we just bought a fortiweb and in my network, most of our servers dont use http and https ports but instead they use ports like udp and tcp 3500 , 3501 and so on. My question is the following: is fortiweb used to protect servers that don't use HTTP or HTTPS? like how described in my environment? or it is exclusively used for http and https access? because the idea to place all my services that use tcp and udp ports behind a fortiweb? because when im checking config guides on fortiweb it shows the policy configuration is always showing a http and https profiles, while many of my servers don't use http and https and use other ports for other applications like GPS and so on
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
FortiWeb is a security device to protect and manage HTTP/HTTPS (and FTP) traffic.
You're mixing ports with protocols .
If you're sending traffic HTTPS/HTTP traffic using non-standard ports ( 8081 or 7001 for instance) you could send use custom service to match that HTTP traffic and Fortiweb can proxy and protect it.
But if your traffic under those 3501 TCP ports is not HTTP/HTTPS, Fortiweb has no business being there
regards
/ Abel
@bzh87 By using the following configuration, you can achieve basic load balancing of TCP port traffic between real servers.
1. Create a custom TCP service port for TCP port 3500 and call it as an HTTP service in the server policy.
2. Turn off HTTP parsing in the server policy in CLI by enabling 'noparse' setting (basically Fortiweb stops parsing the TCP data with noparse enabled)
But please note that Persistence doesn't work and System doesn't generate traffic logs, so it adds a little value (persistence + traffic logs for tshooting/future reference) compared to what typical Load Balancers do.
UDP load balancing is not possible on Fortiweb as it can't listen for UDP port traffic.
Hello,
FortiWeb is a security device to protect and manage HTTP/HTTPS (and FTP) traffic.
You're mixing ports with protocols .
If you're sending traffic HTTPS/HTTP traffic using non-standard ports ( 8081 or 7001 for instance) you could send use custom service to match that HTTP traffic and Fortiweb can proxy and protect it.
But if your traffic under those 3501 TCP ports is not HTTP/HTTPS, Fortiweb has no business being there
regards
/ Abel
so fortiweb is mainly used for web pages on browsers nothing else?
Q: "so fortiweb is mainly used for web pages on browsers nothing else?"
A:
FortiWeb is basically Web application proxy.
It can do a lot of things from request/response sanity checks, flow redirects and manipulation, in-flow injects like enhancing web access with Two-Factor/Multi-Factor authentication, handling Single Sign-On (SSO) .. and more.
But it does so for web based applications.
So it has nothing to do with for example protection for custom, proprietary, -protocol based applications.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
so fortiweb cant be used to load balance services coming to udp and tcp ports? only http and https? what other device can I use to load balance those ports to my servers?
@bzh87 You can use FADC Load Balancer product to load balance the traffic based on Layer4 (TCP/UDP ports)
Created on 03-14-2022 04:10 AM Edited on 03-14-2022 04:50 AM
No my issue is that we already bought fweb , so my main concern now is whether it can load balance tcp and udp ports or not for other non http / https applications.
I need a definitive answer that the fortiweb wont work and it needs to be replaced
@bzh87 By using the following configuration, you can achieve basic load balancing of TCP port traffic between real servers.
1. Create a custom TCP service port for TCP port 3500 and call it as an HTTP service in the server policy.
2. Turn off HTTP parsing in the server policy in CLI by enabling 'noparse' setting (basically Fortiweb stops parsing the TCP data with noparse enabled)
But please note that Persistence doesn't work and System doesn't generate traffic logs, so it adds a little value (persistence + traffic logs for tshooting/future reference) compared to what typical Load Balancers do.
UDP load balancing is not possible on Fortiweb as it can't listen for UDP port traffic.
thanks so much
You're welcome :)
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1643 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.