Onboarding applications

Perform the following steps to configure FortiWeb Cloud to protect your web applications.
To onboard applications by DevOps tools, see Using FortiWeb Cloud with DevOps tools.

  1. Enter www.fortiweb-cloud.com in the web browser address bar, and log in with your FortiCloud account credentials.
  2. Click ADD APPLICATION, either at the top right corner of the page or in Global > Applications. The ADD APPLICATION Wizard will open.
  3. Configure Website settings for your application.
    1. Web Application Name: Enter a name for this application that will help you easily identify it.
    2. Domain Name: Enter the domain names of your application.
      1. Up to 10 domains can be added. They should belong to the same root domain, such as www.example.com and mail.example.com. Once the application is onboarded, you are not allowed to change the first domain in the list. It is highly recommended to use the root domain as the first domain, e.g. example.com or www.example.com.
      2. Wildcards are supported except in the first entry in the list. Make sure that the domain name entries do not overlap; for example, "www.example.com" can't be added together with "*.example.com". A wildcard only matches strings within the same domain level; for example, "a.example.com" matches "*.example.com", while "a.a.example.com" doesn't.
      3. You can later go to Network > Endpoints to change or add domains.

  4. Configure Network.
    1. Select the services allowed on your application and the corresponding ports. FortiWeb Cloud will then listen for HTTP and/or HTTPS traffic on the selected ports so that only legitimate traffic can go through.

      If the port number you want to use is not in the drop-down list, please contact Fortinet Support or your sales engineer to customize the port number. Note that not all non-standard ports can be used.
    2. Select the IP address/FQDN (Fully Qualified Domain Name) of the origin server that hosts your web application. FortiWeb Cloud will then forward the traffic to the specified IP address.
      FortiWeb Cloud looks up the DNS record and displays in the suggested list the IP addresses and/or FQDNs paired with the domain name you entered in the previous step. The default port number for them is 443. FortiWeb Cloud continuously updates the IP address and/or FQDN to make sure they are the latest ones.
      You can also choose Customize to enter a different IP address/FQDN and port number.
      If there are multiple origin servers hosting your web application, you can add them later in Network > Origin Servers.
    3. Select Server Protocol for the connections between FortiWeb Cloud and the origin server. If you want to redirect HTTP traffic to HTTPS, make sure to choose HTTPS for Server Protocol.
    4. Click Test Origin Server to ensure that FortiWeb Cloud can connect to the origin server. By default, FortiWeb Cloud sends a request to the URL path "/" to test the responsiveness of the server, then populates the response code received from the server in the Response Code field of the load balancing rule in Network > Origin Servers.
  5. FortiWeb Cloud automatically selects a scrubbing center for your application:

    • FortiWeb Cloud checks whether your application server is deployed on AWS, Azure, or Google Cloud, then assigns a corresponding scrubbing center on the same cloud platform as your application server.
    • If your application server is deployed elsewhere, FortiWeb Cloud by default assigns a scrubbing center on AWS.

    See How does FortiWeb Cloud choose regions? for more information.

    You can change the selected scrubbing center in Global > Applications after you complete the onboarding process, but you can't choose a scrubbing center across cloud platforms. For example, if your application server is located on AWS, you are not allowed to choose the scrubbing centers deployed on Azure.

    CDN
    By default, CDN is not enabled. This keeps your traffic bill to a minimum. Moreover, data latency within the same region is usually lower than that in different regions. Finally, keeping traffic within the same region can help address compliance concerns.

    However, if user experience is your top concern, it's recommended to enable CDN so that the data on your origin servers can be cached in FortiWeb Cloud scrubbing centers distributed around the world. When users visit your application, they are directed to the nearest scrubbing center, which serves the requested data.

    With CDN enabled, you will be asked to select a specific continent or Global. If you select a specific continent, then only the scrubbing centers within that continent will be used to render cached data. This may reduce your traffic expense as data transfer is restricted within a continent rather than globally.
    For the impact on traffic expense when CDN is enabled, see CDN for more information.
    If you can't decide now, you can revisit this option in Global > Applications after this application is onboarded.

  6. FortiWeb Cloud scrubbing centers are deployed worldwide in different regions on AWS. In this step, you are assigned the scrubbing center deployed in the same region as your application server. If there isn't any scrubbing center in the same region, then the one deployed in Europe (Milan) or US East (N. Virginia) will be assigned.

    See this article for the regions where FortiWeb Cloud scrubbing centers are deployed.

    CDN
    If CDN is not enabled, a FortiWeb Cloud scrubbing center located in the same region or the region closest to your application server will be assigned. Data latency within the same region is usually lower than that in different regions. Moreover, keeping traffic within the same region can help address compliance concerns.

    However, if user experience is your top concern, it's recommended to enable CDN so that the data on your origin servers can be cached in FortiWeb Cloud scrubbing centers distributed around the world. When users visit your application, they are directed to the nearest scrubbing center, which serves the requested data.
    If you can't decide now, you can revisit this option in Global > Applications after this application is onboarded.

  7. Configure Block mode and Template.
    1. Decide whether to enable Block Mode. If enabled, FortiWeb Cloud blocks requests if they trigger a violation. It's recommended to leave it disabled for the first week. During this period you can observe the attack logs and fine-tune the web protection configurations.
      You can later enable the Block Mode in Dashboard when you are confident that the traffic flow is stable and the legitimate traffic is not falsely blocked as attacks.
    2. Decide whether to inherit WAF configurations from a template. See Templates for more information.
  8. Go to your DNS provider to change your DNS record and create a new record for Automatic Certificate challenge as suggested, so that the traffic to your application can be correctly directed to FortiWeb Cloud.
    If there are multiple DNS records corresponding to the domain name, make sure to change all the records using the provided CNAME; otherwise users may encounter errors when visiting your application.
    If traffic to your application server should first pass through a Content Distribution Service such as AWS CloudFront and then flow to FortiWeb Cloud for threat detection, refer to Using FortiWeb Cloud behind a Content Distribution Service.
    Please note that FortiWeb Cloud can't get the DNS status if you use CloudFront, so the DNS status will always be "Unknown" whether or not you have added the DNS record.

    For an example of how to change the DNS record, see Example: Changing DNS records on AWS Route 53.


    Note: You can't directly access your website with the provided CNAME if you have not added the CNAME record in your DNS server. If you want to test it before changing the DNS record, follow the steps below.
    1. Run the ping or nslookup command to get the IP address of the CNAME.
    2. Modify the hosts file on Windows or Linux by adding an entry that maps, for example, www.<domain_name>.com to the IP address you got in step 1.
    3. Access the domain name with the browser to test it.
  9. To access the application you just onboarded, log in to FortiWeb Cloud and navigate to Global > Applications. Click the name of the application.

  10. In the navigation pane, the application security modules will appear. FortiWeb Cloud automatically assigns a security policy with the most basic web protection rules enabled. You can select additional protection rules using the Modules tab. See How to add or remove a module.
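
The Domain Name rules in step 3 (at most 10 entries, one root domain, no wildcard in the first entry, no overlapping entries, wildcard limited to one domain level) can be checked before the list is typed into the wizard. The following is an added example, not Fortinet code; the function names, the explicit root argument, the assumption that a wildcard is always written as a leading "*." label, and the sample lists are all constructed for illustration.

```python
MAX_DOMAINS = 10  # limit stated in step 3

def wildcard_matches(pattern, host):
    """True if a '*.x.y' pattern covers host; '*' spans exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]

def check_domain_list(domains, root):
    """Return a list of problems; an empty list means the rules are met."""
    problems = []
    names = [d.strip().lower().rstrip(".") for d in domains]
    root = root.lower().rstrip(".")
    if not 1 <= len(names) <= MAX_DOMAINS:
        problems.append(f"expected 1-{MAX_DOMAINS} domains, got {len(names)}")
    if names and names[0].startswith("*"):
        problems.append("first entry must not be a wildcard")
    for n in names:
        # Assumption: the only wildcard form is a leading '*.' label.
        if "*" in n[1:] or (n.startswith("*") and not n.startswith("*.")):
            problems.append(f"{n}: wildcard must be a leading '*.' label")
        if n != root and not n.endswith("." + root):
            problems.append(f"{n}: not under root domain {root}")
    # Pairwise overlap: exact duplicates, or a wildcard covering another entry.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if a == b:
                problems.append(f"{a}: listed twice")
            elif wildcard_matches(a, b) or wildcard_matches(b, a):
                problems.append(f"{a} overlaps {b}")
    return problems

# Constructed sample lists (not taken from a real deployment).
GOOD = ["example.com", "www.example.com", "*.mail.example.com"]
BAD = ["*.example.com", "www.example.com", "a.a.example.com", "shop.example.org"]

if __name__ == "__main__":
    for label, lst in (("GOOD", GOOD), ("BAD", BAD)):
        issues = check_domain_list(lst, "example.com")
        print(label, "->", issues or "ok")
```
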
