Fortinet Document Library

Version:


Table of Contents

User Guide

Download PDF
Copy Link

 

Using FortiWeb Cloud behind a Content Distribution Service

If the traffic to your application server should be first forwarded to a Content Distribution Service, then flows to FortiWeb Cloud for threat detection, perform the following steps so that the traffic can correctly go through. In this example we assume the Content Distribution Service is AWS CloudFront.

 

Step 1 - Onboarding your application on FortiWeb Cloud

  1. Refer to Getting Started in FortiWeb Cloud Online Help to onboard your application.
    • DO NOT enable CDN. A FortiWeb Cloud scrubbing center located nearest to your application server will be assigned. In your scenario, it's unnecessary to use the CDN feature of FortiWeb Cloud because AWS CloudFront already serves this purpose.
    • Take note of the CNAME provided by FortiWeb Cloud.
  2. Go to your DNS service to create or modify the DNS record to pair your application's domain name with the CNAME provided by FortiWeb Cloud.
    This step is to ensure that FortiWeb Cloud can successfully retrieve the SSL certificate from the certificate authority Let's Encrypt on your behalf. The SSL certificate is used for the HTTPS connections between CloudFront and FortiWeb Cloud. To make sure the domain name is indeed owned by you, Let's Encrypt will look up the DNS record to verify whether the CNAME provided by FortiWeb Cloud is paired with your application's domain name. For more information on the SSL certificate, see SSL Certificate.
  3. Wait several minutes until the check mark appears after the Automatic Certificate in Network > Endpoint in FortiWeb Cloud. It means the SSL certificate is successfully retrieved.

If you have your own SSL certificate and don't want to use the certificate issued by Let's Encrypt, you can skip step 2, then select Custom Certificate in Network > Endpoint to upload your own SSL certificate.

 

Step 2 - Creating a Distribution in CloudFront

  1. Log in to AWS cloud portal. Navigate to CloudFront.
  2. Click Create Distribution.
  3. Click Getting Started in the Web delivery method section.
  4. Configure the following options as described. For other options, you can configure them as you want. Refer to AWS online help for more information.
  5. Origin Settings

    Origin Domain Name Enter the CNAME provided by FortiWeb Cloud.
    Origin Protocol Policy Select Match Viewer so that the protocol used for the connections between CloudFront and FortiWeb Cloud can be HTTP or HTTPS. It matches with the protocol used by the viewer, for example, if the viewer connects to CloudFront using HTTPS, CloudFront will connect to FortiWeb Cloud using HTTPS.
    HTTP Port Set HTTP port value to 80.
    HTTPS Port Set HTTPS port value to 443.

    Default Cache Behavior Settings

    Viewer Protocol Policy

    You can set this option as you want, but, if you select Redirect HTTP to HTTPS, it's suggested to turn off Redirect all HTTP traffic to HTTPS in Network > Endpoint in FortiWeb Cloud. See Endpoints.

    Cache Based on Selected Request Headers Select Whitelist.

    Whitelist Headers

    Select Host from the list, then click Add. CloudFront will directly forward the host header to FortiWeb Cloud.

    If you don't add host in the whitelist, CloudFront will change the host value to the CNAME provided by FortiWeb Cloud. The packets will be dropped at FortiWeb Cloud, and cannot reach your application server.

    Forward Cookies Select All. Forward all cookies to FortiWeb Cloud for cookie security check.

    Distribution Settings

    Alternate Domain Names

    (CNAMEs)

    Enter an alternate domain name (for example, www.example.com). It's the domain name your users use to access your application. You can add multiple domain names. FortiWeb Cloud also supports multiple domain names for one application.

    SSL Certificate

    Select Custom SSL Certificate to upload the SSL certificate.

  6. Click Create Distribution.
  7. Wait several minutes for the status turning into Enabled.
  8. Take note of the Domain Name. You need to update the DNS record using this domain name.

 

Step 3 - Modifying DNS record to use the domain name provided by CloudFront

Go to your DNS service to modify the DNS record to route queries for the your application's domain name (e.g. www.example.com) to the CloudFront domain name (e.g. d1234.cloudfront.net).

If you use AWS Route 53, refer to Working with Records on how to create or change the DNS records.

At this point, the queries to your application's domain name should successfully be forwarded to CloudFront first, then reach FortiWeb Cloud.

 

Step 4 - Configuring Error Pages

When FortiWeb Cloud detects a violation to its security rules, it takes appropriate actions, such as blocking the request and returning an error code to the client who initiated this request. The error code is cached in CloudFront, so that when the same client initiates the same request next time, CloudFront can directly return this error code to the client.

However, the request might be falsely detected as a violation. You can add the request as an exception in FortiWeb Cloud so that it will not be detected as a violation next time, but, if you have set a long Minimum TTL, the client may keep receiving the cached error code until the minimum TTL passes. During this period, CloudFront uses the cached error code to respond to the subsequent requests instead of forwarding them to FortiWeb Cloud for re-processing.

In most cases, the minimum TTL in the distribution settings is set to a long time value because for efficiency considerations you may not want CloudFront to renew its caches too frequently, so, the optimal solution for the above mentioned error code caching problem is to set a comparatively shorter Minimum TTL specially for error codes.

In the following example shown in the screenshots, the Minimum TTL in the distribution is set to 500s, while the Minimum TTL for the error code is set much shorterly to 30s. This distinguishes the minimum TTL time for error codes and the rest content. The objects such as the rarely changing icons and background images stay in cache for a long time, while the error codes frequently renews.

 

To set the Minimum TTL for error pages:

  1. In the distribution list, find the distribution you just created. Click its ID to open the distribution details page.
  2. Select Error Pages tab.
  3. Click Create Custom Error Response to create a new error page, or click an existing error page to edit its Minimum TTL.
  4. Set Error Caching Minimum TTL (Seconds).
  5. Configure other options as desired.
  6. Click Create.

After you complete the settings above, you can go ahead configure security rules in FortiWeb Cloud to protect your application.

FortiWeb Cloud has a security module called Caching and Compression. It allows you to cache and compress objects that rarely change, such as icons, background images, movies. If you have configured CloudFront to cache such objects, you can disable this module in FortiWeb Cloud.

 

Using FortiWeb Cloud behind a Content Distribution Service

If the traffic to your application server should be first forwarded to a Content Distribution Service, then flows to FortiWeb Cloud for threat detection, perform the following steps so that the traffic can correctly go through. In this example we assume the Content Distribution Service is AWS CloudFront.

 

Step 1 - Onboarding your application on FortiWeb Cloud

  1. Refer to Getting Started in FortiWeb Cloud Online Help to onboard your application.
    • DO NOT enable CDN. A FortiWeb Cloud scrubbing center located nearest to your application server will be assigned. In your scenario, it's unnecessary to use the CDN feature of FortiWeb Cloud because AWS CloudFront already serves this purpose.
    • Take note of the CNAME provided by FortiWeb Cloud.
  2. Go to your DNS service to create or modify the DNS record to pair your application's domain name with the CNAME provided by FortiWeb Cloud.
    This step is to ensure that FortiWeb Cloud can successfully retrieve the SSL certificate from the certificate authority Let's Encrypt on your behalf. The SSL certificate is used for the HTTPS connections between CloudFront and FortiWeb Cloud. To make sure the domain name is indeed owned by you, Let's Encrypt will look up the DNS record to verify whether the CNAME provided by FortiWeb Cloud is paired with your application's domain name. For more information on the SSL certificate, see SSL Certificate.
  3. Wait several minutes until the check mark appears after the Automatic Certificate in Network > Endpoint in FortiWeb Cloud. It means the SSL certificate is successfully retrieved.

If you have your own SSL certificate and don't want to use the certificate issued by Let's Encrypt, you can skip step 2, then select Custom Certificate in Network > Endpoint to upload your own SSL certificate.

 

Step 2 - Creating a Distribution in CloudFront

  1. Log in to AWS cloud portal. Navigate to CloudFront.
  2. Click Create Distribution.
  3. Click Getting Started in the Web delivery method section.
  4. Configure the following options as described. For other options, you can configure them as you want. Refer to AWS online help for more information.
  5. Origin Settings

    Origin Domain Name Enter the CNAME provided by FortiWeb Cloud.
    Origin Protocol Policy Select Match Viewer so that the protocol used for the connections between CloudFront and FortiWeb Cloud can be HTTP or HTTPS. It matches with the protocol used by the viewer, for example, if the viewer connects to CloudFront using HTTPS, CloudFront will connect to FortiWeb Cloud using HTTPS.
    HTTP Port Set HTTP port value to 80.
    HTTPS Port Set HTTPS port value to 443.

    Default Cache Behavior Settings

    Viewer Protocol Policy

    You can set this option as you want, but, if you select Redirect HTTP to HTTPS, it's suggested to turn off Redirect all HTTP traffic to HTTPS in Network > Endpoint in FortiWeb Cloud. See Endpoints.

    Cache Based on Selected Request Headers Select Whitelist.

    Whitelist Headers

    Select Host from the list, then click Add. CloudFront will directly forward the host header to FortiWeb Cloud.

    If you don't add host in the whitelist, CloudFront will change the host value to the CNAME provided by FortiWeb Cloud. The packets will be dropped at FortiWeb Cloud, and cannot reach your application server.

    Forward Cookies Select All. Forward all cookies to FortiWeb Cloud for cookie security check.

    Distribution Settings

    Alternate Domain Names

    (CNAMEs)

    Enter an alternate domain name (for example, www.example.com). It's the domain name your users use to access your application. You can add multiple domain names. FortiWeb Cloud also supports multiple domain names for one application.

    SSL Certificate

    Select Custom SSL Certificate to upload the SSL certificate.

  6. Click Create Distribution.
  7. Wait several minutes for the status turning into Enabled.
  8. Take note of the Domain Name. You need to update the DNS record using this domain name.

 

Step 3 - Modifying DNS record to use the domain name provided by CloudFront

Go to your DNS service to modify the DNS record to route queries for the your application's domain name (e.g. www.example.com) to the CloudFront domain name (e.g. d1234.cloudfront.net).

If you use AWS Route 53, refer to Working with Records on how to create or change the DNS records.

At this point, the queries to your application's domain name should successfully be forwarded to CloudFront first, then reach FortiWeb Cloud.

 

Step 4 - Configuring Error Pages

When FortiWeb Cloud detects a violation to its security rules, it takes appropriate actions, such as blocking the request and returning an error code to the client who initiated this request. The error code is cached in CloudFront, so that when the same client initiates the same request next time, CloudFront can directly return this error code to the client.

However, the request might be falsely detected as a violation. You can add the request as an exception in FortiWeb Cloud so that it will not be detected as a violation next time, but, if you have set a long Minimum TTL, the client may keep receiving the cached error code until the minimum TTL passes. During this period, CloudFront uses the cached error code to respond to the subsequent requests instead of forwarding them to FortiWeb Cloud for re-processing.

In most cases, the minimum TTL in the distribution settings is set to a long time value because for efficiency considerations you may not want CloudFront to renew its caches too frequently, so, the optimal solution for the above mentioned error code caching problem is to set a comparatively shorter Minimum TTL specially for error codes.

In the following example shown in the screenshots, the Minimum TTL in the distribution is set to 500s, while the Minimum TTL for the error code is set much shorterly to 30s. This distinguishes the minimum TTL time for error codes and the rest content. The objects such as the rarely changing icons and background images stay in cache for a long time, while the error codes frequently renews.

 

To set the Minimum TTL for error pages:

  1. In the distribution list, find the distribution you just created. Click its ID to open the distribution details page.
  2. Select Error Pages tab.
  3. Click Create Custom Error Response to create a new error page, or click an existing error page to edit its Minimum TTL.
  4. Set Error Caching Minimum TTL (Seconds).
  5. Configure other options as desired.
  6. Click Create.

After you complete the settings above, you can go ahead configure security rules in FortiWeb Cloud to protect your application.

FortiWeb Cloud has a security module called Caching and Compression. It allows you to cache and compress objects that rarely change, such as icons, background images, movies. If you have configured CloudFront to cache such objects, you can disable this module in FortiWeb Cloud.