CLI Reference

router setting

Use this command to change how FortiWeb handles non-HTTP/HTTPS traffic (for example, SSH and FTP) when it is operating in Reverse Proxy mode.

When this setting is disabled (the default) and FortiWeb is operating in Reverse Proxy mode, the appliance drops any non-HTTP/HTTPS traffic.

When this setting is enabled and FortiWeb is operating in Reverse Proxy mode, the appliance handles non-HTTP/HTTPS protocols in the following ways:

  • Any non-HTTP/HTTPS traffic destined for a virtual server on the appliance is dropped.
  • For any non-HTTP/HTTPS traffic destined for another destination (for example, a back-end server), FortiWeb acts as a router and forwards it based on its destination address.

This command has no effect when FortiWeb is operating in transparent modes, which allow and forward non-HTTP/HTTPS packets by default.

Use this setting only if necessary. For security and performance reasons, if you have a FortiGate with an Internet/public address virtual IP (VIP) that forwards traffic to your FortiWeb, and your FortiWeb is on the same subnet as your web servers, do not use this setting. Instead, configure the VIP to forward:

  • only HTTP/HTTPS to FortiWeb, which forwards it to your servers
  • specific traffic such as SSH or SFTP directly to your servers

This avoids latency related to an extra hop. It also avoids accidentally forwarding unscanned protocols.

Routing is best effort. Not all protocols may be supported, such as Citrix Receiver (formerly ICA).

FortiWeb appliances are designed to provide in-depth protection specifically for the HTTP and HTTPS protocols. Because of this, when in Reverse Proxy mode, by default, FortiWeb does not forward non-HTTP/HTTPS protocols to your protected web servers. That is, IP-based forwarding is disabled. Traffic is only forwarded if picked up and scanned by the HTTP Reverse Proxy. This provides a secure default configuration by blocking traffic to services that might have been unintentionally left open and should not be accessible to the general public.

In some cases, however, a web server provides more services, not just HTTP or HTTPS. A typical exception is a server that also allows SFTP and SSH access. In these cases, enable routing to allow FortiWeb to route the non-HTTP/HTTPS traffic to the server using the server’s IP address. For HTTP/HTTPS services, direct traffic to the IP address of the FortiWeb virtual server, which forwards requests to the back-end server after inspection.

This command has no equivalent in the web UI.

Use the following commands to retrieve information about current static route values:

config router setting
    get route static
end

Use the following commands to view the current value of ip-forward:

config router setting
    get route setting
end

To use this command, your administrator account’s access control profile must have either w or rw permission to the netgrp area. For details, see Permissions.

Syntax

config router setting
    set ip-forward {enable | disable}
    set ip6-forward {enable | disable}
end

Variable                        Description                                                                           Default
ip-forward {enable | disable}   Enable to forward non-HTTP/HTTPS traffic if its IPv4 address matches a static route.   disable
ip6-forward {enable | disable}  Enable to forward non-HTTP/HTTPS traffic if its IPv6 address matches a static route.   disable

Example

This example enables forwarding of non-HTTP/HTTPS traffic, based upon whether the IP address matches a route for the web servers’ subnet, and regardless of HTTP proxy pickup.

config router setting
    set ip-forward enable
end
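As an added example (not from the Fortinet documentation), the following Python check reads the router setting block from a FortiWeb configuration export and reports whether ip-forward or ip6-forward departs from the documented drop-by-default posture. The configuration text is constructed here, and the function names are assumptions of this example.

```python
import re

# Constructed sample of a FortiWeb configuration export (not a real appliance
# backup): the router setting block shown on this page plus an unrelated block.
SAMPLE_CONFIG = """\
config system global
    set hostname fw-edge-1
end
config router setting
    set ip-forward enable
end
"""

# Documented defaults for this command: both forwarding settings disabled.
DEFAULTS = {"ip-forward": "disable", "ip6-forward": "disable"}

def parse_router_setting(config_text):
    """Return the effective ip-forward/ip6-forward values from a config dump.

    Keys absent from the 'config router setting' block keep their default,
    which matches how the appliance treats them; a missing block means all
    defaults apply.
    """
    values = dict(DEFAULTS)
    in_block = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config router setting":
            in_block = True
            continue
        if in_block and stripped == "end":
            break
        if in_block:
            m = re.match(r"set\s+(ip6?-forward)\s+(enable|disable)$", stripped)
            if m:
                values[m.group(1)] = m.group(2)
    return values

def forwarding_findings(config_text):
    """List the settings that deviate from the drop-by-default posture.

    Each finding names the setting so an operator can confirm that hosts
    reachable through a matching static route are meant to be exposed.
    """
    effective = parse_router_setting(config_text)
    return sorted(k for k, v in effective.items() if v != DEFAULTS[k])

if __name__ == "__main__":
    for setting in forwarding_findings(SAMPLE_CONFIG):
        print(f"FINDING: {setting} is enabled; non-HTTP/HTTPS traffic matching "
              f"a static route is routed to the back-end instead of dropped")
```

Run it against a saved configuration backup instead of SAMPLE_CONFIG to audit a deployed appliance offline.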

Related topics
