Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Setting the operation mode

Once the FortiWeb appliance is mounted and powered on, you have physically connected the FortiWeb appliance to your overall network, and you have connected to either the FortiWeb appliance’s web UI or CLI, you must configure the operation mode.

You will usually set the operation mode once when setting up FortiWeb. Exceptions include if you install the FortiWeb appliance in Offline Protection mode for evaluation or transition purposes, before deciding to switch to another mode for more feature support in a permanent deployment. See also Switching out of Offline Protection mode.

The physical topology must match the operation mode. For details, see Planning the network topology and How to choose the operation mode.

FortiWeb models that use Data Plane Development Kit (DPDK) for packet processing (for example, models 3000E, 3010E and 4000E) reboot automatically when you change the operation mode to or from Offline Protection.

To configure the operation mode via the web UI
Back up your configuration before changing the operation mode. For details, see Backup & restore. Changing modes deletes any policies not applicable to the new mode, all static routes, V-zone IPs, TCP SYN flood protection settings, and VLANs. You also must re-cable your network topology to suit the operation mode, unless you are switching between the two transparent modes, which have similar network topology requirements.
  1. Go to System > Config > Operation.
  2. Alternatively, go to System > Status > Status. In the System Information widget, next to Operation Mode, click Change.

    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

  3. From Operation Mode, select one of the following modes:
  • Reverse Proxy
  • Offline Protection
  • True Transparent Proxy
  • Transparent Inspection
  • WCCP

For details, see How to choose the operation mode.

If you are selecting True Transparent Proxy, Transparent Inspection mode, or WCCP, configure the following:

Management IP—Specify the IP address to access the web UI. FortiWeb assigns this management IP address to port1.

Default Gateway—Set to the IP address of the next hop router.

  • Click Apply.
  • If you have not yet adjusted the physical topology to suit the new operation mode, see Planning the network topology. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers, and enable or disable SSL on your web servers.
  • To configure the operation mode via the CLI
    Back up your configuration before changing the operation mode. For details, see Backup & restore. Changing modes deletes any policies not applicable to the new mode, all static routes, V-zone IPs, and VLANs. You may also need to re-cable your network topology to suit the operation mode. Exceptions may include switching between the two transparent modes, which have similar network topology requirements.
    1. Enter the following commands:
    2. config system settings

      set opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}

      end

      where {offline-protection | reverse-proxy | transparent | transparent-inspection| wccp} specifies the operation mode.

    3. If you are changing to True Transparent Proxy, Transparent Inspection, or WCCP mode, also enter the following commands:
    4. config system settings

      set gateway <gateway_ipv4>

      end

      where <gateway_ipv4> is the IP address of the gateway router. For details, see Adding a gateway.

      FortiWeb will use the gateway setting to create a corresponding static route under config router static with the first available index number. Packets will egress through port1, the hard-coded management network interface for the transparent and WCCP operation modes.

    5. If you have not yet adjusted the physical topology to suit the new operation mode, see Planning the network topology. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers, and enable or disable SSL/TLS on your web servers.
    See also

    Setting the operation mode

    Once the FortiWeb appliance is mounted and powered on, you have physically connected the FortiWeb appliance to your overall network, and you have connected to either the FortiWeb appliance’s web UI or CLI, you must configure the operation mode.

    You will usually set the operation mode once when setting up FortiWeb. Exceptions include if you install the FortiWeb appliance in Offline Protection mode for evaluation or transition purposes, before deciding to switch to another mode for more feature support in a permanent deployment. See also Switching out of Offline Protection mode.

    The physical topology must match the operation mode. For details, see Planning the network topology and How to choose the operation mode.

    FortiWeb models that use Data Plane Development Kit (DPDK) for packet processing (for example, models 3000E, 3010E and 4000E) reboot automatically when you change the operation mode to or from Offline Protection.

    To configure the operation mode via the web UI
    Back up your configuration before changing the operation mode. For details, see Backup & restore. Changing modes deletes any policies not applicable to the new mode, all static routes, V-zone IPs, TCP SYN flood protection settings, and VLANs. You also must re-cable your network topology to suit the operation mode, unless you are switching between the two transparent modes, which have similar network topology requirements.
    1. Go to System > Config > Operation.
    2. Alternatively, go to System > Status > Status. In the System Information widget, next to Operation Mode, click Change.

      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.

    3. From Operation Mode, select one of the following modes:
    • Reverse Proxy
    • Offline Protection
    • True Transparent Proxy
    • Transparent Inspection
    • WCCP

    For details, see How to choose the operation mode.

    If you are selecting True Transparent Proxy, Transparent Inspection mode, or WCCP, configure the following:

    Management IP—Specify the IP address to access the web UI. FortiWeb assigns this management IP address to port1.

    Default Gateway—Set to the IP address of the next hop router.

  • Click Apply.
  • If you have not yet adjusted the physical topology to suit the new operation mode, see Planning the network topology. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers, and enable or disable SSL on your web servers.
  • To configure the operation mode via the CLI
    Back up your configuration before changing the operation mode. For details, see Backup & restore. Changing modes deletes any policies not applicable to the new mode, all static routes, V-zone IPs, and VLANs. You may also need to re-cable your network topology to suit the operation mode. Exceptions may include switching between the two transparent modes, which have similar network topology requirements.
    1. Enter the following commands:
    2. config system settings

      set opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}

      end

      where {offline-protection | reverse-proxy | transparent | transparent-inspection| wccp} specifies the operation mode.

    3. If you are changing to True Transparent Proxy, Transparent Inspection, or WCCP mode, also enter the following commands:
    4. config system settings

      set gateway <gateway_ipv4>

      end

      where <gateway_ipv4> is the IP address of the gateway router. For details, see Adding a gateway.

      FortiWeb will use the gateway setting to create a corresponding static route under config router static with the first available index number. Packets will egress through port1, the hard-coded management network interface for the transparent and WCCP operation modes.

    5. If you have not yet adjusted the physical topology to suit the new operation mode, see Planning the network topology. You may also need to reconfigure IP addresses, static routes, bridges, and virtual servers, and enable or disable SSL/TLS on your web servers.
    See also