Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Infotech22
Contributor

Created on ‎12-19-2023 02:21 AM

Protecting Web Server app

Hello to all,

I would like to get some best practices for securing web server that we are exposing to internet.

I will use Interface with DMZ role, disable everything (ping, http, https...). 
Will create VIP object and map it to our external IP address.
From inside network I will allow only ssh to the server and for external access to the server I will leave only https and dns.

Will use default Web Application Firewall security profile.
Now the question is what else could I do to secure it more, to add some other Security Profiles like IPS etc?

Labels:
1610
0 Kudos
5 REPLIES 5
msolanki
Staff
Staff

Created on ‎12-19-2023 02:45 AM

You can use the other profile and other way is you can use virtual server option which will give additional certificate inspection layer to add more security posture 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-configuration-for-HTTPS-Virtua...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-multiple-certificates-for-in...

1602
Infotech22
Contributor
In response to msolanki

Created on ‎12-19-2023 04:14 AM

Hello,

This is not so clear for me at the moment so I will skip this part.
We need it today so I will consider this a little bit later when I grasp it.

Thank you

1583
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎12-19-2023 03:59 AM Edited on ‎12-19-2023 03:59 AM

Hello

In addition to @msolanki post I'd add the following.

  • Add IPS (protect-web-server profile)
  • Adding restricted App Ctrl may add security (e.g.: HTTPS.BROWSER)
  • Block bad IP (as client) at policy level (CLI only)
  • Allow connections from specific region if needed (GeoIP)
  • Is there any reason to allow DNS access from outside?
AEK
AEK
1592
Infotech22
Contributor
In response to AEK

Created on ‎12-19-2023 04:13 AM

Hello,

1. I created web-server profile with next config:

  • Severity: High, Critical
  • Target: Server
  • Protocol: HTTPS
  • Action to BLOCK

2. Web Application Firewall Profile with default settings
3. Certificate Inspection

Disabled NAT, All Sesions, Inspection mode set to Proxy.
Service: HTTPS, DNS

To be honest for DNS I'm not sure, what would be the best case for that?

1584
0 Kudos
AEK
SuperUser
SuperUser
In response to Infotech22

Created on ‎12-19-2023 05:55 AM

Hi

You don't need to open DNS access from external unless you have a DNS server to publish.

AEK
AEK
1570
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.