Network
What public cloud regions are currently supported?
For a complete list of supported regions, please see Restricting direct traffic & allowing FortiAppSec Cloud IP addresses.
How do I request support for additional Public Cloud regions?
Please contact your local sales engineer for the latest roadmap on adding additional regions.
Can one account protect applications in multiple regions?
Yes, the WAF module allows each application to be assigned a region during onboarding, so customers are not restricted to a single region. Additionally, the GSLB module enables load balancing across multiple locations and regions.
Can FortiAppSec Cloud WAF protect applications that are not hosted on a public cloud?
Yes, FortiAppSec Cloud WAF is not limited to applications hosted on a specific public cloud.
Can FortiAppSec Cloud WAF protect applications that are hosted on non-standard ports?
Yes, predefined non-standard ports are available for selection during the onboarding process. If you need support for a different port, please contact support.
Can FortiAppSec Cloud WAF protect multiple web applications on the same account?
Yes, please review License & Contract for information on usage limits for different license options.
Does FortiAppSec Cloud WAF offer a Content Delivery Network (CDN) service?
Yes, you can enable Global CDN at no additional cost. For more details, please refer to the CDN section.
When using the WAF service for my application, what do I need to implement outside of the FortiAppSec Cloud web portal?
To implement the WAF service, make the following changes outside of the FortiAppSec Cloud platform:
- DNS Update: Modify the DNS entry of your web application to point to FortiAppSec Cloud WAF.
- Traffic Forwarding Configuration: Configure FortiAppSec Cloud with the original web application IP so that it can forward traffic accordingly.
- Client Traffic Flow: With this setup, traffic from clients first reaches FortiAppSec Cloud and is then forwarded to your web application.
FortiAppSec Cloud WAF's onboarding wizard will guide you through these steps for seamless implementation.
How can I add applications running on a non-standard port?
FortiAppSec Cloud uses port 80 for HTTP and port 443 for HTTPS by default. Non-standard ports are also available; you can select them when you onboard applications. Note that if a non-standard port is selected for HTTPS, you cannot configure HTTPS redirection.
If you need to use different ports, contact FortiAppSec Cloud Support or your sales engineer for further help. Note that not all non-standard ports can be used, and HTTP and HTTPS services must use different ports.
When onboarding an application, do all domains need to be part of the same root domain?
Yes, all the domains should belong to the same root domain, such as www.example.com and mail.example.com.
After the application is onboarded, you can go to Network > Endpoints to change or add domains, but you cannot change the first domain in the list. It is highly recommended to use the root domain as the first domain.
Up to how many origin servers can I add for one application?
You can add at most 128 origin servers to the server pool of an application.
What is an Automatic Certificate?
WAF automatically obtains an SSL certificate on your behalf from Let’s Encrypt within two minutes of the DNS
Thirty days before your certificate expires, WAF verifies again that your DNS
What do I need to pay attention to if I use automatic certificates?
FortiAppSec Cloud WAF automatically retrieves SSL certificates from the certificate authority Let's Encrypt. See Automatic Certificate for the things you should pay attention to if an automatic certificate is used.
What's a Certification Authority Authorization (CAA) record, and do I need to use it? How does it affect automatic certificates?
DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.
If you have configured a CAA record at your DNS service and want to use automatic certificate in FortiAppSec Cloud, make sure to add "letsencrypt.org" in the CAA value. This allows Let's Encrypt to issue certificates for your domain name.
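The CAA check above is what a CA performs before issuing. As an added example (not FortiAppSec Cloud's own logic), the following Python evaluates a domain's CAA policy for a given CA the way RFC 8659 describes: climb to the nearest name that has CAA records, let issuewild govern wildcard names, refuse on unknown critical properties, and treat a bare ";" as "no CA may issue". The zone contents are constructed sample data.

```python
"""Evaluate DNS CAA (RFC 8659) authorization for a CA such as Let's Encrypt."""
from dataclasses import dataclass

@dataclass
class CaaRecord:
    flags: int   # bit 7 (0x80) is the "issuer critical" flag
    tag: str     # issue, issuewild, iodef, ...
    value: str   # issuer domain, optionally followed by ";" parameters

def parse_caa(rr: str) -> CaaRecord:
    """Parse presentation form such as '0 issue "letsencrypt.org"'."""
    flags, tag, value = rr.split(None, 2)
    return CaaRecord(int(flags), tag.lower(), value.strip().strip('"'))

def relevant_rrset(zone: dict, fqdn: str) -> list:
    """Climb from the name toward the root; the first name holding CAA records
    is the relevant RRset (a wildcard's leading '*.' is dropped first)."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return [parse_caa(r) for r in zone[candidate]]
    return []

def ca_may_issue(zone: dict, fqdn: str, ca: str = "letsencrypt.org") -> bool:
    """True if the CA is authorised to issue for fqdn under the zone's CAA policy."""
    rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere in the hierarchy: issuance is unrestricted
    known = ("issue", "issuewild", "iodef")
    if any(r.flags & 0x80 and r.tag not in known for r in rrset):
        return False  # unknown critical property: the CA must refuse
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    governing = issuewild if fqdn.startswith("*.") and issuewild else issue
    if not governing:
        return True  # only iodef or similar present: no issuance restriction
    # An issuer value of just ";" names no CA, which forbids every CA.
    issuers = {r.value.split(";", 1)[0].strip().lower() for r in governing}
    return ca.lower() in issuers

SAMPLE_ZONE = {  # constructed sample zone: name -> CAA records in presentation form
    "example.com": ['0 issue "letsencrypt.org"', '0 issuewild ";"', '0 iodef "mailto:sec@example.com"'],
    "locked.example.com": ['0 issue ";"'],
}
```

With this zone, www.example.com is issuable by Let's Encrypt, *.example.com is not (the issuewild record wins for wildcards), and locked.example.com blocks every CA.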
What TLS versions are supported?
FortiAppSec Cloud supports TLS 1.1, 1.2, and 1.3.
What do I need to check if I still see “connection is not secure” in my browser?
Check the following if “connection is not secure” displays in the browser when users visit your application:
- If the HTTP protocol is used in this connection, enable the HTTPS service and Redirect all HTTP traffic to HTTPS in Network > Endpoints in FortiAppSec Cloud WAF, so that HTTP access is redirected to HTTPS, which is secured by SSL/TLS certificates.
- If the HTTPS protocol is used in this connection, check whether the certificates are valid:
  - If Custom Certificate is selected in Network > Endpoints, make sure the SNI certificates or intermediate certificates you imported are valid.
  - If Automatic Certificate is selected, see the following FAQs to troubleshoot:
How to check network connectivity when traffic does not go through?
To troubleshoot network connectivity when traffic doesn't go through, follow these steps:
- Ensure that you are using a supported web browser. FortiAppSec Cloud WAF supports Mozilla Firefox version 59 or higher and Google Chrome version 65 or higher. Other browsers may also display the pages correctly, but compatibility is not guaranteed.
- Check the error message displayed. If it shows a server connectivity issue, perform either one of the following actions:
  - Modify the local hosts file on your computer to map your application's domain name to the IP address of the origin server. Then enter the domain name of your application in the browser to verify that traffic goes through when FortiAppSec Cloud WAF is bypassed.
  - If there is more than one origin server, FortiAppSec Cloud WAF performs a health check and displays the server status in the Server Status widget on the Dashboard page, as well as in the Server Status column of the Origin Server page. Make sure the Health Check option is turned on and the URL Path on the Origin Server page is configured correctly, as FortiAppSec Cloud relies on it to verify server responsiveness. If the origin server is accessible, proceed to the following steps to identify the specific configuration on FortiAppSec Cloud causing the error. If the origin server is not accessible, the connectivity issue is unrelated to FortiAppSec Cloud WAF and you should troubleshoot the origin server.
- Verify the SSL Encryption Level configuration on the Origin Server page and ensure that your origin server supports the specified SSL Encryption Level.
- Disable HTTP/2 on the Origin Server page and check whether the traffic goes through. If it does, your origin server does not support HTTP/2, and the HTTP/2 option on FortiAppSec Cloud WAF should remain disabled.
- Analyze attack logs in Threat Analytics > Attack Logs to identify any WAF modules that may be blocking traffic.
How to get notified if an origin server fails?
FortiAppSec Cloud WAF supports sending logs to your syslog or ElasticSearch server to notify you of origin server status changes.
- Enable Health Check for the origin server in the Load Balancing rule in Network > Origin Server. Please note this setting is only available when the Server Balance is turned on.
- Refer to Audit logs for instructions on exporting logs to your syslog server.
How can I use FortiAppSec Cloud WAF with AWS ALB/ELB?
When using FortiAppSec Cloud WAF, the client's requests from the Internet are forwarded to WAF first before they reach the ALB/ELB.
When you onboard an application, for Origin Server settings in Step 2- Network, select Customize, then enter the ALB/ELB's domain name in IP Address or FQDN. Make sure to enter the domain name, not the IP address.
I entered a dynamic domain name for my origin server's address in Network Settings. How frequently does the WAF service update the IP address paired with this domain name?
The DNS record that pairs the dynamic domain name with an IP address carries a TTL (Time to Live) value. The WAF service updates the IP address according to this TTL: when the TTL expires, WAF resolves the domain name again to obtain the latest IP address.
The IP addresses of my origin servers keep changing. How can I configure FortiAppSec Cloud to automatically obtain the latest IP addresses?
You can use Cloud Connectors to obtain the IP addresses if your origin servers are deployed on AWS, Azure, or GCP.
- Create a Cloud Connector to authorize FortiAppSec Cloud WAF to access the resources in your public cloud account. See Cloud Connectors.
- In Network > Origin Servers, select Dynamic for Server Type, then configure Cloud Connector and Filter as instructed in Origin Servers.
How should I configure the network settings if my application offers different content through HTTP and HTTPS?
See Network settings for applications serving different content over HTTP and HTTPS for more information.
How can I get notified of newly added WAF IP addresses?
- Check the inbox of your account email. Search for the keywords "new WAF cluster" in messages from "noreply@appsec.fortinet.com".
- Check What's New.
- Use the following APIs to retrieve the IP lists:
  - IPv4: https://appsec.fortinet.com/ips-v4
  - IPv6: https://appsec.fortinet.com/ips-v6
- You can find the full list of WAF IP addresses at Restricting direct traffic & allowing FortiAppSec Cloud IP addresses.
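The list endpoints above are what an origin-side allowlist should be built from. As an added example (not Fortinet's tooling), the following Python compares two snapshots of a list to surface newly added WAF ranges and checks a connecting address against the current ranges; it assumes each endpoint returns one address or CIDR per line, which is an assumption, not something this page documents. The snapshots are constructed from documentation ranges.

```python
"""Detect newly published WAF IP ranges and check a client IP against them."""
import ipaddress
import urllib.request

# Endpoints named in the FAQ; the one-address-or-CIDR-per-line body is an assumption.
IPV4_LIST_URL = "https://appsec.fortinet.com/ips-v4"
IPV6_LIST_URL = "https://appsec.fortinet.com/ips-v6"

def parse_ip_list(body: str) -> set:
    """Parse one address or CIDR per line; blank lines and '#' comments are
    skipped, and a malformed line raises so a bad fetch cannot silently
    shrink an allowlist."""
    nets = set()
    for line in body.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets

def diff_ip_lists(previous: str, current: str) -> tuple:
    """Return (added, removed) networks between two list snapshots."""
    old, new = parse_ip_list(previous), parse_ip_list(current)
    key = lambda n: (n.version, n)  # keep v4 and v6 from being compared directly
    return sorted(new - old, key=key), sorted(old - new, key=key)

def is_waf_source(client_ip: str, networks) -> bool:
    """Origin-side check: does the connecting IP belong to a WAF range?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in networks)

def fetch_ip_list(url: str = IPV4_LIST_URL) -> str:
    """Fetch the current list text (needs network access; unused by the sample run)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed snapshots using documentation ranges, not real WAF addresses.
PREVIOUS_SNAPSHOT = "198.51.100.0/24\n203.0.113.0/24\n"
CURRENT_SNAPSHOT = "198.51.100.0/24\n203.0.113.0/24\n192.0.2.0/24\n2001:db8::/32\n"

if __name__ == "__main__":
    added, removed = diff_ip_lists(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    print("new WAF ranges to allowlist:", [str(n) for n in added])
    print("ranges to drop:", [str(n) for n in removed])
```

Run the diff against a stored snapshot on a schedule and alert on a non-empty "added" list, then update the origin firewall or security group accordingly.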