Fortinet Document Library

Version:


Table of Contents

User Guide

Download PDF
Copy Link

Endpoints

Domain name

List the domains to protect. The protection policy configured for this application applies to all the domains.

  • You can add up to 10 domains. They should belong to the same root domain, such as www.example.com and mail.example.com.
  • Wildcard is supported except the first entry in the list. Make sure that the domain name entries do not overlap, for example, “www.example.com” can't be added together with “*.example.com” . The wildcard only matches with the string within the same domain level, for example, "a.example.com" matches with “*.example.com”, while "a.a.example.com" doesn't.
  • Once the application is onboarded, you are not allowed to change the first domain. Highly recommend to use root domain for the first domain, e.g. example.com or www.example.com.

Traffic Type

Select HTTP, HTTPS, HTTP/2, or IPv6 to define the traffic types allowed to arrive at the domains of your application.

HTTP

Select the port number for HTTP service.

HTTPS

If HTTPS is allowed, you will be required to configure the Local Certificate and SSL/TLS settings.

Notes:

  • With both HTTP and HTTPS enabled, selecting port 80 for HTTP will by default allow 443 for HTTPS, even if you select a different port number for HTTPS. For example, if you select 80 for HTTP and 7443 for HTTPS, the HTTPS connections can be transferred through either 443 or 7443.
  • If the port number for HTTPS service is not 443, FortiWeb Cloud can't redirect HTTP traffic to HTTPS.

If the HTTP and HTTPS port number you want to use is not in the drop-down list, please contact Fortinet Support or your sales engineer to customize the port number. Notice not all non-standard ports can be used, and HTTP and HTTPS services must use different ports.

SSL Certificate

The SSL certificate is used to encrypt the HTTPS connections between users and FortiWeb Cloud. Without a valid certificate, users will see a certificate invalid warning when they visit your application.

By default, FortiWeb Cloud automatically retrieves SSL certificates from the Certificate Authority Let's Encrypt. If it fails, or if you would like to use your own certificate, you can manually upload it to FortiWeb Cloud.

FortiWeb Cloud will not apply automatic certificate if your application uses AWS CloudFront service.

Automatic Certificate

Before configuring Automatic Certificate, make sure:

  • You must have changed your DNS record to the CNAME or A record shown in the last step of the ADD APPLICATION wizard.
  • You must add "letsencrypt.org" in the CAA value if you have configured a CAA record at your DNS service. For more information, search CAA in FAQs.
  • The server health check status should be OK. If not, you should first disable health check so that it won't interrupt certificate retrieval. After the certificate is successfully retrieved, you can go ahead enable health check and troubleshoot the server connection issue.

Selecting the Challenge Type:

Let's Encrypt sends challenges to validate that you control the domain names you have listed while onboarding the application.

You can select HTTP Challenge or DNS Challenge. Please note that DNS challenge will be used for the wildcard domains regardless which challenge type you have chosen.

  • HTTP Challenge

    To pass the challenge, you must change all the DNS entries for the domains you listed.

  • DNS Challenge

    To pass the challenge, you need to create a new CNAME record for automatic certificate as well as change the DNS entries for the domains you listed. To avoid users encounter the "certificate invalid" error, you can first create the CNAME record (beginning with "_acme_challenge") to get the automatic certificate. After DNS status turns to OK, which means the certificate is successfully installed, you can then change the DNS records for your application's domains to direct the traffic to FortiWeb Cloud.

The challenge is handled automatically, but if you need to make some more complex configuration decisions, it’s useful to know more about them. See Challenge Types posted by Let's Encrypt.

Several minutes after the challenge is successful, FortiWeb Cloud obtains an SSL certificate on your behalf from Let’s Encrypt and installs it on your application. It will be used in HTTPS connections to encrypt or decrypt the traffic. If FortiWeb Cloud fails to retrieve the certificate, it will try again every 12 minutes on the 1st day, then once an hour on the 2nd and 3rd days. After that, it downgrades the frequency to once a day, until the certificate is successfully retrieved.

To retrieve the certificate immediately, click the Retrieve button beside Automatic Certificate to restore the interval count to the 1st day. FortiWeb Cloud will then retrieves certificate every 12 minutes, and so on.

Thirty days before your certificate expires, FortiWeb Cloud verifies again that your DNS CNAME record is still correct. If it is, FortiWeb Cloud renews your certificate for another 90 days, so it never expires.

Custom Certificate

FortiWeb Cloud may fail to retrieve the certificate for some reasons, for example, the HTTP traffic is not allowed on the endpoints. An exclamation mark will appear beside the Automatic Certificate option indicating the certificate fails to be retrieved.

In this case, or in case you would like to use your own certificate, you can import SNI certificates or intermediate certificates (optional).

  1. Select Custom Certificate on the Endpoints page.
  2. For SNI Certificate, click Import and copy the Private Key and Certificate values provided by your Certificate Authority.
    FortiWeb Cloud automatically parses information of the SNI certificates including issuance, expiration, status, and certificate chain, and changes them to recognizable formats.
    For status, when FortiWeb Cloud verifies with signature the private key and certificate values are consistent, the status is OK; when FortiWeb Cloud verifies the certificate has expired, the status is Expired; when FortiWeb Cloud verifies the certificate is valid, while the certificate chain verification fails, the status is Invalid Chain.
    FortiWeb Cloud requires you to import the private key and certificate in separate fields. If you use a PKCS#12 certificate, refer to this article to extract the key and certificate: https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl

  3. For Intermediate Certificate (optional), click Import and copy the certificate value provided by your intermediate Certificate Authority.
    FortiWeb Cloud automatically parses information of the intermediate certificates including issuance, and expiration, and changes them to recognizable formats. Also, FortiWeb Cloud verifies the status and certificate chain.
    When an indeterminate certificate is successfully imported or deleted, FortiWeb Cloud reverifies the expiration and certificate chain.

You can import at most 32 SNI certificates and intermediate certificates respectively. Contact support team if you want to extend the limits. See Contacting customer service for how to submit a support ticket.

SSL/TLS

SSL/TLS Versions: Select which versions of SSL or TLS protocols are allowed for the HTTPS connections between FortiWeb Cloud and the clients.

SSL/TLS Encryption Level: The HTTPS traffic is encrypted or decrypted with ciphers.

The SSL/TLS Encryption Level controls how many ciphers are supported and the settings provides the following options:

note icon

When HTTP/2 is enabled, only certain TLS 1.3 and TLS 1.2 ciphers will be supported for all SSL/TLS encryption levels.

Redirect all HTTP traffic to HTTPS: Select to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. Do not enable this option if you have only one origin server and want FortiWeb Cloud to communicate with the origin server over both HTTP and HTTPS protocols.

If you want to provide different content over HTTP and HTTPS protocols, Please refer to Network settings for applications serving different content over HTTP and HTTPS

HTTP Strict Transport Security (HSTS): Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as: Strict-Transport-Security: max-age=31536000.

This header forces clients to use HTTPS for subsequent visits to this domain. If the certificate is invalid, the client’s web browser receives a fatal connection error and does not display a dialog that allows the user to override the certificate mismatch error and continue.

HSTS Max-age: Specify the time to live in seconds for the HSTS header. The HSTS enforcement will be lifted after the specified max-age. Subsequent visits will not be required to use HTTPS.

Secure flag for internal Cookie: Enable to add the secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page. When enabled, only the HTTPS request contains cookie, while the HTTP is cookieless.

HTTP Only flag for internal Cookie: Enable to add the "HTTP Only" flag to internal cookies, which prevents client-side scripts from accessing the cookie.

Advanced Settings

Configure the following settings:

HTTP/2 Enable to accept HTTP/2 traffic.
IPv6 If IPv6 is enabled, both IPv4 and IPv6 are allowed to your application. If disabled, only IPv4 traffic is allowed.
Custom Block Page

Select the block page that FortiWeb Cloud displays to your users. It contains the following messages:

  • The error page FortiWeb Cloud uses to respond to an HTTP request that violates a policy and the configured action is Deny or Period Block.
  • The "Server Unavailable!" page that FortiWeb Cloud returns to the client when none of the server pool members are available either because their status is Disable or Maintenance or they have failed the configured health check.
  • The Captcha enforcement pages that FortiWeb Cloud uses to differentiate between real users and automated users, such as bots.

The custom block page is configured in Global > Custom Block Pages.

Endpoints

Domain name

List the domains to protect. The protection policy configured for this application applies to all the domains.

  • You can add up to 10 domains. They should belong to the same root domain, such as www.example.com and mail.example.com.
  • Wildcard is supported except the first entry in the list. Make sure that the domain name entries do not overlap, for example, “www.example.com” can't be added together with “*.example.com” . The wildcard only matches with the string within the same domain level, for example, "a.example.com" matches with “*.example.com”, while "a.a.example.com" doesn't.
  • Once the application is onboarded, you are not allowed to change the first domain. Highly recommend to use root domain for the first domain, e.g. example.com or www.example.com.

Traffic Type

Select HTTP, HTTPS, HTTP/2, or IPv6 to define the traffic types allowed to arrive at the domains of your application.

HTTP

Select the port number for HTTP service.

HTTPS

If HTTPS is allowed, you will be required to configure the Local Certificate and SSL/TLS settings.

Notes:

  • With both HTTP and HTTPS enabled, selecting port 80 for HTTP will by default allow 443 for HTTPS, even if you select a different port number for HTTPS. For example, if you select 80 for HTTP and 7443 for HTTPS, the HTTPS connections can be transferred through either 443 or 7443.
  • If the port number for HTTPS service is not 443, FortiWeb Cloud can't redirect HTTP traffic to HTTPS.

If the HTTP and HTTPS port number you want to use is not in the drop-down list, please contact Fortinet Support or your sales engineer to customize the port number. Notice not all non-standard ports can be used, and HTTP and HTTPS services must use different ports.

SSL Certificate

The SSL certificate is used to encrypt the HTTPS connections between users and FortiWeb Cloud. Without a valid certificate, users will see a certificate invalid warning when they visit your application.

By default, FortiWeb Cloud automatically retrieves SSL certificates from the Certificate Authority Let's Encrypt. If it fails, or if you would like to use your own certificate, you can manually upload it to FortiWeb Cloud.

FortiWeb Cloud will not apply automatic certificate if your application uses AWS CloudFront service.

Automatic Certificate

Before configuring Automatic Certificate, make sure:

  • You must have changed your DNS record to the CNAME or A record shown in the last step of the ADD APPLICATION wizard.
  • You must add "letsencrypt.org" in the CAA value if you have configured a CAA record at your DNS service. For more information, search CAA in FAQs.
  • The server health check status should be OK. If not, you should first disable health check so that it won't interrupt certificate retrieval. After the certificate is successfully retrieved, you can go ahead enable health check and troubleshoot the server connection issue.

Selecting the Challenge Type:

Let's Encrypt sends challenges to validate that you control the domain names you have listed while onboarding the application.

You can select HTTP Challenge or DNS Challenge. Please note that DNS challenge will be used for the wildcard domains regardless which challenge type you have chosen.

  • HTTP Challenge

    To pass the challenge, you must change all the DNS entries for the domains you listed.

  • DNS Challenge

    To pass the challenge, you need to create a new CNAME record for automatic certificate as well as change the DNS entries for the domains you listed. To avoid users encounter the "certificate invalid" error, you can first create the CNAME record (beginning with "_acme_challenge") to get the automatic certificate. After DNS status turns to OK, which means the certificate is successfully installed, you can then change the DNS records for your application's domains to direct the traffic to FortiWeb Cloud.

The challenge is handled automatically, but if you need to make some more complex configuration decisions, it’s useful to know more about them. See Challenge Types posted by Let's Encrypt.

Several minutes after the challenge is successful, FortiWeb Cloud obtains an SSL certificate on your behalf from Let’s Encrypt and installs it on your application. It will be used in HTTPS connections to encrypt or decrypt the traffic. If FortiWeb Cloud fails to retrieve the certificate, it will try again every 12 minutes on the 1st day, then once an hour on the 2nd and 3rd days. After that, it downgrades the frequency to once a day, until the certificate is successfully retrieved.

To retrieve the certificate immediately, click the Retrieve button beside Automatic Certificate to restore the interval count to the 1st day. FortiWeb Cloud will then retrieves certificate every 12 minutes, and so on.

Thirty days before your certificate expires, FortiWeb Cloud verifies again that your DNS CNAME record is still correct. If it is, FortiWeb Cloud renews your certificate for another 90 days, so it never expires.

Custom Certificate

FortiWeb Cloud may fail to retrieve the certificate for some reasons, for example, the HTTP traffic is not allowed on the endpoints. An exclamation mark will appear beside the Automatic Certificate option indicating the certificate fails to be retrieved.

In this case, or in case you would like to use your own certificate, you can import SNI certificates or intermediate certificates (optional).

  1. Select Custom Certificate on the Endpoints page.
  2. For SNI Certificate, click Import and copy the Private Key and Certificate values provided by your Certificate Authority.
    FortiWeb Cloud automatically parses information of the SNI certificates including issuance, expiration, status, and certificate chain, and changes them to recognizable formats.
    For status, when FortiWeb Cloud verifies with signature the private key and certificate values are consistent, the status is OK; when FortiWeb Cloud verifies the certificate has expired, the status is Expired; when FortiWeb Cloud verifies the certificate is valid, while the certificate chain verification fails, the status is Invalid Chain.
    FortiWeb Cloud requires you to import the private key and certificate in separate fields. If you use a PKCS#12 certificate, refer to this article to extract the key and certificate: https://www.ssl.com/how-to/export-certificates-private-key-from-pkcs12-file-with-openssl

  3. For Intermediate Certificate (optional), click Import and copy the certificate value provided by your intermediate Certificate Authority.
    FortiWeb Cloud automatically parses information of the intermediate certificates including issuance, and expiration, and changes them to recognizable formats. Also, FortiWeb Cloud verifies the status and certificate chain.
    When an indeterminate certificate is successfully imported or deleted, FortiWeb Cloud reverifies the expiration and certificate chain.

You can import at most 32 SNI certificates and intermediate certificates respectively. Contact support team if you want to extend the limits. See Contacting customer service for how to submit a support ticket.

SSL/TLS

SSL/TLS Versions: Select which versions of SSL or TLS protocols are allowed for the HTTPS connections between FortiWeb Cloud and the clients.

SSL/TLS Encryption Level: The HTTPS traffic is encrypted or decrypted with ciphers.

The SSL/TLS Encryption Level controls how many ciphers are supported and the settings provides the following options:

note icon

When HTTP/2 is enabled, only certain TLS 1.3 and TLS 1.2 ciphers will be supported for all SSL/TLS encryption levels.

Redirect all HTTP traffic to HTTPS: Select to automatically redirect all HTTP requests to the HTTPS service with the same URL and parameters. Do not enable this option if you have only one origin server and want FortiWeb Cloud to communicate with the origin server over both HTTP and HTTPS protocols.

If you want to provide different content over HTTP and HTTPS protocols, Please refer to Network settings for applications serving different content over HTTP and HTTPS

HTTP Strict Transport Security (HSTS): Enable to combat MITM attacks on HTTP by injecting the RFC 6797 (http://tools.ietf.org/html/rfc6797) strict transport security header into the reply, such as: Strict-Transport-Security: max-age=31536000.

This header forces clients to use HTTPS for subsequent visits to this domain. If the certificate is invalid, the client’s web browser receives a fatal connection error and does not display a dialog that allows the user to override the certificate mismatch error and continue.

HSTS Max-age: Specify the time to live in seconds for the HSTS header. The HSTS enforcement will be lifted after the specified max-age. Subsequent visits will not be required to use HTTPS.

Secure flag for internal Cookie: Enable to add the secure flag to cookies, which forces browsers to return the cookie only when the request is for an HTTPS page. When enabled, only the HTTPS request contains cookie, while the HTTP is cookieless.

HTTP Only flag for internal Cookie: Enable to add the "HTTP Only" flag to internal cookies, which prevents client-side scripts from accessing the cookie.

Advanced Settings

Configure the following settings:

HTTP/2 Enable to accept HTTP/2 traffic.
IPv6 If IPv6 is enabled, both IPv4 and IPv6 are allowed to your application. If disabled, only IPv4 traffic is allowed.
Custom Block Page

Select the block page that FortiWeb Cloud displays to your users. It contains the following messages:

  • The error page FortiWeb Cloud uses to respond to an HTTP request that violates a policy and the configured action is Deny or Period Block.
  • The "Server Unavailable!" page that FortiWeb Cloud returns to the client when none of the server pool members are available either because their status is Disable or Maintenance or they have failed the configured health check.
  • The Captcha enforcement pages that FortiWeb Cloud uses to differentiate between real users and automated users, such as bots.

The custom block page is configured in Global > Custom Block Pages.