Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 7.6.7 Administration Guide
    7.6.7
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Benefits and limitations of the WCCP modes

    Benefits and limitations of the WCCP modes

    Key benefits

    • Minimal Network Disruption

      • Clients and servers retain their original IP addresses. No need to reconfigure DNS or routing tables.

      • Operates out-of-path (one-arm topology), avoiding inline deployment complexities.

    • Scalability & High Availability

      • WCCP by nature supports multiple WCCP clients in a WCCP group, which enables distributing traffic across multiple FortiWeb appliances for horizontal scaling.

      • WCCP automatically reroutes traffic if a FortiWeb node fails.

    • Fail-to-Wire: Traffic bypasses FortiWeb during power failures (ensures uptime). See Fail-to-wire for power loss/reboots

    Limitations
    • No SSL/TLS offloading
      • What is SSL/TLS offloading

        SSL/TLS offloading means that FortiWeb functions as an SSL proxy. It terminates the HTTPS connection from the client and presents a server certificate to prove authority for your application domain.

        After inspecting the decrypted traffic, FortiWeb initiates a new connection to the back-end server, which can be either encrypted (HTTPS) or unencrypted (HTTP), depending on the configured settings between FortiWeb and the server. This back-end connection setup is entirely independent of the front-end connection.

      • Is SSL/TLS offloading supported in WCCP mode?

        In WCCP mode, FortiWeb does not perform SSL/TLS offloading. Instead:

        • The web server terminates the SSL/TLS connection using its own certificate.

        • FortiWeb does not present any certificate to the client, as it does not act as the endpoint of the SSL/TLS connection.

        • You do not need to upload your CA-signed certificate to FortiWeb, as is required in Reverse Proxy mode. Instead, the CA-signed certificate remains solely on your web server.

        • FortiWeb uses its own internal or default certificate only for decrypting SSL traffic to screen out attacks, not for authentication with the client.

    • Limited Protocol Support

      • HTTP/HTTPS Only: Non-web traffic (e.g., SSH, FTP) bypasses FortiWeb.

      • No UDP/WebSocket: WCCPv2 focuses on TCP-based HTTP/HTTPS.

    Previous
    Next

    Benefits and limitations of the WCCP modes

    Benefits and limitations of the WCCP modes

    Key benefits

    • Minimal Network Disruption

      • Clients and servers retain their original IP addresses. No need to reconfigure DNS or routing tables.

      • Operates out-of-path (one-arm topology), avoiding inline deployment complexities.

    • Scalability & High Availability

      • WCCP by nature supports multiple WCCP clients in a WCCP group, which enables distributing traffic across multiple FortiWeb appliances for horizontal scaling.

      • WCCP automatically reroutes traffic if a FortiWeb node fails.

    • Fail-to-Wire: Traffic bypasses FortiWeb during power failures (ensures uptime). See Fail-to-wire for power loss/reboots

    Limitations
    • No SSL/TLS offloading
      • What is SSL/TLS offloading

        SSL/TLS offloading means that FortiWeb functions as an SSL proxy. It terminates the HTTPS connection from the client and presents a server certificate to prove authority for your application domain.

        After inspecting the decrypted traffic, FortiWeb initiates a new connection to the back-end server, which can be either encrypted (HTTPS) or unencrypted (HTTP), depending on the configured settings between FortiWeb and the server. This back-end connection setup is entirely independent of the front-end connection.

      • Is SSL/TLS offloading supported in WCCP mode?

        In WCCP mode, FortiWeb does not perform SSL/TLS offloading. Instead:

        • The web server terminates the SSL/TLS connection using its own certificate.

        • FortiWeb does not present any certificate to the client, as it does not act as the endpoint of the SSL/TLS connection.

        • You do not need to upload your CA-signed certificate to FortiWeb, as is required in Reverse Proxy mode. Instead, the CA-signed certificate remains solely on your web server.

        • FortiWeb uses its own internal or default certificate only for decrypting SSL traffic to screen out attacks, not for authentication with the client.

    • Limited Protocol Support

      • HTTP/HTTPS Only: Non-web traffic (e.g., SSH, FTP) bypasses FortiWeb.

      • No UDP/WebSocket: WCCPv2 focuses on TCP-based HTTP/HTTPS.

    Previous
    Next