Fortiweb asks for cors, fortigate does not! Why?

Kevinblac · ‎10-10-2023

We have a web app which when it goes through fortigate via normal port forward, it loads up well but when we configure the app to go through fortiweb we face a CORS error "No 'Access-Control-Allow-Origin' header is present on the requested resource." Tried configuring cors on the fortiweb policies or on the iis web server but the error persists.

Any idea why fortiweb is asking for cors while fortigate everything is okay?
The current setup is:
Internet -> Fortigate -> fortiweb -> app

spoojary · ‎10-10-2023

FortiWeb inspects traffic more granularly than Fortigate.
It might be stripping or altering the required CORS headers.
Ensure CORS settings in IIS are correctly configured.
Check if FortiWeb has policies that alter or block HTTP headers.
Whitelist the necessary CORS headers in FortiWeb.
Browsers enforce CORS for security against malicious cross-origin requests.
FortiWeb's deeper inspection can cause the headers to be dropped.
Debug using network tools to see headers sent/received.
Always ensure your web app's origin is properly set.
Adjust FortiWeb policies to align with the application's CORS requirements.

Siddhanth Poojary

Kevinblac · ‎10-11-2023

So was able to get around the cors error however it seems we cannot make a call to our db server which is hosted on another box. Getting 404 errors yet with fortigate we were to reach it with no problem. Tried to look at the logs but can really get anything out of it.

Any further ideas?

Attached is the error message.