Onboarding WAF applications
Onboarding an application to FortiAppSec Cloud's Web Application Firewall (WAF) activates protection features that defend against a variety of attacks. You can customize this protection by enabling or disabling specific WAF modules.
FortiAppSec Cloud intercepts and processes traffic to your application, where the WAF analyzes requests to detect and mitigate threats. Once onboarding is complete, the traffic flow should resemble the diagram below.
Onboarding steps
- Add the following IPs to the allowlist on your application server's firewall to enable FortiAppSec Cloud to access your application.
- 3.123.68.65
- 3.226.2.163
- Go to appsec.fortinet.com and log in with your FortiCloud account credentials.
- Navigate to WAF > Applications
- Click Add Application near the top right corner of the page. The Web Application Configuration wizard will open.
- Web Application Configuration
- Web Application Name: Enter a name for this application that will make it easy for you to identify within the FortiAppSec Cloud UI.
Wildcard entries are allowed for all domains in the list except the first one. Ensure that domain name entries don't overlap; for instance, you can't add both "www.example.com" and "*.example.com" together.
Wildcards only match strings at the same domain level; for example, "a.example.com" matches "*.example.com", but "a.a.example.com" does not.
You can later go to Network > Endpoints to change or add domains.
If you have multiple applications with different root domain names but sharing the same IP address, it requires special configurations. See Multiple domains sharing the same IP address.
- Network Settings
Configurations in this section ensure proper traffic routing and security protection.

- Select the services allowed on your application and their corresponding ports. FortiAppSec Cloud listens for HTTP and/or HTTPS traffic on the selected ports so that only legitimate traffic passes through. The default port number for HTTP is 80, and for HTTPS is 443. You can change it to a value between 1 and 65535 (inclusive). Make sure the port numbers for HTTP and HTTPS are not the same. If the port number you want to use is not in the drop-down list, please contact FortiAppSec Cloud Support or your sales engineer to customize the port number. Please note that not all non-standard ports can be used. For details on port and traffic configurations, see Endpoints.
If you would like to use additional ports on the same domain, see Adding additional HTTP or HTTPS ports to your domain.
- Select the IP address/FQDN for your web application. FortiAppSec Cloud will direct traffic to the specified IP address.
FortiAppSec Cloud automatically fetches and displays the available IP addresses and/or FQDNs associated with the domain you entered, using port 443 as the default. FortiAppSec Cloud keeps this information up to date.
You can also choose Customize to enter a different IP address/FQDN and port number.
If multiple origin servers host your web application, you can add them later in Network > Origin Servers.
- Under Server Protocol, configure the connection between FortiAppSec Cloud and the origin server. If you want to redirect HTTP traffic to HTTPS, ensure that you have selected HTTPS.
- Ensure the FortiAppSec Cloud service IPs from Step 1 have been added to your application's firewall before proceeding to the next step.
- Click Test Origin Server to ensure that FortiAppSec Cloud can connect to the origin server. By default, FortiAppSec Cloud sends a request to the URL path "/" to test the responsiveness of the server, then populates the response code received from the server in the Response Code field of the load balancing rule in Network > Origin Servers.
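The domain-list rules from the Web Application Configuration step (no wildcard as the first entry, no overlapping entries, wildcards matching one label only) and the port rules from Network Settings (1-65535, HTTP and HTTPS ports must differ) can be checked before opening the wizard. This is an added example written for this page, not FortiAppSec Cloud's own validation code; the function names and the sample domain list are constructed.

```python
"""Pre-flight check for one WAF application's Domain Name list and HTTP/HTTPS ports."""
from typing import Optional


def wildcard_matches(pattern: str, host: str) -> bool:
    """A wildcard covers exactly one label: "*.example.com" matches "a.example.com"
    but not "a.a.example.com", so the label counts must agree."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(pl in ("*", hl) for pl, hl in zip(p, h))


def overlaps(a: str, b: str) -> bool:
    """Two entries overlap when they are the same name or one wildcard covers the other."""
    a, b = a.lower(), b.lower()
    return a == b or wildcard_matches(a, b) or wildcard_matches(b, a)


def check_domains(domains: list) -> list:
    """Return the problems in the Domain Name list (an empty list means it is acceptable)."""
    problems = []
    if not domains:
        return ["at least one domain is required"]
    if "*" in domains[0]:
        problems.append(f"first entry {domains[0]!r} must not be a wildcard")
    for i, a in enumerate(domains):
        for b in domains[i + 1:]:
            if overlaps(a, b):
                problems.append(f"{a!r} and {b!r} overlap")
    return problems


def check_ports(http_port: Optional[int], https_port: Optional[int]) -> list:
    """Validate the listening ports: each within 1-65535, and HTTP and HTTPS must differ."""
    problems = []
    for name, port in (("HTTP", http_port), ("HTTPS", https_port)):
        if port is not None and not 1 <= port <= 65535:
            problems.append(f"{name} port {port} is outside 1-65535")
    if http_port is None and https_port is None:
        problems.append("select at least one service (HTTP or HTTPS)")
    elif http_port == https_port:
        problems.append(f"HTTP and HTTPS ports must differ (both {http_port})")
    return problems


if __name__ == "__main__":
    # Constructed sample input: root domain first, then a wildcard, then an overlapping host.
    print(check_domains(["example.com", "*.example.com", "www.example.com"]))
    print(check_ports(80, 443))
```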
- Application Location
The settings in this section define how your application data is handled, including caching, the cloud environment, and the scrubbing center location used for threat mitigation.
- Content Delivery Network (CDN)
If you enable CDN, the data on your origin servers can be cached in FortiAppSec Cloud scrubbing centers distributed around the world. When users visit your application, they are directed to the nearest scrubbing center and served the requested data.
With CDN enabled, you will be asked to select a specific continent or Global, which means your data will be cached on the scrubbing centers within a specific continent or around the world. Selecting a continent may reduce your traffic expense, as data transfer is restricted to that continent rather than the whole world. For the impact on traffic expense when CDN is enabled, see CDN.
By default, CDN is not enabled. This keeps your traffic bill to a minimum. Moreover, keeping traffic within the same region can help address compliance concerns.
However, if user experience is your top concern, we recommend enabling CDN.
If you can't decide now, you can revisit this option in WAF > Applications after this application is onboarded.
- Cloud Platform and scrubbing center
To make this selection, you must enable Preferred Platform under WAF > System Settings > Settings.
By default, Preferred Platform is disabled, and FortiAppSec Cloud automatically selects a scrubbing center based on your application server's cloud platform (AWS, Azure, or Google Cloud).
Cloud Platform: Specify the cloud platform for onboarding applications. Supported platforms include AWS, Azure, and GCP.
After onboarding, you cannot change an application's cloud platform. To switch platforms, you must delete the existing application and create a new one with the desired platform.
Scrubbing Center: The scrubbing center region within the chosen cloud platform.
To change the scrubbing center after onboarding, navigate to WAF > Applications.
- Settings
When Block mode is enabled, FortiAppSec Cloud blocks requests that trigger a violation. It's recommended to leave it disabled for the first week. During this period you can observe the attack logs and fine-tune the web protection configurations.
You can later enable Block Mode in the Dashboard when you are confident that the traffic flow is stable and legitimate traffic is not being falsely blocked as attacks.
DNS configuration
This section displays configuration instructions for settings managed outside FortiAppSec Cloud. Changing your DNS record according to the instructions below ensures that your application traffic is routed through FortiAppSec Cloud, where it is filtered for security before reaching your application servers.
Go to your DNS provider, update your DNS record, and create a new record for the Automatic Certificate challenge as recommended. This ensures that traffic to your application can be correctly directed to FortiAppSec Cloud.
If there are multiple DNS records corresponding to the domain name, make sure to change all of them using the provided CNAME. Otherwise, users may encounter errors when visiting your application.
If the traffic to your application server should be first forwarded to a Content Distribution Service such as AWS CloudFront, before flowing to FortiAppSec Cloud for threat detection, refer to Using WAF behind a Content Distribution Service.
Please note that FortiAppSec Cloud cannot get the DNS status if you use CloudFront, so the DNS status will always be "Unknown" whether or not you have added the DNS record.
Here we provide an example to show how to change the DNS record: Example: Changing DNS records on AWS Route 53
Note: You cannot directly access your website with the provided CNAME if you have not added the CNAME record in your DNS server. If you want to test it before changing the DNS record, follow the steps below.
- Run the ping or nslookup command to get the IP address of the CNAME.
- Modify the hosts file on your Windows or Linux machine by adding your application's domain name (for example, www.<domain_name>.com) and mapping it to the IP address obtained in the first step.
- Access the domain name with the browser to test it.
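The hosts-file test above, and the check that every DNS record for the domain has been switched to the provided CNAME, can both be scripted: connect to the CNAME's address while presenting the application's domain name in SNI and the Host header (so nothing on the machine needs editing), and compare the addresses the domain resolves to against those of the CNAME. This is an added example, not code from the FortiAppSec Cloud documentation; the placeholder domain and CNAME values are constructed and must be replaced with your own.

```python
import http.client
import socket
import ssl


def resolve(name: str) -> set:
    """Addresses a name currently resolves to (follows CNAMEs, as ping/nslookup do)."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def stray_records(app_addrs, cname_addrs) -> list:
    """Addresses in the application's DNS answer that the provided CNAME does not serve.
    Anything listed here is a record that was not changed, or a stale record."""
    return sorted(set(app_addrs) - set(cname_addrs))


def probe_via_cname(app_domain: str, cname: str, path: str = "/", timeout: float = 10.0) -> int:
    """The hosts-file test without touching the hosts file: open a TLS connection to the
    CNAME's address but present app_domain in SNI and Host, and return the HTTP status."""
    ip = sorted(resolve(cname))[0]
    ctx = ssl.create_default_context()   # certificate validation stays on
    raw = socket.create_connection((ip, 443), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=app_domain)
    conn = http.client.HTTPSConnection(app_domain, timeout=timeout)
    conn.sock = tls                       # reuse the socket already opened to the CNAME's address
    conn.request("GET", path)             # http.client sets Host: app_domain for us
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    APP = "www.example.com"               # constructed placeholder: your application's domain
    CNAME = "provided-cname.example"      # constructed placeholder: the CNAME shown in the wizard
    print("status via CNAME:", probe_via_cname(APP, CNAME))
    print("records not pointing at the CNAME:", stray_records(resolve(APP), resolve(CNAME)))
```

Before the DNS change, the probe result tells you whether FortiAppSec Cloud answers for your domain; after the change, an empty stray-record list confirms that no record still points directly at the origin.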
- To access the application you just onboarded, navigate to WAF > Applications and click the name of the application.

- The application security modules will appear in the navigation pane. FortiAppSec Cloud automatically assigns a security policy with the most basic web protection rules enabled. You can select additional protection rules using the Modules tab. See Add and Remove Modules.
- To ensure your application only receives traffic vetted by FortiAppSec Cloud, you must restrict traffic to only FortiAppSec Cloud IPs. Additionally, to prevent FortiAppSec Cloud from being flagged as a DDoS attack source, ensure you allow FortiAppSec Cloud IPs in your firewall. For instructions on doing this, please refer to Restricting direct traffic & allowing FortiAppSec Cloud IP addresses.
Adding additional HTTP or HTTPS ports to your domain
You can host multiple applications on the same domain and origin server, each distinguished by a different port. For example:
- app1 – www.example.com:443/app1
- app2 – www.example.com:8443/app2
To manage traffic across multiple HTTP or HTTPS ports, create multi-port applications by repeating the Onboarding steps, using the same domain but specifying different ports each time.
The following directions highlight the necessary configurations to consider when establishing multi-port applications.
- Follow Onboarding steps to create the first application for your domain, making sure to enter your root domain as the first domain in the Web Application Configuration step. An example of a root domain is fortinet.com, whereas shop.fortinet.com would be considered a subdomain.
Before creating your first multi-port application, please note the following:
- If you need to onboard multiple ports using the same protocol (e.g., HTTPS port 443 and HTTPS port 8443) for the same domain, you must onboard each port as a separate application.
- You cannot change the region/CDN while multi-port is enabled. If you need to edit the region/CDN of your application, we recommend doing this before adding any multi-port applications.
- To switch regions or CDNs, delete all multi-port applications of a domain, leaving only the original application. After changing the region, you will need to manually recreate the multi-port applications to resume traffic from the other ports.
- If you need to use a custom certificate on an application, re-enter the certificate for each multi-port application.
- When managing sub-domains with different port requirements, create them as separate applications. This ensures each sub-domain can manage its own port settings independently, without overlapping configurations.
- Return to WAF > Applications to add your first multi-port application.
- Click Add Application.
- In the Web Application Configuration step, ensure the root domain you used to create the first application for this domain is listed as the first entry under Domain Name. For more details on the configuration options on this page, see above.
- Under Network Settings, select the HTTP and/or HTTPS ports you would like to add to your application.
- Since you are configuring a multi-port application, be sure to select Customize and manually enter the origin server.
- On the same page, click Test Origin Server. If FortiAppSec Cloud detects multiple applications with the same domain, a message in the top-right corner of your window indicates that you are creating a multi-port application.
- On the CDN step, you will be unable to change the settings on this page because multi-port is enabled. Click Next to move on to the next step.
- On the Settings step, configure Block mode and Template for your multi-port application. For details on these configuration options, see above.
- The Change DNS step provides the same instructions as when you first created your application's initial instance. If you have already completed these steps, you can simply click Close to exit the wizard, as there is no need to repeat them.