the FortiGate ACL needs to be defined using the `Host` header.

 

How would I go about doing this?

Timothy
Timothy
3 REPLIES 3
gfleming
Staff
Staff

You would most likely need FortiWeb WAF to accomplish this. Is there a reason you don't want to continue using HAProxy for ACL?

 

Fortigate supports host-based server load balancing (like what HAProxy is doing) but there is no way to restrict access to each individual real server. The policy would reference the server load balancer VIP which would be a catch-all for all real servers:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-up-a-VIP-load-balance-with-HTTP-ho...

 

 

 

Cheers,
Graham
timothyd
New Contributor II

The main reason is that I'm trying to get more exposure and understanding of Fortinet products and their capabilities. I have a few backends where the source IP list is dynamic, and I was planning on using the External Blocklist Policy feature (click here) to manage the ACLs.

 

It seems like this is also possible with HAProxy (click here). Haven't tested this, but it looks promising. Will report back with my findings.

Timothy
Timothy
gfleming

Ya the blocklist policy is a good feature and can be applied to any firewall policy. Unfortunately you would only have one firewall policy pointing to your HAProxy (or Load-Balanced servers if using FortiGate VIP) so there's no way to be granular in your ACL for internal real servers when using FortiGate.


FortiWeb WAF would be able to do this. Or ForitADC.

Cheers,
Graham
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors