Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 6.2.3 Administration Guide
    6.2.3
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Configuring the integrated firewall

    Configuring the integrated firewall

    You can add basic stateful firewall functionality when FortiWeb is in Reverse Proxy, True Transparent Proxy, and Transparent Inspection modes. The firewall monitors TCP, UDP, and ICMP traffic and determines which packets to allow. For details, see To configure the stateful firewall.

    You can also configure firewall SNAT policies that translate a matching source IP address to a single IP address or an IP address in an address pool. Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes. FortiWeb supports modifying the firewall configurations even if the license is expired. For details, see To configure a firewall SNAT policy.

    By default, the value of the system firewall policy Default Action setting is Accept. This allows any traffic that does not match a firewall policy rule to access the FortiWeb network interfaces.

    When the firewall policy Default Action setting is Deny and the policy has no rules, FortiWeb only allows administrative access to ports. For example, the firewall prevents requests that do no match a rule from reaching virtual servers.

    FortiWeb by default allows the connections from itself to the DNS server, even though the Default Action is Deny.
    To configure the stateful firewall
    1. Go to System > Firewall and select the Firewall Address tab.

      2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configurationcategory. For details, see Permissions.

    2. Click Create New.
    3. Configure these settings:
      Name Enter a name that identifies the firewall address.
      Type

      Select how this configuration specifies a firewall address or addresses:

      • IP/IP Range—A single IP or a range of IP addresses.
      • IP/Netmask—A single IP address and netmask.
      IP/Netmask

      or

      IP/IP Range

      Enter one of the following:

      • If Type is IP/Netmask, an IPv4 address and subnet mask, separated by a forward slash ( / ). For example, 192.0.2.2/24.
      • If Type is IP/IP Range, a single IP address or a range of addresses. For example, 172.22.14.1, or 172.22.14.1-172.22.14.256.
    4. Click OK.
    5. Add any additional firewall addresses you require.
    6. Go to System > Firewall and select the Firewall Service tab.

      7. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

    7. Click Create New.
    8. Configure these settings:
      Name Enter a name that identifies the firewall service.
      Protocol

      Select the protocol that this firewall service inspects: TCP, UDP, or ICMP.
      Minimum Source Port

      Select the start port in the range of source ports for this firewall service.

      The default value is 0.

      Not available if Protocol is IMCP.
      Maximum Source Port Select the end port in the range of source ports for this firewall service.

      The default value is 65535.

      Not available if Protocol is IMCP.
      Minimum Destination Port

      Select the start port in the range of destination ports for this firewall service.

      The default value is 0.

      Not available if Protocol is IMCP.
      Maximum Destination Port Select the end port in the range of destination ports for this firewall service.

      The default value is 65535.

      Not available if Protocol is IMCP.
    9. Add any additional firewall services you require.
    10. Go to System > Firewall and select the Firewall Policy tab.

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

    11. For Default Action, select one of the following:
      • Deny—Firewall blocks traffic that does not match a policy rule. However, administrative access is still allowed on network interfaces for which it has been configured.
      • Accept—Firewall allows traffic that does not match a policy rule.
    12. To add a policy rule, click Create New.
    13. Configure these settings:
      V-zone Enable

      Select to enable a V-zone (bridge). If this option is enabled, select a V-zone below. V-zones allow network connections to travel through FortiWeb's physical network ports without explicitly connecting to one of its IP addresses.

      This option is available only when the operation mode is True Transparent Proxy or Transparent Inspection mode.
      V-zone Select a configured V-zone. For details, see Configuring a bridge (V-zone)
      Ingress Interface Specify incoming traffic that this rule applies to by selecting a network interface.
      Egress Interface

      Specify outgoing traffic that this rule applies to by selecting a network interface.

      Source

      Specify the source address of traffic that this rule applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Address.
      Destination Specify the destination address of traffic that this rules applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Address.
      Service

      Select the protocol and port range that this rule applies to by selecting a firewall service configuration under System > Firewall > Firewall Service.
      Action

      Select the action FortiWeb takes for traffic that matches this rule:

      • Deny—Firewall blocks matching traffic. Administrative access is still allowed on network interfaces for which it has been configured.
      • Accept—Firewall allows matching traffic.
    14. Click OK.
    15. Add any additional rules that you require, and then click Apply.
    To configure a firewall SNAT policy
    1. Go to System > Firewall and select the Firewall SNAT Policy tab.

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

    2. Click Create New.
    3. Configure these settings:

      Name

      Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

      Source

      Enter the IP address and subnet mask to match the source IP address in the packet header that you want to translate. An example Source is 192.0.2.0/24. The IP address must be an IPv4 address.

      Destination

      Enter the IP address and subnet mask to match the destination IP address in the packet header. An example Destination is 192.0.2.1/24. The IP address must be an IPv4 address.

      Egress interface

      Select the interface that FortiWeb will use to forward traffic that matches the Source.

      Translation Type

      Select one of the following:

      • IP Address—Select to translate the Source to an IP address that you specify. To specify an IP address, configure Translation to IP Address.

      • Pool—Select to translate the Source to the next available IP address in an IP address pool that you specify. To specify an IP address pool, configure both Pool Address Range and To.

      Translation to IP Address

      Enter the IP address that you want to translate the Source to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.

      This option is available only when the Translation Type is set to IP Address.

      Pool Address Range

      Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.

      This option is available only when the Translation Type is set to Pool.

      To

      Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.

      This option is available only when the Translation Type is set to Pool.
    4. Click OK.
    5. FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. To check whether IP forwarding is enabled, enter this command in the CLI:

      6. get router setting

      If ip-forward is set to enable, IP forwarding is enabled, and FortiWeb is applying the firewall SNAT policy.

      If ip-forward is set to disable, IP forwarding isn't enabled, and FortiWeb isn't applying the firewall SNAT policy. To enable IP forwarding, enter these commands in the CLI:

      config router setting

      set ip-forward enable

      end

      For details about these CLI commands, see the FortiWeb CLI Reference:

      https://docs.fortinet.com/fortigate/reference

    Previous
    Next

    Configuring the integrated firewall

    Configuring the integrated firewall

    You can add basic stateful firewall functionality when FortiWeb is in Reverse Proxy, True Transparent Proxy, and Transparent Inspection modes. The firewall monitors TCP, UDP, and ICMP traffic and determines which packets to allow. For details, see To configure the stateful firewall.

    You can also configure firewall SNAT policies that translate a matching source IP address to a single IP address or an IP address in an address pool. Firewall SNAT policies are available in Reverse Proxy, True Transparent Proxy, and Transparent Inspection operating modes. FortiWeb supports modifying the firewall configurations even if the license is expired. For details, see To configure a firewall SNAT policy.

    By default, the value of the system firewall policy Default Action setting is Accept. This allows any traffic that does not match a firewall policy rule to access the FortiWeb network interfaces.

    When the firewall policy Default Action setting is Deny and the policy has no rules, FortiWeb only allows administrative access to ports. For example, the firewall prevents requests that do no match a rule from reaching virtual servers.

    FortiWeb by default allows the connections from itself to the DNS server, even though the Default Action is Deny.
    To configure the stateful firewall
    1. Go to System > Firewall and select the Firewall Address tab.

      2. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configurationcategory. For details, see Permissions.

    2. Click Create New.
    3. Configure these settings:
      Name Enter a name that identifies the firewall address.
      Type

      Select how this configuration specifies a firewall address or addresses:

      • IP/IP Range—A single IP or a range of IP addresses.
      • IP/Netmask—A single IP address and netmask.
      IP/Netmask

      or

      IP/IP Range

      Enter one of the following:

      • If Type is IP/Netmask, an IPv4 address and subnet mask, separated by a forward slash ( / ). For example, 192.0.2.2/24.
      • If Type is IP/IP Range, a single IP address or a range of addresses. For example, 172.22.14.1, or 172.22.14.1-172.22.14.256.
    4. Click OK.
    5. Add any additional firewall addresses you require.
    6. Go to System > Firewall and select the Firewall Service tab.

      7. To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

    7. Click Create New.
    8. Configure these settings:
      Name Enter a name that identifies the firewall service.
      Protocol

      Select the protocol that this firewall service inspects: TCP, UDP, or ICMP.
      Minimum Source Port

      Select the start port in the range of source ports for this firewall service.

      The default value is 0.

      Not available if Protocol is IMCP.
      Maximum Source Port Select the end port in the range of source ports for this firewall service.

      The default value is 65535.

      Not available if Protocol is IMCP.
      Minimum Destination Port

      Select the start port in the range of destination ports for this firewall service.

      The default value is 0.

      Not available if Protocol is IMCP.
      Maximum Destination Port Select the end port in the range of destination ports for this firewall service.

      The default value is 65535.

      Not available if Protocol is IMCP.
    9. Add any additional firewall services you require.
    10. Go to System > Firewall and select the Firewall Policy tab.

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

    11. For Default Action, select one of the following:
      • Deny—Firewall blocks traffic that does not match a policy rule. However, administrative access is still allowed on network interfaces for which it has been configured.
      • Accept—Firewall allows traffic that does not match a policy rule.
    12. To add a policy rule, click Create New.
    13. Configure these settings:
      V-zone Enable

      Select to enable a V-zone (bridge). If this option is enabled, select a V-zone below. V-zones allow network connections to travel through FortiWeb's physical network ports without explicitly connecting to one of its IP addresses.

      This option is available only when the operation mode is True Transparent Proxy or Transparent Inspection mode.
      V-zone Select a configured V-zone. For details, see Configuring a bridge (V-zone)
      Ingress Interface Specify incoming traffic that this rule applies to by selecting a network interface.
      Egress Interface

      Specify outgoing traffic that this rule applies to by selecting a network interface.

      Source

      Specify the source address of traffic that this rule applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Address.
      Destination Specify the destination address of traffic that this rules applies to by selecting an address from the firewall addresses you configured earlier under System > Firewall > Firewall Address.
      Service

      Select the protocol and port range that this rule applies to by selecting a firewall service configuration under System > Firewall > Firewall Service.
      Action

      Select the action FortiWeb takes for traffic that matches this rule:

      • Deny—Firewall blocks matching traffic. Administrative access is still allowed on network interfaces for which it has been configured.
      • Accept—Firewall allows matching traffic.
    14. Click OK.
    15. Add any additional rules that you require, and then click Apply.
    To configure a firewall SNAT policy
    1. Go to System > Firewall and select the Firewall SNAT Policy tab.

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

    2. Click Create New.
    3. Configure these settings:

      Name

      Enter a name that identifies the firewall SNAT policy. Don't use spaces or special characters. The maximum length is 63 characters.

      Source

      Enter the IP address and subnet mask to match the source IP address in the packet header that you want to translate. An example Source is 192.0.2.0/24. The IP address must be an IPv4 address.

      Destination

      Enter the IP address and subnet mask to match the destination IP address in the packet header. An example Destination is 192.0.2.1/24. The IP address must be an IPv4 address.

      Egress interface

      Select the interface that FortiWeb will use to forward traffic that matches the Source.

      Translation Type

      Select one of the following:

      • IP Address—Select to translate the Source to an IP address that you specify. To specify an IP address, configure Translation to IP Address.

      • Pool—Select to translate the Source to the next available IP address in an IP address pool that you specify. To specify an IP address pool, configure both Pool Address Range and To.

      Translation to IP Address

      Enter the IP address that you want to translate the Source to. An example IP address is 192.0.2.2. The IP address must be an IPv4 address.

      This option is available only when the Translation Type is set to IP Address.

      Pool Address Range

      Enter the first IP address in the SNAT pool. An example IP address is 192.0.2.3. The IP address must be an IPv4 address.

      This option is available only when the Translation Type is set to Pool.

      To

      Enter the last IP address in the SNAT pool. An example IP address is 192.0.2.4. The IP address must be an IPv4 address.

      This option is available only when the Translation Type is set to Pool.
    4. Click OK.
    5. FortiWeb applies a firewall SNAT policy only if IP forwarding is enabled. To check whether IP forwarding is enabled, enter this command in the CLI:

      6. get router setting

      If ip-forward is set to enable, IP forwarding is enabled, and FortiWeb is applying the firewall SNAT policy.

      If ip-forward is set to disable, IP forwarding isn't enabled, and FortiWeb isn't applying the firewall SNAT policy. To enable IP forwarding, enter these commands in the CLI:

      config router setting

      set ip-forward enable

      end

      For details about these CLI commands, see the FortiWeb CLI Reference:

      https://docs.fortinet.com/fortigate/reference

    Previous
    Next