For how to onboard applications, please refer to Getting Started in our online help.
It's suggested to perform the following actions after an application is onboarded:
- Change the DNS record at your DNS service using the CNAME provided by FortiWeb Cloud. Here is an example of how to change a DNS record on AWS Route 53.
- Configure your origin servers to only accept traffic from FortiWeb Cloud IP addresses. See this article for a list of FortiWeb Cloud IP addresses.
- Configure security rules and observe the attack logs in FortiView. If legitimate traffic is falsely detected as attacks, add exceptions or modify the security rules to avoid false positives in the future. See Log Settings for how to add exceptions.
- Enable Block Mode in Global > Applications if you have continuously observed the attack logs for several days and there aren't any false positives recorded in the logs.
- Allow FortiWeb Cloud IP addresses to make sure access from FortiWeb Cloud to your web application is uninterrupted. See this article for a list of FortiWeb Cloud IP addresses.
To prevent log poisoning, it's recommended to set filters on your log server to allow only the traffic from FortiWeb Cloud. The source IPs are as follows:
- 184.108.40.206 (US - Virginia)
- 220.127.116.11 (EU - Frankfurt)
In FortiWeb Cloud, an application is a declared domain name plus up to 9 other domain names attached to it, all of which belong to the same root domain and all point to the same origin server(s). For example, "example.com" and "test.example.com" can be part of the same application "example.com", while "test.com" is a different application. Wildcards are supported for non-root domain names, but the domain name entries in the list must not overlap; for example, "www.fortinet.com" can't be added together with "*.fortinet.com".
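The following is an added pre-flight check (not FortiWeb Cloud code) that applies the domain-list rules stated above before onboarding: at most 10 entries, one root domain, wildcards only below the root, and no overlapping entries. It assumes the root domain is simply the last two labels (no public-suffix handling) and that a wildcard `*.x` covers every name with one or more labels under `x`.

```python
"""Added example (not FortiWeb Cloud code): pre-flight check of an
application's domain list against the FAQ rules: at most 10 entries, all
under one root domain, wildcards only below the root, no overlapping entries.
Assumptions: root domain = last two labels (no public-suffix list); a
wildcard "*.x" covers every name with one or more labels under x.
"""
MAX_DOMAINS = 10


def normalize(name):
    return name.strip().lower().rstrip(".")


def root_domain(name):
    # Assumption: root = last two labels (example.com); no public-suffix list.
    return ".".join(normalize(name).split(".")[-2:])


def wildcard_covers(pattern, name):
    """True if 'pattern' is a wildcard entry (*.x) that also matches 'name'."""
    return pattern.startswith("*.") and name != pattern and name.endswith(pattern[1:])


def validate_application_domains(domains):
    """Return a list of problems; an empty list means the set is acceptable."""
    names = [normalize(d) for d in domains]
    problems = []
    if len(names) > MAX_DOMAINS:
        problems.append(f"{len(names)} entries exceed the limit of {MAX_DOMAINS}")
    if len(set(names)) != len(names):
        problems.append("duplicate entries")
    roots = {root_domain(n) for n in names}
    if len(roots) > 1:
        problems.append(f"entries span several root domains: {sorted(roots)}")
    for n in names:
        # A wildcard must sit below a root: *.com is rejected, *.example.com is fine.
        if n.startswith("*.") and n[2:].count(".") < 1:
            problems.append(f"wildcard {n} is not below a root domain")
    for pattern in names:
        for n in names:
            if wildcard_covers(pattern, n):
                problems.append(f"{pattern} overlaps with {n}")
    return problems


if __name__ == "__main__":
    print(validate_application_domains(["www.fortinet.com", "*.fortinet.com"]))
```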
A CNAME record is one of the DNS zone record types (a zone may or may not contain one) and is used to alias one name to another. A CNAME record has a name as its record NAME, the record TYPE "CNAME", and another name as its VALUE. The VALUE field of a CNAME record is often called the CNAME, or canonical (true) name.
When you complete onboarding an application, FortiWeb Cloud provides you with a CNAME. You need to go to your DNS service and pair this CNAME with your application's domain name.
If your DNS service does not support CNAME, the workaround is to pair your application's domain name with the IP addresses of the FortiWeb Cloud scrubbing center deployed in the same region as your origin server. See this article for a list of FortiWeb Cloud IP addresses.
Please note the CDN feature won't be available in this scenario because all the traffic will be forwarded to a fixed scrubbing center.
FortiWeb Cloud supports most of the regions on AWS, Azure, and Google Cloud. See this article for a detailed list of supported regions.
By enabling CDN, the data on your origin servers can be cached in FortiWeb Cloud scrubbing centers distributed around the world. When users request data from your application, they can be directed to the nearest scrubbing center and rendered with the requested data. For the list of scrubbing centers, see Restricting direct traffic & allowing FortiWeb Cloud IP addresses.
You can enable CDN when onboarding an application, or set this option in the Application Settings dialog (Global > Applications).
FortiWeb Cloud by default uses port 80 for HTTP and port 443 for HTTPS. Non-standard ports are also available; you can select them when you onboard applications. Please note that if a non-standard port is selected for HTTPS, you will not be allowed to configure HTTPS redirection.
If you need to use different ports, please contact Fortinet Support or your sales engineer for further help. Note that not all non-standard ports can be used, and HTTP and HTTPS services must use different ports.
Up to 10 domains are supported in one single application. They should all belong to the same root domain and point to the same origin server(s).
Yes, all the domains should belong to the same root domain, such as www.example.com and mail.example.com.
After the application is onboarded, you can go to Network > Endpoints to change or add domains, but you are not allowed to change the first domain in the list. It is highly recommended to use the root domain as the first domain.
You can add at most 128 origin servers to the server pool of an application.
FortiWeb Cloud automatically obtains an SSL certificate on your behalf from Let’s Encrypt within two minutes of the DNS CNAME record change. It will be used in HTTPS connections to encrypt or decrypt the traffic. If FortiWeb Cloud fails to obtain the certificate, it will try again 12 minutes later.
Thirty days before your certificate expires, FortiWeb Cloud verifies again that your DNS CNAME record is still correct. If it is, FortiWeb Cloud renews your certificate for another 90 days, so it never expires. For more information, see Automatic Certificate.
FortiWeb Cloud automatically retrieves SSL certificates from the Certificate Authority Let's Encrypt. See Automatic Certificate for the things you should pay attention to if automatic certificate is used.
DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.
If you have configured a CAA record at your DNS service and want to use automatic certificate in FortiWeb Cloud, make sure to add "letsencrypt.org" in the CAA value. This allows Let's Encrypt to issue certificates for your domain name.
Check the following if “connection is not secure” displays in the browser when users visit your application:
- If HTTP is used in this connection, it's suggested to enable the HTTPS service and Redirect all HTTP traffic to HTTPS in Network > Endpoints in FortiWeb Cloud, so that HTTP access is redirected to HTTPS, which is secured by SSL/TLS certificates.
- If HTTPS is used in this connection, check whether the certificates are valid:
  - If Custom Certificate is selected in Network > Endpoints, make sure the SNI certificates or intermediate certificates you imported are valid.
  - If Automatic Certificate is selected, see the following FAQs to troubleshoot:
What do I need to pay attention to if I use automatic certificates?
What’s a Certification Authority Authorization (CAA) record and do I need to use it? How does it affect automatic certificate?
When using FortiWeb Cloud, the client's requests from the Internet are forwarded to FortiWeb Cloud first before they reach the ALB/ELB.
When you onboard an application, for the Origin Server settings in Step 2 - Network, select Customize, then enter the ALB/ELB's domain name in IP Address or FQDN. Make sure to enter the domain name, not the IP address.
The DNS record that pairs the dynamic domain name with an IP address carries a TTL (Time to Live) value. FortiWeb Cloud refreshes the IP address according to this TTL: once the TTL indicates the cached IP address has expired, FortiWeb Cloud resolves the domain name again to obtain the latest IP address.
You can use Cloud Connectors to obtain the IP addresses if your origin servers are deployed on AWS, Azure, or GCP.
See Using FortiWeb Cloud behind a Content Distribution Service for detailed information.
See Network settings for applications serving different content over HTTP and HTTPS for more information.
- For subscriptions on AWS, Azure, and Google Cloud: You can unsubscribe from FortiWeb Cloud anytime, while the data in your FortiWeb Cloud account will be kept for an additional week.
- For FortiWeb Cloud contract: After the contract expires, FortiWeb Cloud continues protecting your applications for 21 days. During this period, you are not allowed to edit configuration for your applications unless the contract is renewed.
After the 21-day extension, your applications will be deleted from your FortiWeb Cloud account.
After you unsubscribe from FortiWeb Cloud, remember to replace CNAME with the right IP address in the DNS record so your web application does not experience service interruption.
The data for this application will be deleted and can't be restored.
From 21.3.b (09/03/2021), FortiWeb Cloud automatically synchronizes sub-users with the ones in your FortiCloud account and assigns them the "None" role. The role of the existing sub-users in your FortiWeb Cloud account will be reset to "None". To grant more permissions to a sub-user, go to Global > Admin Management, click the edit icon for this user, then assign it a different role. See Admin management.
The following security features are provided by FortiWeb Cloud:
- When Block Mode is enabled, FortiWeb Cloud blocks requests if they trigger violations. Your application server does not receive these requests.
- When Block Mode is disabled (that is, in Monitor mode), FortiWeb Cloud only monitors violations and generates logs for them. FortiWeb Cloud does not block the malicious requests. You can view the attack logs in FortiView or Attack Logs.
You can add exceptions in Attack Logs so that requests for the specified URL or parameter are not detected as attacks again. See Log Settings for more information.
You can also add exceptions in the following three security modules:
You can use the URL Access in Access Rules to define which HTTP requests FortiWeb Cloud accepts or denies based on their Host: name and URL, as well as the origin of the request. See URL Access for more information.
You can also add URL filters in Custom Rules to match the requests with specified URLs. See Custom Rule for more information.
No. FortiWeb Cloud does not charge for inbound traffic, so additional charges will not be incurred related to DDoS attacks.
FortiWeb Cloud provides Templates for you to create configuration templates and apply them to multiple applications. For more information, see Templates.
FortiWeb Cloud executes the security rules in a certain sequence. See Sequence of scans.
You can view the blocked requests in three places: 1) Attack Logs; 2) FortiView; 3) Blocked Requests widget on Dashboard. The ways they count the blocked requests are slightly different.
- Certain attack types such as Bot and DDoS attacks generate a large number of requests in a short time. To prevent numerous identical attack logs from flooding the UI, FortiWeb Cloud only logs the first request in Attack Logs and FortiView, while it shows the actual count in the Blocked Requests widget so you can see how many attack requests were actually blocked.
- To prevent Information Leakage, FortiWeb Cloud may cloak error pages or erase sensitive HTTP headers in response packets. Such items are logged only once per minute in Attack Logs and FortiView, so you can see that the Information Leakage rule took effect. Meanwhile, the actual count is recorded in the Blocked Requests widget.
- If you have set FortiWeb Cloud to block attacks without generating a log when a certain violation occurs, such as Deny (no log), then the attacks will not be logged in Attack Logs and FortiView, but will be counted in the Blocked Requests widget.
FortiWeb Cloud supports sending logs to your syslog or ElasticSearch server to notify you of origin server status changes.
- Enable Health Check for the origin server in the Load Balancing rule in Network > Origin Server. Please note this setting is only available when the Server Balance is turned on.
- Refer to Audit logs to export logs to your syslog server.
FortiWeb Cloud saves the attack logs for two months and the audit logs for three months. After that, they will be deleted.
FortiWeb Cloud offers Two-Factor Authentication to secure your FortiWeb Cloud account with an additional security token.
FortiWeb Cloud offers a 14-day free trial on public cloud platforms. After the free trial, you can subscribe to FortiWeb Cloud or purchase service contracts from Fortinet to continue using it.
- Subscribing through AWS Marketplace. The cost is calculated on the Pay-as-you-go basis.
- Subscribing through Azure Marketplace. The cost is calculated on the Pay-as-you-go basis.
- Subscribing through Google Cloud Marketplace. The cost is calculated on the Pay-as-you-go basis.
- Using a FortiWeb Cloud license purchased from your Fortinet reseller. The license allows you to protect a certain number of applications and specifies the maximum bandwidth.
Please note that if you have subscribed to FortiWeb Cloud on public cloud platforms and also imported a FortiWeb Cloud license in your account, it's recommended to unsubscribe from FortiWeb Cloud, otherwise you will be charged simultaneously through both channels.
If you purchase FortiWeb Cloud service from the Fortinet sales team, you will be charged for the Applications contract and the Bandwidth contract, which respectively control how many applications you can add to your account and the maximum bandwidth.
If you subscribe to FortiWeb Cloud through AWS, Azure, or Google Cloud, you will be charged on a pay-as-you-go basis for the data transferred out from FortiWeb Cloud to your application users. In this scenario, we don't limit the number of applications in your account.
The estimated cost shown in your FortiWeb Cloud account may not be accurate. It's estimated by FortiWeb Cloud based on the amount of data transferred in your account. The final cost is billed in your AWS/Azure/Google Cloud account, depending on where you subscribe.
FortiWeb Cloud measures each account using a burstable model for overall account bandwidth calculation. The model is based on the 95th percentile of clean-traffic bandwidth usage and is also common among other CDN and cloud solutions.
The 95th percentile bandwidth is calculated in the following way:
- Traffic for the entire month is measured in 5 minute buckets.
- At the end of the month, the 5% of buckets with the most Mbps are dropped, and the highest Mbps rate of the remaining buckets represents the 95th percentile value for the account.
At the beginning of every month, the 95th percentile bandwidth shown in FortiWeb Cloud might be very low, or even shown as 0. This is because there aren't enough 5-minute buckets collected to calculate a valid value. At the end of the month with more buckets generated, the value becomes more accurate.
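To make the burstable model concrete, here is an added illustration (not FortiWeb Cloud's billing code) that aggregates constructed traffic samples into 5-minute buckets, drops the top 5% of buckets and reports the peak of the remainder; it also shows why two short 500 Mbps bursts leave the 95th-percentile value at the steady 10 Mbps rate. It assumes the input is a list of (epoch seconds, bytes) samples and that only buckets that saw traffic are counted.

```python
"""Added example: 95th-percentile (burstable) bandwidth from 5-minute buckets.
Illustrative code written for this FAQ, not FortiWeb Cloud's billing code.
It follows the description above: aggregate clean traffic into 5-minute
buckets, drop the top 5% of buckets, and report the peak of the remainder.
"""
from collections import defaultdict

BUCKET_SECONDS = 300  # 5-minute buckets, as the FAQ describes


def bucketize_mbps(samples):
    """Group (epoch_seconds, bytes) samples into 5-minute buckets and return each
    bucket's average rate in Mbps, ordered by start time (assumption: only buckets
    that saw traffic are emitted)."""
    per_bucket_bytes = defaultdict(int)
    for ts, nbytes in samples:
        per_bucket_bytes[ts - ts % BUCKET_SECONDS] += nbytes
    return [per_bucket_bytes[start] * 8 / (BUCKET_SECONDS * 1_000_000)
            for start in sorted(per_bucket_bytes)]


def p95_bandwidth_mbps(bucket_rates):
    """Drop the 5% highest buckets; the highest remaining rate is the P95 value."""
    if not bucket_rates:
        return 0.0  # nothing collected yet, e.g. at the start of a month
    ranked = sorted(bucket_rates, reverse=True)
    drop = len(ranked) * 5 // 100  # fewer than 20 buckets: nothing is dropped
    return ranked[drop]


def constructed_samples():
    """Constructed traffic: 40 buckets, 38 steady at 10 Mbps and two 500 Mbps bursts
    (buckets 7 and 23); each bucket is split into two samples to exercise aggregation."""
    steady = 10 * 1_000_000 * BUCKET_SECONDS // 8    # bytes per bucket at 10 Mbps
    burst = 500 * 1_000_000 * BUCKET_SECONDS // 8    # bytes per bucket at 500 Mbps
    base = 1_700_000_100                             # arbitrary, bucket-aligned epoch
    samples = []
    for i in range(40):
        start = base + i * BUCKET_SECONDS
        total = burst if i in (7, 23) else steady
        samples.append((start + 30, total // 2))
        samples.append((start + 200, total - total // 2))
    return samples


if __name__ == "__main__":
    rates = bucketize_mbps(constructed_samples())
    print(f"{len(rates)} buckets, peak {max(rates):.1f} Mbps, "
          f"95th percentile {p95_bandwidth_mbps(rates):.1f} Mbps")
```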
FortiWeb Cloud supports the following web browsers:
- Mozilla Firefox version 59 or higher
- Google Chrome version 65 or higher
You can submit a support ticket to the support team. See Contacting customer service.
See Registering SN number for how to find the SN number and register it.
If the SN number has already been registered, you can find it through Asset > Manage/View Products on Fortinet Support site https://support.fortinet.com/.