DOCUMENT LIBRARY

FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual Domain (VDOM) and Administrative Domain (ADOM)
FortiADC's role and placement in network topology
- Choosing the right deployment: Layer 2, Layer 4, and Layer 7 traffic processing
- Layer 2 deployment mode (Inline Transparent Deployment)
- Layer 4 Deployment modes
- Layer 7 deployment mode (Reverse Proxy Deployment)
Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
FortiAI Assistant
- Enabling Administrator Access to FortiAI
- Using FortiAI
- Generating Lua Scripts with Text-to-Script
- FortiAI Tokens and Licensing
- FortiAI Data Privacy and Security
- FortiAI Example Tasks
Dashboard
- Widgets
- Dashboard management tools
Security Fabric
- Automation
- Fabric connectors
- External connectors
FortiView
- Logical Topology
- Server Load Balance
- Security
- System
  - Event Logs
  - Automation
- Global Load Balance
  - Host
  - Data Analytics
- Link Load Balance
  - Gateway
- ZTNA FortiClient endpoint
- AAG User Sessions
System
- Settings
- Cloud Auto Scaling
- Azure LB Backend
- Virtual Domain
- High Availability
- Traffic Group
- Administrator
- Global Resources
- WCCP
- SNMP
- Replacement Messages
- FortiGuard
- Debug
- Certificate
- Feature Visibility
Network
- Interface
- Routing
- NAT
  - Configuring source NAT
  - Configuring 1-to-1 NAT
- QoS
- Packet capture
Shared Resources
- Health Check
- Schedule Group
- Address
- Service
  - Creating service groups
  - Creating service objects
Server Load Balance
- Virtual Server
- Application Resources
- Application Optimization
- Real Server Pool
- Scripting
  - Using HTTP scripting
    - Waiting Room for virtual queuing
  - Using Stream scripting
- SSL-FP Resources
Link Load Balance
- Link Policy
- Link Group
- Virtual Tunnel
Global Load Balance
- GLB Wizard
- FQDN
- Zone Tools
- Global Object
Web Application Firewall
- OWASP TOP10
- WAF Profile
- Known Web Attacks
  - Configuring a Web Attack Signature policy
  - Using the Signature Creation Wizard
- Common Attacks Detection
- Sensitive Data Protection
  - Configuring a Cookie Security policy
  - Configuring an HTTP Header Security policy
- Data Loss Prevention
- Input Validation
- Access Protection
- CORS Protection
- API Protection
- Bot Mitigation
- Web Vulnerability Scanner
WAF Adaptive Learning
- Configuring an Adaptive Learning policy
- Viewing Adaptive Learning Analysis and Recommendation
- Practical Applications of Adaptive Learning
- Adaptive Learning troubleshooting and debugging
Advanced Bot Protection (ABP)
- Enabling the Advanced Bot Protection connector
- Obtaining the Application ID from the FortiGuard ABP User Portal
- Configuring an Advanced Bot Protection policy
- Advanced Bot Protection troubleshooting and debugging
Network Security
- Firewall
- Intrusion Prevention
- AntiVirus
- IP Reputation
- Geo IP Protection
- DoS Protection
Zero Trust Network Access (ZTNA)
- How device identity and trust context is established with FortiClient EMS
- Configuring FortiClient EMS Connector for ZTNA
- Verifying client certificate, FortiClient endpoint and ZTNA tag synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- ZTNA troubleshooting and debugging
Application Access Manager
- Access Policy
- Agentless Application Gateway (AAG)
- User Authentication
Log & Report
- Using the traffic log
- Using the security log
- Using the script log
- Log Setting
- Report Setting
AI Threat Analytics
- AI Threat Analytics troubleshooting and debugging
SSL Advanced Services
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
- HSM Integration
Best Practices and Fine-tuning
- Regular backups
  - Rebooting, resetting, and shutting down the system
  - SCP support for configuration backup
- Security
- Performance tips
- High availability
FortiADC Use Cases
- DNS Load Balancing and DDoS Protection
- Global Server Load Balancing in Hybrid Environments
- Selecting the Optimal Mode: VDOM vs. ADOM
- SAP Application Integration
- Multi-Cloud Application Load Balancing
- Leveraging DevOps Tools (Ansible/Terraform) to Manage FortiADC
Troubleshooting
- Logs
- Tools
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Appendices
- Maximum Configuration Values
- Supported image versions for EOS models
Change Log

Home FortiADC 8.0.2 Administration Guide

8.0.2

Benefits and limitations of the DNAT mode

Key benefits

Client IP Preservation: Back-end servers see the original client IP address, as no source NAT is applied. This is ideal for environments where maintaining accurate client identity is important for logging, auditing, or security policies.
Back-End Server IP Protection: Clients interact only with the Virtual IP (VIP) configured on FortiADC, not the real IP addresses of the back-end servers. This setup prevents the exposure of internal server IPs to the Internet, effectively hiding the actual server infrastructure and reducing the attack surface.
Simpler Server Configuration: Unlike in Direct Routing (DR) mode, back-end servers do not need to be configured with the VIP. They operate using their own IP addresses, making deployment and maintenance simpler.

Benefits and limitations of the DNAT mode

Key benefits

Client IP Preservation: Back-end servers see the original client IP address, as no source NAT is applied. This is ideal for environments where maintaining accurate client identity is important for logging, auditing, or security policies.
Back-End Server IP Protection: Clients interact only with the Virtual IP (VIP) configured on FortiADC, not the real IP addresses of the back-end servers. This setup prevents the exposure of internal server IPs to the Internet, effectively hiding the actual server infrastructure and reducing the attack surface.
Simpler Server Configuration: Unlike in Direct Routing (DR) mode, back-end servers do not need to be configured with the VIP. They operate using their own IP addresses, making deployment and maintenance simpler.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

Administration Guide

Benefits and limitations of the DNAT mode

Benefits and limitations of the DNAT mode

Key benefits

Benefits and limitations of the DNAT mode

Benefits and limitations of the DNAT mode

Key benefits