User Guide

Onboarding applications

Configure FortiWeb Cloud to protect your web applications by following these steps.
To onboard applications by DevOps tools, see Using FortiWeb Cloud with DevOps tools.

  1. Go to www.fortiweb-cloud.com and log in with your FortiCloud account credentials.
  2. Click ADD APPLICATION near the top right corner of the page. The ADD APPLICATION Wizard will open. You can return to this page by navigating to Global > Applications.
  3. Web Application Configuration

    1. Web Application Name: Enter a name for this application that will make it easy for you to identify within the FortiWeb Cloud UI.
    2. Domain Name: You can add up to 10 domains. They should belong to the same root domain, such as www.example.com and mail.example.com.

      Note: Once the application is onboarded, you cannot change the first domain in the list. Therefore, it is strongly recommended to enter the root domain as the initial domain, for example, example.com or www.example.com.

    3. Wildcard entries are allowed for all domains in the list except the first one. Ensure that domain name entries don't overlap; for instance, you can't add both "www.example.com" and "*.example.com" together.

      Wildcards only match strings at the same domain level; for example, "a.example.com" matches "*.example.com", but "a.a.example.com" does not.

      You can later go to Network > Endpoints to change or add domains.

  4. Network Settings


    1. Select the services allowed on your application and their corresponding ports. FortiWeb Cloud listens for HTTP and/or HTTPS traffic on the selected ports to allow only legitimate traffic to pass through. If the port number you want to use is not in the drop-down list, contact Fortinet Support or your sales engineer to customize the port number. Note that not all non-standard ports can be used.
    2. Select the IP address/FQDN for your web application. FortiWeb Cloud will direct traffic to the specified IP address.
      FortiWeb Cloud automatically fetches and displays available IP addresses and/or FQDNs associated with your entered domain, using port 443 as the default. FortiWeb Cloud keeps this information up to date.
      You can also choose Customize to enter a different IP address/FQDN and port number.
      If there are multiple origin servers hosting your web application, you can add them later in Network > Origin Servers.
    3. Under Server Protocol, you can configure the connection between FortiWeb Cloud and the origin server. If you want to redirect HTTP traffic to HTTPS, ensure that you have selected HTTPS.
    4. Click Test Origin Server to ensure that FortiWeb Cloud can connect to the origin server. By default, FortiWeb Cloud sends a request to the URL path "/" to test the responsiveness of the server, then populates the response code received from the server in the Response Code field of the load balancing rule in Network > Origin Servers.
  5. Application Location

    In this step, FortiWeb Cloud automatically selects a scrubbing center for your application according to the following conditions:

    • FortiWeb Cloud checks whether your application server is deployed on AWS, Azure, or Google Cloud, then assigns a corresponding scrubbing center on the same cloud platform as your application server.
    • If your application server is deployed elsewhere, FortiWeb Cloud by default assigns a scrubbing center on AWS.

    See How does FortiWeb Cloud choose regions? for more information.

    After onboarding, you can switch the chosen scrubbing center within Global > Applications. However, you cannot select a scrubbing center from a different cloud platform. For instance, if your application server is on AWS, you cannot pick scrubbing centers deployed on Azure.

    1. CDN

      If you enable CDN, the data on your origin servers can be cached in FortiWeb Cloud scrubbing centers distributed around the world. When users visit your application, they can be directed to the nearest scrubbing center and rendered with the requested data.

      With CDN enabled, you will be asked to select a specific continent or Global, which means your data will be cached on the scrubbing centers within a specific continent or around the world. Selecting a continent may reduce your traffic expense as data transfer is restricted within a continent rather than globally. For the impact on traffic expense when CDN is enabled, see CDN for more information.

      By default, CDN is not enabled. This keeps your traffic bill to a minimum. Moreover, keeping traffic within the same region can help address compliance concerns.

      However, if user experience is your top concern, we recommend enabling CDN.

      If you can't decide now, you can revisit this option in Global > Applications after this application is onboarded.

  6. Settings


    Configure Block mode and Template.

    1. When Block mode is enabled, FortiWeb Cloud blocks requests if they trigger a violation. It's recommended to leave it disabled for the first week. During this period you can observe the attack logs and fine-tune the web protection configurations.
      You can later enable the Block Mode in Dashboard when you are confident that the traffic flow is stable and the legitimate traffic is not falsely blocked as attacks.

    2. Enable Template if you would like to inherit WAF (Web Application Firewall) configurations from a template. You can edit the configuration after onboarding. See Templates for more information. Leave this option unchecked if you prefer to fully customize your configuration from scratch.

  7. DNS configuration

    Go to your DNS provider, update your DNS record, and create a new record for the Automatic Certificate challenge as recommended. This ensures that traffic to your application can be correctly directed to FortiWeb Cloud.

    If there are multiple DNS records corresponding to the domain name, make sure to change all the records using the provided CNAME. Otherwise, users may encounter errors when visiting your application. If the traffic to your application server should first be forwarded to a Content Distribution Service such as AWS CloudFront before flowing to FortiWeb Cloud for threat detection, refer to Using FortiWeb Cloud behind a Content Distribution Service.
    Note that FortiWeb Cloud cannot get the DNS status if you use CloudFront, so the DNS status will always be "Unknown" whether or not you have added the DNS record.
    For an example of how to change the DNS record, see Example: Changing DNS records on AWS Route 53.

    Note: You cannot directly access your website with the provided CNAME if you have not added the CNAME record in your DNS server. If you want to test it before changing the DNS record, follow the steps below.

    1. Run the ping or nslookup command to get the IP address of the CNAME.
    2. Modify the hosts file on Windows or Linux by adding an entry that maps, for example, www.<domain_name>.com to the IP address you got in Step 1.
    3. Access the domain name with the browser to test it.
  8. To access the application you just onboarded, navigate to Global > Applications and click the name of the application.

  9. The application security modules will appear in the navigation pane. FortiWeb Cloud automatically assigns a security policy with the most basic web protection rules enabled. You can select additional protection rules using the Modules tab. See How to add or remove a module.
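
The domain rules in step 3 (at most 10 domains, no wildcard in the first entry, one shared root domain, single-level wildcard matching, no overlapping entries) can be checked before opening the wizard. The following is an added example, not Fortinet code; the function names, the explicit root argument, and the restriction of "*" to the whole leftmost label are assumptions made for this sketch.

```python
# Added example: pre-flight check of a domain list against the step 3 rules.
MAX_DOMAINS = 10  # limit stated in step 3


def wildcard_matches(pattern: str, host: str) -> bool:
    """True if host matches pattern; '*' covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    # Same number of labels, so "a.a.example.com" never matches "*.example.com".
    return len(p) == len(h) and h[0] not in ("", "*") and p[1:] == h[1:]


def validate_domains(domains: list[str], root: str) -> list[str]:
    """Return a list of problems; an empty list means the list passes."""
    names = [d.strip().lower().rstrip(".") for d in domains]
    root = root.lower().rstrip(".")  # assumption: caller supplies the root domain
    if not names:
        return ["no domains given"]
    problems = []
    if len(names) > MAX_DOMAINS:
        problems.append(f"{len(names)} domains given, limit is {MAX_DOMAINS}")
    if "*" in names[0]:
        problems.append(f"first domain {names[0]!r} must not be a wildcard")
    for n in names:
        if n != root and not n.endswith("." + root):
            problems.append(f"{n!r} is outside root domain {root!r}")
        if "*" in n and not (n.startswith("*.") and "*" not in n[2:]):
            problems.append(f"{n!r}: '*' is only handled as the whole leftmost label")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if a == b:
                problems.append(f"{a!r} is listed twice")
            elif wildcard_matches(a, b) or wildcard_matches(b, a):
                problems.append(f"{a!r} and {b!r} overlap")
    return problems


if __name__ == "__main__":
    # Constructed sample list: the wildcard overlaps the explicit www entry.
    sample = ["example.com", "www.example.com", "*.example.com"]
    for problem in validate_domains(sample, "example.com"):
        print(problem)
```
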
