FortiDAST Proxy Server
You can use proxy servers with FortiDAST to scan internal web applications that are not exposed to the internet. This is particularly useful for scanning applications in development and internal corporate applications, and for integrating FortiDAST as a DAST scanner in DevOps pipelines. Deploy the proxy server in your environment as a Docker container; it runs with minimal manual intervention.
The FortiDAST Proxy server supports two modes of deployment.
- Autonomous - The proxy server (Docker container) opens a reverse secure tunnel to the FortiDAST cloud and waits for commands. Use this mode to scan the application manually from the FortiDAST GUI or through the FortiDAST cloud APIs. It supports the following configurations:
  - Exit after scan - The container exits after the scan completes; reinstall the proxy server to rescan the asset.
  - Daemon - A one-time installation in which the container keeps running in the background until you stop it. This configuration minimizes manual intervention.
- DevOps - Automates the scanning process over the same secure tunnel framework so that DAST scanning of web applications can be integrated into CI/CD pipelines. When the container is invoked with the required configuration, it interacts with the FortiDAST cloud through REST APIs and starts the scan automatically: it authorizes the asset, initiates the scan, waits for the scan to complete, and then stops the container.
Configuring the Proxy Server
This section describes the prerequisites, recommendations, and set-up procedure for configuring a proxy server in your environment.
Prerequisites
- Minimum system requirements are 4 GB RAM and a 4-core CPU for running 10 proxy server Docker containers.
- Ensure that the VM hosting the proxy server container has internet connectivity through a NIC; this is required to fetch commands from the FortiDAST cloud and to scan the application. The VM must also be able to reach the target web server over the internal network.
- Ensure that the target machine is not reachable from FortiDAST through a public IP address and is accessible only from the proxy server.
- You can meet the aforementioned requirements either through a dedicated NIC or by configuring routing entries.
- Ensure that SSH is available on the host and that the firewall allows outbound communication from the proxy server to the FortiDAST cloud (IP: 34.72.80.123, port: 22); the container initiates the tunnel, so no inbound rule is needed.
Recommendations
- Use a Linux OS for the proxy server; Windows OS is NOT supported.
- Do not run the proxy server Docker container and the target web server on the same machine.
- Whenever you generate new API keys, copy the updated Docker compose file from the FortiDAST GUI and bring up the proxy server again using the new compose file. Because the compose file is regenerated with the API keys, treat it as a credential: restrict its file permissions and keep it out of source control.
Note: Only IPv4 networking is supported for proxy servers. IPv6 is NOT supported.
Set-up Procedure
- Install a Linux distribution (Ubuntu or CentOS) on a virtual machine or physical server.
- Install the latest versions of the Docker engine and Docker compose; on Ubuntu, for example:
sudo apt install docker.io
sudo apt install docker-compose
- Copy the Docker compose file (docker-compose.yml) from the FortiDAST Proxy tab of the scan configuration page in the GUI. See FortiDAST Proxy.
- Bring up the proxy server container by running:
sudo docker-compose -f <docker-compose.yml> up -d
You can view the status of the FortiDAST proxy server in the Scans Policy page. A green icon indicates that communication is established between the proxy server container and the FortiDAST cloud service; initially the icon is red, which means the connection has not yet been established. Hover over the icon to view the port over which the communication is established.
Ensure that the FortiDAST proxy status is green before initiating the scan for the target.
Note: When a newer version of FortiDAST becomes available, you must remove the existing FortiDAST proxy Docker image from your virtual machine and pull the latest version. Stop and remove the running proxy container first, because docker rmi refuses to delete an image that a container is still using.
- To remove the existing FortiDAST proxy Docker image, run:
docker rmi registry.fortidast.com/fptproxyserver
- To pull the latest Docker image, run:
docker pull registry.fortidast.forticloud.com/dastproxy
- Also ensure that you copy the latest Docker compose file (docker-compose.yml) from the FortiDAST Proxy tab of the scan configuration page in the GUI. See FortiDAST Proxy.
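The set-up steps and the upgrade note above, collected into one pre-flight, bring-up and upgrade script. This is an added example, not Fortinet's tooling and not part of FortiDAST: it assumes bash on a Linux host, that the compose file copied from the FortiDAST GUI sits next to the script as docker-compose.yml (override with the hypothetical COMPOSE_FILE variable), and that the internal target to verify is given through the hypothetical TARGET_HOST and TARGET_PORT variables. The cloud endpoint 34.72.80.123:22 and the two image names are the ones stated on this page; the file-permission check on the compose file is this example's addition.

```shell
#!/usr/bin/env bash
# fortidast_proxy.sh - pre-flight checks, bring-up and upgrade helper for the
# FortiDAST proxy container. Added example, not part of FortiDAST itself.
# Assumes bash on Linux; the compose file must still be copied from the GUI.
set -euo pipefail

# Endpoint the proxy's reverse tunnel must reach (firewall prerequisite on this page).
FORTIDAST_TUNNEL_IP="34.72.80.123"
FORTIDAST_TUNNEL_PORT="22"
# Image names as given on this page (old image to remove, new image to pull).
OLD_IMAGE="registry.fortidast.com/fptproxyserver"
NEW_IMAGE="registry.fortidast.forticloud.com/dastproxy"

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"   # copied from the FortiDAST Proxy tab
TARGET_HOST="${TARGET_HOST:-}"     # hypothetical: internal web server the proxy must reach
TARGET_PORT="${TARGET_PORT:-443}"  # hypothetical: its port

# is_ipv4 ADDR -> 0 when ADDR is a dotted-quad IPv4 literal (the proxy is IPv4-only).
is_ipv4() {
  local ip=$1 o
  [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  local IFS=.
  for o in $ip; do (( 10#$o <= 255 )) || return 1; done
}

# compose_image FILE -> first "image:" reference in a compose file, quotes stripped.
compose_image() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*["'\'']\{0,1\}\([^"'\'' ]*\).*/\1/p' "$1" | head -n1
}

# tcp_reachable HOST PORT -> 0 when a TCP connect succeeds within 5 s (bash /dev/tcp, no nc needed).
tcp_reachable() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

preflight() {
  [[ $(uname -s) == Linux ]] || { echo "Linux only; Windows is not supported"; return 1; }
  command -v docker >/dev/null || { echo "docker engine not installed"; return 1; }
  command -v docker-compose >/dev/null || { echo "docker-compose not installed"; return 1; }
  [[ -f $COMPOSE_FILE ]] || { echo "$COMPOSE_FILE missing: copy it from the FortiDAST Proxy tab"; return 1; }
  docker-compose -f "$COMPOSE_FILE" config -q || { echo "$COMPOSE_FILE does not parse"; return 1; }
  # The compose file carries the API credentials: refuse to run if others can read it.
  [[ $(stat -c %a "$COMPOSE_FILE") == *0 ]] || { echo "$COMPOSE_FILE is readable by others; chmod 600 it"; return 1; }
  tcp_reachable "$FORTIDAST_TUNNEL_IP" "$FORTIDAST_TUNNEL_PORT" \
    || { echo "cannot reach ${FORTIDAST_TUNNEL_IP}:${FORTIDAST_TUNNEL_PORT}; check SSH egress"; return 1; }
  if [[ -n $TARGET_HOST ]]; then
    is_ipv4 "$TARGET_HOST" || echo "warning: $TARGET_HOST is not an IPv4 literal; it must resolve to IPv4"
    tcp_reachable "$TARGET_HOST" "$TARGET_PORT" \
      || { echo "target ${TARGET_HOST}:${TARGET_PORT} not reachable from this host"; return 1; }
  fi
  echo "pre-flight OK"
}

up() { preflight && docker-compose -f "$COMPOSE_FILE" up -d; }

# upgrade: stop the container first (docker rmi refuses to remove an in-use image),
# drop the old image, pull the image the freshly copied compose file references
# (falling back to the documented name), then bring the proxy back up.
upgrade() {
  docker-compose -f "$COMPOSE_FILE" down
  docker rmi "$OLD_IMAGE" 2>/dev/null || true
  docker pull "$(compose_image "$COMPOSE_FILE")" || docker pull "$NEW_IMAGE"
  up
}

case "${1:-}" in
  preflight) preflight ;;
  up)        up ;;
  upgrade)   upgrade ;;
  *)         echo "usage: $0 {preflight|up|upgrade}" ;;
esac
```

Run `./fortidast_proxy.sh preflight` after copying the compose file and before the first `up`; a failed tunnel check here is the same condition the GUI shows as a red proxy icon, so fixing it before starting the container saves a restart.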