router setting
Use this command to change how FortiWeb handles non-HTTP/HTTPS traffic (for example, SSH and FTP) when it is operating in Reverse Proxy mode.
When this setting is disabled (the default) and FortiWeb is operating in Reverse Proxy mode, the appliance drops any non-HTTP/HTTPS traffic.
When this setting is enabled and FortiWeb is operating in Reverse Proxy mode, the appliance handles non-HTTP/HTTPS protocols in the following ways:
- Any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.
- For any non-HTTP/HTTPS traffic destined for another destination (for example, a back-end server), FortiWeb acts as a router and forwards it based on its destination address.
This command has no effect when FortiWeb is operating in transparent modes, which allow and forward non-HTTP/HTTPS packets by default.
Use this setting only if necessary. For security and performance reasons, if you have a FortiGate with an Internet/public address virtual IP (VIP) that forwards traffic to your FortiWeb, and your FortiWeb is on the same subnet as your web servers, do not use this setting. Instead, configure the VIP to forward:
This avoids latency related to an extra hop. It also avoids accidentally forwarding unscanned protocols. Routing is best effort. Not all protocols may be supported, such as Citrix Receiver (formerly ICA).
FortiWeb appliances are designed to provide in-depth protection specifically for the HTTP and HTTPS protocols. Because of this, when in Reverse Proxy mode, by default, FortiWeb does not forward non-HTTP/HTTPS protocols to your protected web servers. That is, IP-based forwarding is disabled. Traffic is only forwarded if picked up and scanned by the HTTP Reverse Proxy. This provides a secure default configuration by blocking traffic to services that might have been unintentionally left open and should not be accessible to the general public.
In some cases, however, a web server provides more services, not just HTTP or HTTPS. A typical exception is a server that also allows SFTP and SSH access. In these cases, enable routing to allow FortiWeb to route the non-HTTP/HTTPS traffic to the server using the server’s IP address. For HTTP/HTTPS services, direct traffic to the IP address of the FortiWeb virtual server, which forwards requests to the back-end server after inspection.
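As an added example (not FortiWeb's own code), the following Python model encodes the forwarding rules described above, so you can check which back-end services become reachable through the appliance before enabling ip-forward. The virtual server address, static route and service inventory are constructed values; classifying traffic by protocol name is an assumption of the model.

```python
# Model of the FortiWeb reverse-proxy forwarding decision (added example, not FortiWeb code).
import ipaddress
from dataclasses import dataclass, field, replace

HTTP_PROTOS = {"HTTP", "HTTPS"}  # assumption: traffic is already classified by protocol


@dataclass
class FortiWebModel:
    mode: str                                   # "reverse-proxy" or "transparent"
    ip_forward: bool = False                    # set ip-forward {enable | disable}
    ip6_forward: bool = False                   # set ip6-forward {enable | disable}
    virtual_servers: set = field(default_factory=set)   # virtual server IPs on the appliance
    static_routes: list = field(default_factory=list)   # CIDR strings from config router static

    def decide(self, dst_ip: str, proto: str) -> str:
        """Return 'proxy', 'forward' or 'drop' for a packet to dst_ip carrying proto."""
        if self.mode == "transparent":
            # Transparent modes forward non-HTTP/HTTPS by default; ip-forward has no effect.
            return "proxy" if proto in HTTP_PROTOS else "forward"
        if proto in HTTP_PROTOS and dst_ip in self.virtual_servers:
            return "proxy"                      # picked up and scanned by the HTTP reverse proxy
        addr = ipaddress.ip_address(dst_ip)
        forwarding = self.ip_forward if addr.version == 4 else self.ip6_forward
        if not forwarding or dst_ip in self.virtual_servers:
            # Secure default: nothing the proxy did not pick up is forwarded.
            # Even with forwarding on, non-HTTP/HTTPS traffic to a virtual server is dropped.
            return "drop"
        # Best-effort routing: forward only when a static route matches the destination.
        # Note this also carries HTTP/HTTPS sent directly to a back end, uninspected.
        if any(addr in ipaddress.ip_network(r) for r in self.static_routes):
            return "forward"
        return "drop"


def newly_exposed(model: FortiWebModel, inventory) -> list:
    """Services (dst_ip, proto) that enabling ip-forward/ip6-forward would make reachable.

    inventory: iterable of (ip, proto) pairs, e.g. from a scan of your own back-end subnet.
    """
    before = replace(model, ip_forward=False, ip6_forward=False)
    after = replace(model, ip_forward=True, ip6_forward=True)
    return [(ip, p) for ip, p in inventory
            if before.decide(ip, p) == "drop" and after.decide(ip, p) == "forward"]


if __name__ == "__main__":
    fw = FortiWebModel("reverse-proxy", virtual_servers={"203.0.113.10"},
                       static_routes=["192.0.2.0/24"])
    inventory = [("192.0.2.20", "SSH"), ("192.0.2.20", "HTTPS"), ("203.0.113.10", "SSH")]
    print(newly_exposed(fw, inventory))   # constructed inventory; review before enabling
```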
This command has no equivalent in the web UI.
Use the following commands to retrieve information about current static route values:
config router setting
get route static
end
Use the following commands to view the current value of ip-forward:
config router setting
get route setting
end
To use this command, your administrator account's access control profile must have either w or rw permission to the netgrp area. For details, see Permissions.
Syntax
config router setting
set ip-forward {enable | disable}
set ip6-forward {enable | disable}
end
Variable | Description | Default
--- | --- | ---
ip-forward {enable \| disable} | Enable to forward non-HTTP/HTTPS traffic if its IPv4 IP address matches a static route. | disable
ip6-forward {enable \| disable} | Enable to forward non-HTTP/HTTPS traffic if its IPv6 IP address matches a static route. | disable
Example
This example enables forwarding of non-HTTP/HTTPS traffic, based upon whether the IP address matches a route for the web servers’ subnet, and regardless of HTTP proxy pickup.
config router setting
set ip-forward enable
end
Related topics
- router static
- router policy
- router all