Fortinet white logo
Fortinet white logo

CLI Reference

system settings

system settings

Use this command to configure the operation mode and gateway of the FortiWeb appliance.

You will usually set the operation mode once, during installation. Exceptions include if you install the FortiWeb appliance in Offline Protection mode for evaluation purposes, before deciding to switch to another mode for more feature support in a permanent deployment.

Back up your configuration before changing the operation mode. Changing modes deletes any policies not applicable to the new mode, TCP SYN flood protection settings, all static routes, all V-zone (bridge) IPs, and all VLANs. You must re-cable your network topology to suit the operation mode, unless you are switching between the two transparent modes, which have similar network topology requirements.

The physical topology must match the operation mode. You may need to re-cable your deployment after changing this setting. For details, see the FortiWeb Installation Guide.

There are four operation modes:

  • Reverse proxy—Requests are destined for a virtual server’s network interface and IP address on the FortiWeb appliance. The FortiWeb appliance applies the first applicable policy, then forwards permitted traffic to a real web server. The FortiWeb appliance logs, blocks, or modifies violations according to the matching policy and its protection profile. Most features are supported.

  • Offline Protection — Requests are destined for a real web server instead of the FortiWeb appliance; traffic is duplicated to the FortiWeb through a span port. The FortiWeb appliance monitors traffic received on the virtual server’s network interface (regardless of the IP address) and applies the first applicable policy. Because it is not inline with the destination, it does not forward permitted traffic. The FortiWeb appliance logs or blocks violations according to the matching policy and its protection profile. If FortiWeb detects a malicious request, it sends a TCP RST (reset) packet to the web server and client to attempt to terminate the connection. It does not otherwise modify traffic. (It cannot, for example, apply SSL, load-balance connections, or support user authentication.)

    Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than Alertcannot be guaranteed to be successful in Offline Protection mode. The FortiWeb appliance will attempt to block traffic that violates the policy by mimicking the client or server and requesting to reset the connection. However, the client or server may receive the reset request after it receives the other traffic due to possible differences in routing paths.

    Most organizations do not permanently deploy their FortiWeb appliances in Offline Protection mode. Instead, they will use Offline Protection as a way to learn about their web servers’ protection requirements and to form some of the appropriate configuration during a transition period, after which they will switch to one of the operation modes that places the appliance inline between all clients and all web servers.

    Switching out of Offline Protection mode when you are done with transition can prevent bypass problems that can arise as a result of misconfigured routing. It also offers you the ability to offer some protection features that cannot be supported in a span port topology used with offline detection.

  • True transparent proxy — Requests are destined for a real web server instead of the FortiWeb appliance. The FortiWeb appliance transparently proxies the traffic arriving on a network port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs, blocks, or modifies violations according to the matching policy and its protection profile. No changes to the IP address scheme of the network are required. This mode supports user authentication via HTTP but not HTTPS.

  • Transparent Inspection — Requests are destined for a real web server instead of the FortiWeb appliance. The FortiWeb appliance asynchronously inspects traffic arriving on a network port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It cannot, for example, apply SSL, load-balance connections, or support user authentication.

Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than Alertcannot be guaranteed to be successful in Transparent Inspection mode. The FortiWeb appliance will attempt to block traffic that violates the policy. However, due to the nature of asynchronous inspection, the client or server may have already received the traffic that violated the policy.

The default operation mode is Reverse Proxy.

Feature support varies by operation mode. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

You can use SNMP traps to notify you if the operation mode changes. For details, see system snmp community.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system settings

set opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}

set gateway "<router_ipv4>"

set stop-guimonitor {enable | disable}

set enable-cache-flush {enable | disable}

set enable-debug-log {enable | disable}

set enable-machine-learning-debug {enable | disable}

set enable-file-upload {enable | disable}

end

Variable Description Default

opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}

Select the operation mode of the FortiWeb appliance.

If you have not yet adjusted the physical topology to suit the new operation mode, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

You may also need to reconfigure IP addresses, VLANs, static routes, bridges, policies, TCP SYN flood prevention, and virtual servers, and on your web servers, enable or disable SSL.

Note: If you select offline-protection, you can configure the port from which TCP RST (reset) commands are sent to block traffic that violates a policy. For details, see block-port <port_int>.

reverse-proxy

gateway "<router_ipv4>"

Type the IPv4 address of the default gateway.

This setting is visible only if opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp} is either True Transparent Proxy, Transparent Inspection, or WCCP.

FortiWeb will use the gateway setting to create a corresponding static route under router static with the first available index number. Packets will egress through port1 or mgmt1, the hard-coded management network interface for the transparent operation modes.

none

stop-guimonitor {enable | disable}

Enable to configure FortiWeb to stop checking whether the process that generates the web UI (HTTPSd) is defunct.

In some cases, a process that has completed execution can still have an entry in the process table, which can create a resource leak.

When this setting is disabled, FortiWeb checks the process and stops and reloads the web UI if it determines that the process is defunct.

enable

enable-cache-flush {enable | disable}

Enable to configure FortiWeb to clear its cache memory every 45 minutes and generate an event log message for the action. enable

enable-debug-log {enable | disable}

Enable so that FortiWeb will record crash, daemon, kernel, netstat, and core dump logs.

enable

enable-machine-learning-debug {enable | disable}

Enable so that FortiWeb will record machine learning debug.

enable

enable-file-upload {enable | disable}

Enable to upload the debugging file. disable

Related topics

system settings

system settings

Use this command to configure the operation mode and gateway of the FortiWeb appliance.

You will usually set the operation mode once, during installation. Exceptions include if you install the FortiWeb appliance in Offline Protection mode for evaluation purposes, before deciding to switch to another mode for more feature support in a permanent deployment.

Back up your configuration before changing the operation mode. Changing modes deletes any policies not applicable to the new mode, TCP SYN flood protection settings, all static routes, all V-zone (bridge) IPs, and all VLANs. You must re-cable your network topology to suit the operation mode, unless you are switching between the two transparent modes, which have similar network topology requirements.

The physical topology must match the operation mode. You may need to re-cable your deployment after changing this setting. For details, see the FortiWeb Installation Guide.

There are four operation modes:

  • Reverse proxy—Requests are destined for a virtual server’s network interface and IP address on the FortiWeb appliance. The FortiWeb appliance applies the first applicable policy, then forwards permitted traffic to a real web server. The FortiWeb appliance logs, blocks, or modifies violations according to the matching policy and its protection profile. Most features are supported.

  • Offline Protection — Requests are destined for a real web server instead of the FortiWeb appliance; traffic is duplicated to the FortiWeb through a span port. The FortiWeb appliance monitors traffic received on the virtual server’s network interface (regardless of the IP address) and applies the first applicable policy. Because it is not inline with the destination, it does not forward permitted traffic. The FortiWeb appliance logs or blocks violations according to the matching policy and its protection profile. If FortiWeb detects a malicious request, it sends a TCP RST (reset) packet to the web server and client to attempt to terminate the connection. It does not otherwise modify traffic. (It cannot, for example, apply SSL, load-balance connections, or support user authentication.)

    Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than Alertcannot be guaranteed to be successful in Offline Protection mode. The FortiWeb appliance will attempt to block traffic that violates the policy by mimicking the client or server and requesting to reset the connection. However, the client or server may receive the reset request after it receives the other traffic due to possible differences in routing paths.

    Most organizations do not permanently deploy their FortiWeb appliances in Offline Protection mode. Instead, they will use Offline Protection as a way to learn about their web servers’ protection requirements and to form some of the appropriate configuration during a transition period, after which they will switch to one of the operation modes that places the appliance inline between all clients and all web servers.

    Switching out of Offline Protection mode when you are done with transition can prevent bypass problems that can arise as a result of misconfigured routing. It also offers you the ability to offer some protection features that cannot be supported in a span port topology used with offline detection.

  • True transparent proxy — Requests are destined for a real web server instead of the FortiWeb appliance. The FortiWeb appliance transparently proxies the traffic arriving on a network port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs, blocks, or modifies violations according to the matching policy and its protection profile. No changes to the IP address scheme of the network are required. This mode supports user authentication via HTTP but not HTTPS.

  • Transparent Inspection — Requests are destined for a real web server instead of the FortiWeb appliance. The FortiWeb appliance asynchronously inspects traffic arriving on a network port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It cannot, for example, apply SSL, load-balance connections, or support user authentication.

Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than Alertcannot be guaranteed to be successful in Transparent Inspection mode. The FortiWeb appliance will attempt to block traffic that violates the policy. However, due to the nature of asynchronous inspection, the client or server may have already received the traffic that violated the policy.

The default operation mode is Reverse Proxy.

Feature support varies by operation mode. For details, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

You can use SNMP traps to notify you if the operation mode changes. For details, see system snmp community.

To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For details, see Permissions.

Syntax

config system settings

set opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}

set gateway "<router_ipv4>"

set stop-guimonitor {enable | disable}

set enable-cache-flush {enable | disable}

set enable-debug-log {enable | disable}

set enable-machine-learning-debug {enable | disable}

set enable-file-upload {enable | disable}

end

Variable Description Default

opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp}

Select the operation mode of the FortiWeb appliance.

If you have not yet adjusted the physical topology to suit the new operation mode, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

You may also need to reconfigure IP addresses, VLANs, static routes, bridges, policies, TCP SYN flood prevention, and virtual servers, and on your web servers, enable or disable SSL.

Note: If you select offline-protection, you can configure the port from which TCP RST (reset) commands are sent to block traffic that violates a policy. For details, see block-port <port_int>.

reverse-proxy

gateway "<router_ipv4>"

Type the IPv4 address of the default gateway.

This setting is visible only if opmode {offline-protection | reverse-proxy | transparent | transparent-inspection | wccp} is either True Transparent Proxy, Transparent Inspection, or WCCP.

FortiWeb will use the gateway setting to create a corresponding static route under router static with the first available index number. Packets will egress through port1 or mgmt1, the hard-coded management network interface for the transparent operation modes.

none

stop-guimonitor {enable | disable}

Enable to configure FortiWeb to stop checking whether the process that generates the web UI (HTTPSd) is defunct.

In some cases, a process that has completed execution can still have an entry in the process table, which can create a resource leak.

When this setting is disabled, FortiWeb checks the process and stops and reloads the web UI if it determines that the process is defunct.

enable

enable-cache-flush {enable | disable}

Enable to configure FortiWeb to clear its cache memory every 45 minutes and generate an event log message for the action. enable

enable-debug-log {enable | disable}

Enable so that FortiWeb will record crash, daemon, kernel, netstat, and core dump logs.

enable

enable-machine-learning-debug {enable | disable}

Enable so that FortiWeb will record machine learning debug.

enable

enable-file-upload {enable | disable}

Enable to upload the debugging file. disable

Related topics