User Guide
Endpoints

Domain name

List the domains to protect. The protection policy configured for this application applies to all the domains.

  • You can add up to 10 domains. They should belong to the same root domain, such as www.example.com and mail.example.com.
  • Wildcards are supported for every entry except the first one in the list. Make sure the domain name entries do not overlap; for example, "www.example.com" can't be added together with "*.example.com". A wildcard matches only a single label at the same domain level; for example, "a.example.com" matches "*.example.com", while "a.a.example.com" does not.
  • Once the application is onboarded, you can't change the first domain. It is highly recommended to use the root domain as the first domain, e.g. example.com or www.example.com.
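The matching and overlap rules above, as an added example (illustrative code, not FortiWeb Cloud's implementation). It checks a candidate domain list against every rule stated here: single-label wildcards, no wildcard in the first entry, no overlapping entries, at most 10 entries, one root domain. The root-domain check assumes the registrable domain is the last two labels, which is a simplification rather than a public suffix list lookup.

```python
"""Domain list validation following the rules on this page.

Added example, not FortiWeb Cloud's implementation. It encodes the stated rules:
a wildcard label matches exactly one label at the same level, the first entry
may not be a wildcard, entries may not overlap, at most 10 entries, and all
entries share one root domain. The root-domain check assumes the registrable
domain is the last two labels (no public suffix list), which is a simplification.
"""


def labels(name):
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern, host):
    """True if host is covered by pattern; '*' stands for exactly one label."""
    p, h = labels(pattern), labels(host)
    if len(p) != len(h):
        return False   # *.example.com covers neither a.a.example.com nor example.com
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def entries_overlap(a, b):
    """Two entries overlap when either one covers the other (duplicates included)."""
    return wildcard_matches(a, b) or wildcard_matches(b, a)


def root_domain(name):
    # Assumption: registrable domain = last two labels (example.com, example.org).
    return ".".join(labels(name)[-2:])


def validate_domain_list(domains):
    """Return a list of problems; an empty list means the domain list is acceptable."""
    problems = []
    if not domains:
        return ["at least one domain is required"]
    if len(domains) > 10:
        problems.append("more than 10 domains")
    if "*" in labels(domains[0]):
        problems.append(f"first entry {domains[0]!r} must not be a wildcard")
    roots = {root_domain(d) for d in domains}
    if len(roots) > 1:
        problems.append(f"entries span multiple root domains: {sorted(roots)}")
    for i, a in enumerate(domains):
        for b in domains[i + 1:]:
            if entries_overlap(a, b):
                problems.append(f"{a!r} overlaps {b!r}")
    return problems
```

Run validate_domain_list() over the list you intend to onboard before you submit it; because the first domain cannot be changed afterwards, an overlap or a wildcard in the first position is cheaper to catch here than after onboarding.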

Traffic Type

Select HTTP, HTTPS, HTTP/2, or IPv6 to define the traffic types allowed to arrive at the domains of your application.

HTTP

Select the port number for HTTP service.

HTTPS

If HTTPS is allowed, you will be required to configure the Local Certificate and SSL/TLS settings.

Notes:

  • With both HTTP and HTTPS enabled, selecting port 80 for HTTP also opens port 443 for HTTPS by default, even if you select a different port number for HTTPS. For example, if you select 80 for HTTP and 7443 for HTTPS, HTTPS connections are accepted on either 443 or 7443. Keep this in mind if you expect the non-standard port to be the only HTTPS entry point.
  • If the port number for the HTTPS service is not 443, FortiWeb Cloud can't redirect HTTP traffic to HTTPS.

FortiWeb Cloud uses the following ports for HTTP and HTTPS services. These ports are open on the FortiWeb Cloud scrubbing center clusters. This does not expose your application: if a port is not configured as a service port for your application, any request to that port for the application is rejected.

  • HTTP: 80, 81, 3881, 3883, 8000, 8014, 8080, 8087, 8888, 9003, 9013, 9080, 9091, 9092, and 9219

  • HTTPS: 443, 444, 2087, 4333, 4334, 4430, 4466, 4993, 5001, 5454, 7003, 7443, 7741, 8012, 8076, 8078, 8081, 8086, 8088, 8090, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8099, 8181, 8282, 8443, 8585, 8723, 8787, 8866, 9052, 9090, 9093, 9440, and 52233

If the HTTP or HTTPS port number you want to use is not in the list, contact Fortinet Support or your sales engineer to customize the port number. Note that not all non-standard ports can be used, and the HTTP and HTTPS services must use different ports.

SSL Certificate

The SSL certificate is used to encrypt the HTTPS connections between users and FortiWeb Cloud. Without a valid certificate, users will see a certificate invalid warning when they visit your application.

By default, FortiWeb Cloud automatically retrieves SSL certificates from the Certificate Authority Let's Encrypt. If it fails, or if you would like to use your own certificate, you can manually upload it to FortiWeb Cloud.

FortiWeb Cloud does not apply an automatic certificate if your application uses the AWS CloudFront service.

Automatic Certificate

Before configuring Automatic Certificate, make sure:

  • You must have changed your DNS record to the CNAME or A record shown in the last step of the ADD APPLICATION wizard.
  • If you use the HTTP challenge, you must have enabled the HTTP service on port 80 on the endpoint, because the Certificate Authority validates the domain by sending HTTP requests to it, and your DNS CNAME record directs those requests to FortiWeb Cloud.
  • If you have configured a CAA record at your DNS service, you must add "letsencrypt.org" to the CAA value. For more information, search for CAA in the FAQs.
  • You should not block requests from the United States in IP Protection > Geo IP Block; otherwise FortiWeb Cloud can't retrieve certificates from Let's Encrypt.
  • The server health check status should be OK. If it is not, first disable the health check so that it doesn't interrupt certificate retrieval. After the certificate is successfully retrieved, re-enable the health check and troubleshoot the server connection issue.

Selecting the Challenge Type:

Let's Encrypt sends challenges to validate that you control the domain names you listed while onboarding the application.

You can select HTTP Challenge or DNS Challenge. Note that the DNS challenge is used for wildcard domains regardless of which challenge type you choose.

  • HTTP Challenge

    To pass the challenge, you must change the DNS entries for all the domains you listed so that they point to FortiWeb Cloud.

  • DNS Challenge

    To pass the challenge, you need to create a new CNAME record for the automatic certificate in addition to changing the DNS entries for the domains you listed. To avoid users encountering the "certificate invalid" error, first create the CNAME record (its name begins with "_acme-challenge") so that the automatic certificate is obtained before any traffic arrives. After the DNS status turns to OK, which means the certificate has been installed, change the DNS records for your application's domains to direct traffic to FortiWeb Cloud.

The challenge is handled automatically, but if you need to make more complex configuration decisions, it is useful to know more about the challenge types. See Challenge Types posted by Let's Encrypt.

Several minutes after the challenge succeeds, FortiWeb Cloud obtains an SSL certificate on your behalf from Let's Encrypt and installs it on your application. It is used to encrypt and decrypt HTTPS traffic. If FortiWeb Cloud fails to retrieve the certificate, it retries every 12 minutes on the first day, then once an hour on the second and third days. After that, it reduces the frequency to once a day, until the certificate is successfully retrieved.

To retry immediately, click the Retrieve button beside Automatic Certificate. This resets the schedule to the first day, so FortiWeb Cloud again retries every 12 minutes, and so on.

Thirty days before your certificate expires, FortiWeb Cloud verifies again that your DNS CNAME record is still correct. If it is, FortiWeb Cloud renews the certificate for another 90 days, so the certificate does not expire as long as the DNS record remains correct.
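A pre-flight check for the prerequisites and challenge rules above, as an added example (not FortiWeb Cloud code). It decides which challenge each listed domain will actually use (wildcards always get the DNS challenge), flags the port 80 requirement for the HTTP challenge, and evaluates CAA records the way a CA does under RFC 8659: climb the name tree to the closest CAA set, let issuewild override issue for wildcard names, treat a critical flag on an unknown tag as a block. The zone data is constructed inline rather than looked up in DNS, and CNAME aliases are not followed, which a real check must do.

```python
"""Pre-flight checks for Let's Encrypt automatic certificates.

Added example, not FortiWeb Cloud code. It encodes the rules from this page
(wildcard entries always use the DNS challenge, the HTTP challenge needs HTTP
on port 80, CAA must name letsencrypt.org) plus the CAA evaluation rules of
RFC 8659 (closest CAA set at or above the name; issuewild overrides issue for
wildcard names; a critical flag on an unknown tag blocks issuance). The zone
data below is constructed inline instead of being looked up in DNS, and CNAME
aliases are not followed, which a real check would have to do.
"""

# Constructed sample: owner name -> list of (flags, tag, value) CAA records.
SAMPLE_CAA = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                       # no CA may issue wildcards
        (0, "iodef", "mailto:security@example.com"),
    ],
    "example.org": [(0, "issue", "ca.example")],     # some other CA only
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(records_by_name, fqdn):
    """Return (owner, records) for the closest CAA set at or above fqdn."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if owner in records_by_name:
            return owner, records_by_name[owner]
    return None, []


def letsencrypt_may_issue(records_by_name, fqdn, ca="letsencrypt.org"):
    """Apply RFC 8659 to decide whether `ca` may issue a certificate for fqdn."""
    wildcard = fqdn.startswith("*.")
    _, records = relevant_caa(records_by_name, fqdn)
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False   # critical property the CA does not understand
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True    # no applicable issue/issuewild records: any CA may issue
    # A value may carry parameters after ';' ("letsencrypt.org; validationmethods=dns-01").
    names = {v.split(";", 1)[0].strip().lower() for v in allowed}
    return ca in names


def preflight(domains, selected_challenge, http_port, records_by_name=SAMPLE_CAA):
    """Return ({domain: challenge}, [problems]) for an automatic-certificate request."""
    challenges, problems = {}, []
    for d in domains:
        chal = "dns" if d.startswith("*.") else selected_challenge
        challenges[d] = chal
        if chal == "http" and http_port != 80:
            problems.append(f"{d}: HTTP challenge needs HTTP enabled on port 80, not {http_port}")
        if not letsencrypt_may_issue(records_by_name, d):
            problems.append(f"{d}: CAA policy does not authorize letsencrypt.org")
    return challenges, problems
```

The sample zone shows the trap a CAA record can set: example.com authorizes letsencrypt.org for ordinary names but its issuewild record forbids every CA for wildcard names, so "*.example.com" fails even though "www.example.com" succeeds. If you only ever added "letsencrypt.org" to an issue record, check whether an issuewild record exists as well.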

Custom Certificate

FortiWeb Cloud may fail to retrieve the certificate for several reasons, for example because HTTP traffic is not allowed on the endpoint. An exclamation mark appears beside the Automatic Certificate option when certificate retrieval fails.

In this case, or in case you would like to use your own certificate, you can import SNI certificates or intermediate certificates (optional).

  1. Select Custom Certificate on the Endpoints page.
  2. For SNI Certificate, click Import and paste the Private Key and Certificate values provided by your Certificate Authority.
    FortiWeb Cloud automatically parses the SNI certificate, including its issuance date, expiration date, status, and certificate chain, and displays them in a readable format.
    The status is OK when FortiWeb Cloud verifies that the private key and certificate match; Expired when the certificate has expired; and Invalid Chain when the certificate itself is valid but verification of the certificate chain fails.
    FortiWeb Cloud requires you to import the private key and certificate in separate fields. If you have a PKCS#12 file, refer to this article to extract the key and certificate: https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl

  3. For Intermediate Certificate (optional), click Import and paste the certificate value provided by your intermediate Certificate Authority.
    FortiWeb Cloud automatically parses the intermediate certificate, including its issuance and expiration dates, and displays them in a readable format. It also verifies the status and certificate chain.
    Whenever an intermediate certificate is imported or deleted, FortiWeb Cloud re-verifies expiration and the certificate chain.

You can import at most 32 SNI certificates and 32 intermediate certificates. Contact the support team if you want to extend these limits. See Contacting customer service for how to submit a support ticket.

SSL/TLS

SSL/TLS Versions: Select which versions of the SSL or TLS protocols are allowed for HTTPS connections between FortiWeb Cloud and clients.

SSL/TLS Encryption Level: HTTPS traffic is encrypted and decrypted with cipher suites. The encryption level controls which cipher suites are offered. The following options are available:

  • Mozilla-Modern: For services whose clients support TLS 1.3 and don't need backward compatibility. Mozilla-Modern is the recommended configuration as it provides the highest level of security.
  • Mozilla-Intermediate: For services that don't need compatibility with legacy clients such as Windows XP or old versions of OpenSSL. Mozilla-Intermediate is the recommended configuration for most services, as it is highly secure while remaining compatible with nearly every client released in the last five (or more) years.
  • Mozilla-Old: For services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8. Use Mozilla-Old only when you must support such clients; it is compatible with most of them, at the cost of enabling weaker cipher suites.
  • Customized: Supports a customizable list of all ciphers.

For a complete list of the ciphers of each Encryption Level, see Supported cipher suites & protocol versions.

Note:

When HTTP/2 is enabled, only certain TLS 1.3 and TLS 1.2 ciphers will be supported for all SSL/TLS encryption levels.

Redirect all HTTP traffic to HTTPS: Select to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. Do not enable this option if you have only one origin server and want FortiWeb Cloud to communicate with the origin server over both HTTP and HTTPS.

If you want to serve different content over HTTP and HTTPS, refer to Network settings for applications serving different content over HTTP and HTTPS.

HTTP Strict Transport Security (HSTS): Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) Strict-Transport-Security header into responses, for example: Strict-Transport-Security: max-age=31536000.

This header forces clients to use HTTPS for subsequent visits to this domain. If the certificate is invalid, the client's web browser receives a fatal connection error and does not display a dialog that would allow the user to override the certificate error and continue.

HSTS Max-age: Specify the time to live in seconds for the HSTS header. The browser lifts HSTS enforcement once max-age seconds have passed since it last received the header; subsequent visits are then no longer forced to use HTTPS.

Secure flag for internal Cookie: Enable to add the Secure flag to FortiWeb Cloud's internal cookies, so that browsers send them only with requests for HTTPS pages. When enabled, only HTTPS requests carry the cookie; HTTP requests are sent without it.

HTTP Only flag for internal Cookie: Enable to add the HttpOnly flag to internal cookies, which prevents client-side scripts from accessing them.
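The three response-side options above (redirect, HSTS, cookie flags), modelled as an added example of what an edge proxy does to a response before it reaches the browser. This is illustrative code, not FortiWeb Cloud's implementation. It assumes the HTTPS service is on port 443, the only case in which this page says the redirect works, and it applies Secure and HttpOnly to every Set-Cookie header it sees, whereas FortiWeb Cloud flags only its own internal cookies. Headers are a list of (name, value) pairs so that repeated Set-Cookie headers survive.

```python
"""HTTP-to-HTTPS redirect, HSTS, and cookie-flag hardening as an edge proxy applies them.

Added example, not FortiWeb Cloud code. It models the three options on this page:
a redirect that preserves path and query (HTTPS assumed on 443), an HSTS header
with the configured max-age, and Secure/HttpOnly flags on Set-Cookie. FortiWeb
Cloud adds the flags only to its own internal cookies; this example applies them
to every Set-Cookie header. Headers are (name, value) pairs so that repeated
Set-Cookie headers are kept.
"""
from urllib.parse import urlsplit, urlunsplit


def https_redirect_location(http_url):
    """Location value for redirecting an HTTP request to the same URL over HTTPS (port 443)."""
    u = urlsplit(http_url)
    # Any explicit HTTP port is dropped: the HTTPS service is on 443.
    return urlunsplit(("https", u.hostname, u.path or "/", u.query, ""))


def harden_set_cookie(value, secure=True, httponly=True):
    """Append Secure and/or HttpOnly to a Set-Cookie value if they are not already present."""
    attrs = [a.strip() for a in value.split(";") if a.strip()]
    present = {a.split("=", 1)[0].lower() for a in attrs[1:]}
    if secure and "secure" not in present:
        attrs.append("Secure")
    if httponly and "httponly" not in present:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def harden_response_headers(headers, served_over_https, hsts_max_age=None,
                            cookie_secure=True, cookie_httponly=True):
    """Rewrite response headers the way the edge would before sending them to the client."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            value = harden_set_cookie(value, cookie_secure, cookie_httponly)
        elif lname == "strict-transport-security":
            continue   # the origin's own HSTS header is replaced by the configured policy
        out.append((name, value))
    # RFC 6797: browsers ignore HSTS received over plain HTTP, so it is only
    # worth sending on HTTPS responses; the HTTP side should redirect instead.
    if hsts_max_age is not None and served_over_https:
        out.append(("Strict-Transport-Security", f"max-age={int(hsts_max_age)}"))
    return out
```

Note the interaction: HSTS only takes effect once the browser has received the header over a valid HTTPS connection, so enabling the redirect together with HSTS is what makes a first plain-HTTP visit end up pinned to HTTPS for max-age seconds.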

Advanced Settings

Configure the following settings:

HTTP/2: Enable to accept HTTP/2 traffic.

Client Certificate Authentication

Enable this so that FortiWeb Cloud requires the client to present a client certificate during the TLS handshake. When enabled, if a client does not present a client certificate during the handshake, FortiWeb Cloud rejects the request.

  • Click Import to upload the trusted CA certificates so that FortiWeb Cloud can authenticate client certificates.

    How to obtain CA certificate:

    • If you are using a commercial CA, your web browser should already contain a copy in its CA trust store. Export a copy of the file to your desktop or another folder.

    • If you are using your own private CA, download a copy from your CA's server. For example, on Windows Server 2003, you would go to:

      https://<ca-server_ipv4>/certsrv/

      where <ca-server_ipv4> is the IP address of your CA server. Log in as Administrator; other accounts may not have sufficient privileges. The Microsoft Certificate Services home page for your server's CA should appear, and you can download a CA certificate, certificate chain, or CRL from there.

    Note: Verify that the file you upload for your private CA contains only the CA certificate and not its private key. Disclosure of the private key compromises the security of your network and requires you to revoke and regenerate all certificates signed by that CA.

  • Click Import to upload Certificate Revocation Lists. To ensure that FortiWeb Cloud accepts only certificates that have not been revoked, periodically upload the current certificate revocation lists (CRLs) published by your certificate authorities (CAs).
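What the two Import buttons above configure, as an added example using the Python standard library's ssl module (illustrative code, not FortiWeb Cloud's implementation): a server-side TLS context that refuses any client without a certificate chaining to the uploaded CA bundle, with CRL checking of the presented leaf certificate as a separate, explicit step. It also implements the note about private keys: a quick scan that tells you whether the PEM bundle you are about to upload contains a PRIVATE KEY block. The CA and CRL paths are hypothetical and only loaded when given; the PEM samples are constructed placeholders, not real keys or certificates.

```python
"""Client certificate authentication (mTLS) with CRL checking, plus a check on the CA bundle.

Added example, not FortiWeb Cloud code. make_mtls_context() shows, with the
standard-library ssl module, what the Import buttons on this page configure:
a trusted CA bundle that client certificates must chain to, and a CRL that is
checked against the presented leaf certificate. The ca_bundle_path and
crl_path arguments are hypothetical paths and are only loaded when given.
pem_contains_private_key() implements the note above: a CA bundle you upload
must contain certificates only, never a private key. The PEM samples are
constructed placeholders, not real keys or certificates.
"""
import re
import ssl

# Matches "BEGIN PRIVATE KEY" (PKCS#8), "BEGIN RSA PRIVATE KEY", "BEGIN EC PRIVATE KEY",
# "BEGIN ENCRYPTED PRIVATE KEY", and similar markers.
PRIVATE_KEY_BLOCK = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Constructed samples: only the marker lines matter to the check; the bodies are filler.
GOOD_BUNDLE = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
BAD_BUNDLE = GOOD_BUNDLE + ("-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n"
                            "-----END RSA PRIVATE KEY-----\n")


def pem_contains_private_key(pem_text):
    """True if any PRIVATE KEY block is present in the text; such a file must not be uploaded."""
    return PRIVATE_KEY_BLOCK.search(pem_text) is not None


def count_certificates(pem_text):
    """Number of certificate blocks in a PEM bundle (CA plus any chain certificates)."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def make_mtls_context(ca_bundle_path=None, crl_path=None, check_crl=False):
    """Server-side TLS context that refuses clients without a certificate from a trusted CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # handshake fails if no client certificate is presented
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)   # trusted CA certificates
    if check_crl or crl_path:
        # Revocation is NOT checked unless this flag is set. With it set, a missing or
        # expired CRL makes every client handshake fail, which is why CRLs have to be
        # refreshed periodically rather than uploaded once.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if crl_path:
        ctx.load_verify_locations(cafile=crl_path)   # CRLs are loaded with the same call as CAs
    return ctx
```

Wrap a listening socket with ctx.wrap_socket(sock, server_side=True) to use the context; a client that connects without a certificate, or with one signed by an untrusted CA or listed in the loaded CRL, is rejected during the handshake, before any HTTP request is read.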

IPv6: If IPv6 is enabled, both IPv4 and IPv6 traffic is allowed to your application. If disabled, only IPv4 traffic is allowed.

Custom Block Page

Select the block page that FortiWeb Cloud displays to your users. It covers the following pages:

  • The error page FortiWeb Cloud uses to respond to an HTTP request that violates a policy when the configured action is Deny or Period Block.
  • The "Server Unavailable!" page that FortiWeb Cloud returns to the client when none of the server pool members are available, either because their status is Disable or Maintenance or because they have failed the configured health check.
  • The Captcha enforcement pages that FortiWeb Cloud uses to differentiate between real users and automated clients, such as bots.

The custom block page is configured in Global > System Settings > Custom Block Pages.
