User Guide

Network

FortiWeb Cloud uses port 80 for HTTP and port 443 for HTTPS by default. Non-standard ports are also available; you can select them when you onboard an application. Note that if a non-standard port is selected for HTTPS, you cannot configure HTTPS redirection.

If you need to use different ports, contact Fortinet Support or your sales engineer for further help. Note that not all non-standard ports can be used, and HTTP and HTTPS services must use different ports.

Up to 100 domains are supported in one single application. They should all belong to the same root domain and point to the same origin server(s).

Yes, all the domains should belong to the same root domain, such as www.example.com and mail.example.com.

After the application is onboarded, you can go to Network > Endpoints to change or add domains, but you cannot change the first domain in the list. We highly recommend using the root domain as the first domain.

You can add at most 128 origin servers to the server pool of an application.

FortiWeb Cloud automatically obtains an SSL certificate on your behalf from Let’s Encrypt within two minutes of the DNS CNAME record change. It will be used in HTTPS connections to encrypt or decrypt the traffic. If FortiWeb Cloud fails to obtain the certificate, it will try again 12 minutes later.

Thirty days before your certificate expires, FortiWeb Cloud verifies again that your DNS CNAME record is still correct. If it is, FortiWeb Cloud renews your certificate for another 90 days, so it never expires. For more information, see Automatic Certificate.

FortiWeb Cloud automatically retrieves SSL certificates from the Certificate Authority Let's Encrypt. See Automatic Certificate for the points to be aware of when automatic certificates are used.

DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.

If you have configured a CAA record at your DNS service and want to use automatic certificate in FortiWeb Cloud, make sure to add "letsencrypt.org" in the CAA value. This allows Let's Encrypt to issue certificates for your domain name.
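The CAA check described above, worked through as an added example (this is not FortiWeb Cloud or Fortinet code): it evaluates whether a CA such as Let's Encrypt is permitted to issue for a name under the RFC 8659 rules, using a constructed in-memory zone in place of live DNS. The zone contents, the `ZONE` dictionary and the function names are assumptions for illustration. The lookup climbs to the closest ancestor that publishes CAA, which is why a record at the root domain covers every subdomain in the application.

```python
# Added example (not FortiWeb Cloud or Fortinet code): evaluates whether a
# certificate authority is permitted to issue for a domain under the CAA
# rules of RFC 8659, using a constructed in-memory zone instead of live DNS.
from dataclasses import dataclass


@dataclass(frozen=True)
class CAARecord:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "letsencrypt.org", or ";" meaning "no CA may issue"


# Constructed zone data: FQDN -> CAA records. An empty list means the name
# exists but publishes no CAA RRset, so the lookup climbs to the parent.
ZONE = {
    "example.com.": [CAARecord(0, "issue", "letsencrypt.org"),
                     CAARecord(0, "iodef", "mailto:security@example.com")],
    "www.example.com.": [],
    "locked.example.net.": [CAARecord(0, "issue", ";")],   # forbids all issuance
    "wild.example.org.": [CAARecord(0, "issue", "letsencrypt.org"),
                          CAARecord(0, "issuewild", "digicert.com")],
}


def relevant_caa_rrset(fqdn):
    """Return the CAA RRset governing `fqdn`: the RRset at the name itself or at
    the closest ancestor that has one. None means no ancestor publishes CAA,
    in which case issuance is unrestricted."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = ZONE.get(name, [])
        if rrset:
            return rrset
    return None


def issuer_domain(value):
    """Strip CAA parameters ("ca.example; account=123") down to the CA domain."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(fqdn, ca_domain, wildcard=False):
    """True if `ca_domain` is allowed to issue a (wildcard) certificate for `fqdn`."""
    rrset = relevant_caa_rrset(fqdn)
    if rrset is None:
        return True
    tag = "issuewild" if wildcard else "issue"
    records = [r for r in rrset if r.tag == tag]
    if wildcard and not records:          # issuewild falls back to issue records
        records = [r for r in rrset if r.tag == "issue"]
    if not records:                       # only iodef present: no restriction
        return True
    return any(issuer_domain(r.value) == ca_domain.lower() for r in records)


if __name__ == "__main__":
    for name in ("www.example.com", "locked.example.net", "nocaa.example.test"):
        print(name, "letsencrypt.org may issue:", ca_may_issue(name, "letsencrypt.org"))
```

The `locked.example.net` entry shows the failure mode the page warns about: a CAA `issue` record that does not list `letsencrypt.org` (here the empty issuer `;`) makes automatic certificate retrieval fail, and the retry 12 minutes later will fail the same way until the record is corrected.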

No. We now support TLS 1.1, 1.2, and 1.3.

Check the following if “connection is not secure” displays in the browser when users visit your application:

To troubleshoot network connectivity when traffic doesn't go through, follow these steps:

  1. Ensure that you are using a supported web browser. FortiWeb Cloud supports Mozilla Firefox version 59 or higher, and Google Chrome version 65 or higher. Other browsers may also display the page correctly, but compatibility is not guaranteed.
  2. Check the error message displayed. If it shows server connectivity issue, perform either one of the following actions:
    1. Modify the local host file on your computer to map your application's domain name to the IP address of the origin server. Then, enter the domain name of your application in the browser to verify the traffic can go through when FortiWeb Cloud is bypassed.
    2. If there is more than one origin server, FortiWeb Cloud performs a health check and displays the server status in the Server Status widget on the Dashboard page, as well as in the Server Status column of the Origin Server page. Make sure the Health Check option is turned on and the URL Path on the Origin Server page is configured correctly, as FortiWeb Cloud relies on it to verify server responsiveness.
    3. If the origin server is accessible, proceed to the following steps to identify the specific configuration on FortiWeb Cloud causing the error.
      If the origin server is not accessible, it suggests that the connectivity issue is unrelated to FortiWeb Cloud and you should troubleshoot the origin server.
  3. Verify the SSL Encryption Level configuration on the Origin Server page and ensure that your origin server supports the specified SSL Encryption Level.
  4. Disable HTTP/2 on the Origin Server page and check if the traffic goes through. If it does, it indicates that your origin server doesn't support HTTP/2, and therefore, the HTTP/2 option on FortiWeb Cloud should be disabled.
  5. Analyze attack logs in Threat Analytics > Attack Logs to identify any WAF modules that may be blocking traffic.

FortiWeb Cloud supports sending logs to your syslog or ElasticSearch server to notify you of origin server status changes.

  1. Enable Health Check for the origin server in the Load Balancing rule in Network > Origin Server. Note that this setting is only available when Server Balance is turned on.
  2. Refer to Audit logs to export logs to your syslog server.

When using FortiWeb Cloud, the client's requests from the Internet are forwarded to FortiWeb Cloud first before they reach the ALB/ELB.

When you onboard an application, for the Origin Server settings in Step 2 - Network, select Customize, then enter the ALB/ELB's domain name in IP Address or FQDN. Make sure to enter the domain name, not the IP address.

The DNS record that pairs the dynamic domain name with its IP address carries a TTL (Time to Live) value. FortiWeb Cloud refreshes the IP address according to this TTL: when the TTL indicates the cached IP address has expired, FortiWeb Cloud resolves the domain name again to obtain the latest IP address.

You can use Cloud Connectors to obtain the IP addresses if your origin servers are deployed on AWS, Azure, or GCP.

  1. Create a Cloud Connector to authorize FortiWeb Cloud to access the resources in your public cloud account. See Cloud Connectors.
  2. In Network > Origin Servers, select Dynamic for Server Type, then configure Cloud Connector and Filter as instructed in Origin Servers.

See Using FortiWeb Cloud behind a Content Distribution Service for detailed information.

See Network settings for applications serving different content over HTTP and HTTPS for more information.

  • Check the inbox of your account email. Search for keywords "new WAF cluster" from "noreply@fortiweb-cloud.com".

  • Check the What's New part in Online help.

  • Use the following APIs to retrieve the IP lists:

    • IPv4: https://www.fortiweb-cloud.com/ips-v4

    • IPv6: https://www.fortiweb-cloud.com/ips-v6
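One reason to track these lists is to confirm that connections reaching the origin server actually come from FortiWeb Cloud, and to refresh that allowlist when a new WAF cluster is announced. The following is an added example, not FortiWeb Cloud or Fortinet code: it parses an IP list and checks a client address against it. The list text is constructed from documentation ranges (RFC 5737 and RFC 3849), and the assumption that the `/ips-v4` and `/ips-v6` endpoints return one address or CIDR prefix per line is mine; check the real response format before relying on the parser.

```python
# Added example (not FortiWeb Cloud code): parses a WAF IP list and checks
# whether a connecting address belongs to it. The list contents below are
# constructed; the real format of the /ips-v4 and /ips-v6 responses is
# assumed here to be one address or CIDR prefix per line.
import ipaddress

# Constructed samples using documentation ranges (RFC 5737 / RFC 3849),
# not real WAF cluster addresses.
SAMPLE_IPS_V4 = """\
# comment lines and blank lines are ignored
192.0.2.0/24
198.51.100.10

203.0.113.0/25
"""
SAMPLE_IPS_V6 = "2001:db8:1::/48\n2001:db8:ffff::1\n"


def parse_ip_list(text):
    """Return (networks, rejected). A bare address becomes a /32 or /128.
    Unparseable lines are collected instead of dropped, so a corrupted
    download is noticed rather than silently shrinking the allowlist."""
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return networks, rejected


def load_allowlist(v4_text, v6_text):
    """Combine both lists, refusing to produce an allowlist from bad input:
    an empty or partly unparseable list would block legitimate WAF traffic."""
    nets4, bad4 = parse_ip_list(v4_text)
    nets6, bad6 = parse_ip_list(v6_text)
    if bad4 or bad6:
        raise ValueError(f"unparseable entries in IP list: {bad4 + bad6}")
    if not nets4 and not nets6:
        raise ValueError("empty IP list; refusing to replace the current allowlist")
    return nets4 + nets6


def is_from_waf(client_ip, networks):
    """True if client_ip falls inside any network of the matching IP version."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks if net.version == addr.version)


if __name__ == "__main__":
    allow = load_allowlist(SAMPLE_IPS_V4, SAMPLE_IPS_V6)
    for ip in ("192.0.2.77", "203.0.113.200", "2001:db8:1::beef"):
        print(ip, "allowed" if is_from_waf(ip, allow) else "denied")
```

Because the origin server normally sees only FortiWeb Cloud addresses, any request that fails `is_from_waf` is a sign that the origin is reachable directly and the WAF is being bypassed; the same check is what breaks if the allowlist is not updated after a "new WAF cluster" notice.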