FortiWeb - Basic Protect Webpage

Problem

FortiWeb is an excellent solution to protect web applications based on HTTP/HTTPS. 
The big question is how to configure the appliance for basic protection.

Solution

Scenario

An internal web server should be accessible from the Internet. However, it is located in the LAN zone and should therefore be protected from the outside by a FortiWeb.

Configuration Options

You have two different configuration options. Decide which one fits you better:

Single Server/Server Load Balance

Generally, only one server policy can be created per Virtual IP. With this limitation, this method is a kind of IP-to-IP connection.
Here you define a Virtual IP which is mapped to a Server Pool. A Server Pool can have one or more Real Servers.
This means that with the Server Load Balance variant, the HTTP header cannot be used to distinguish requests, and the policy decision is based on the IP address.

Content Routing

This method decides which server pool to use based on the HTTP header host field.
This means that, for example, a different server pool can be addressed per URL or sub-URL.

Example:
web.example.com matched on 192.168.10.100
webapp.example.com matched on 192.168.10.101
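
To illustrate the Host-header decision described above, here is a simplified Python model, added as an example; it is not FortiWeb code or configuration. The hostnames and addresses come from the example above; the function names and the choice to leave unmatched or malformed hosts unrouted are assumptions of this model.

```python
# Simplified model of Host-header content routing (added example, not FortiWeb code).
from typing import Optional

# Routing table taken from the example on this page.
CONTENT_ROUTES = {
    "web.example.com": "192.168.10.100",
    "webapp.example.com": "192.168.10.101",
}


def normalize_host(host_header: str) -> Optional[str]:
    """Reduce a raw Host header value to a bare lowercase hostname.

    Returns None for values that should never be routed (empty, or
    containing characters that are not valid in a hostname).
    """
    host = host_header.strip().lower()
    # Drop an optional ":port" suffix (IPv6 literals are out of scope here).
    if ":" in host:
        host, _, port = host.rpartition(":")
        if not port.isdigit():
            return None
    # A trailing dot denotes the same fully qualified name.
    host = host.rstrip(".")
    if not host:
        return None
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789-.")
    if not set(host) <= allowed:
        return None
    return host


def select_pool(host_header: str) -> Optional[str]:
    """Return the server pool address for a request, or None if no route matches."""
    host = normalize_host(host_header)
    if host is None:
        return None
    # Exact match only: a name that merely contains a routed hostname
    # (prefix or suffix) must not reach that pool.
    return CONTENT_ROUTES.get(host)
```

Requests that arrive with the bare IP address or an unknown name in the Host header get no pool in this model, which is the behaviour to verify on the appliance after configuring the routing table.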

The first thing to decide is which of the two variants you want to use!

Health Check

The FortiWeb comes with many predefined health checks. Check beforehand if you can use one of them.
Otherwise you have to define your own health check. Please refer to the documentation.

Server Pool

First, the Real Servers have to be defined. These are defined under "Server Objects->Server->Server Pool".
The configuration is self-explanatory:

HTTP Content Routing

If you have decided on the second variant (content routing), the matching between URL and server pool must be established next. This is done via the entries in the HTTP content routing table.
If you have chosen the first variant, you can skip this step. 
Consult the documentation from Fortinet for more information: User Guide

Virtual IP

It is recommended to use a virtual IP address for the virtual servers.
This IP address is addressed by the clients.
Define this under "System->Network->Virtual IP".

Virtual Server

The last object needed is a Virtual Server.
This is defined under "Server Objects->Server->Virtual Server" and represents the link to the previously defined Virtual IP.

Server Policy

With all the defined objects, a policy for access can now be created.
A distinction is made depending on whether the Content Routing or the Server Balance method was selected.

Content Routing


  • Deployment Mode: Choose between Content Routing or Server Balance (see description above)
  • Virtual Server: Select the defined Virtual Servers and choose which virtual IP this policy should listen to.
  • HTTP Content Routing: Define the matching between Content Routing Policies and Server Pools.
  • Protected Hostnames: See documentation
  • HTTP Service: Select the predefined HTTP Service. Normally that fits. Otherwise read here.
  • HTTPS Service: The same as for the HTTP Service.
Those are the important settings. All services are described in the documentation.



