FortiGate / FortiOS

FortiManager

FortiAnalyzer

Administration Guide

Introduction
Product knowledge resource
- Documentation
- Videos
New Features in 8.0.x releases
- FortiAI
  - Analyze Individual Attack Logs with FortiAI (8.0.1)
  - FortiAI Integration (8.0.0)
- WAF features
- Server Policy
  - Replacement Message Support at HTTP Content Routing Policy Level (8.0.0)
  - Support for Lua Scripting with HTTP/3 (8.0.0)
- Application Delivery
- System
- Log, FortiView, and Debug
- High Availability
  - Manual HA Failover Trigger Support (8.0.0)
- Documentation enhancement
Key concepts
- Key Components of FortiWeb
- Sequence of scans
- FortiWeb's role and placement in network topology
- Operation modes
- High Availability (HA)
- Solutions for specific web attacks
- IPv6 support
- HTTP/2 support
- HTTP sessions & security
- FortiWeb high availability (HA)
- Administrative domains (ADOMs)
- How to use the web UI
- Shutdown
How to set up your FortiWeb
- Workflow
- Appliance vs. VMware
- Registering your FortiWeb
- Supported features in each operation mode
- Connecting to the web UI or CLI
- Updating the firmware
- Changing the “admin” account password
- Setting the system time & date
- Setting the operation mode
- Feature visibility
- Configuring High Availability (HA) basic settings
  - HA heartbeat & active node election
  - Synchronization
- Replicating the configuration without FortiWeb HA (external HA)
- Configuring the network settings
- Configuring DNS settings
- Configuring HA settings specifically for active-passive and standard active-active modes
- Configuring HA settings specifically for high volume active-active mode
- Defining your web servers & load balancers
  - Defining your protected/allowed HTTP “Host:” header names
  - Defining your web servers
  - Defining your proxies, clients, & X-headers
  - Defining your network services
  - Configuring virtual servers on your FortiWeb
  - Enabling or disabling traffic forwarding to your servers
- Configuring FortiWeb to receive traffic via WCCP
- Configuring basic policies
- Testing your installation
- Switching out of Offline Protection mode
FortiAI
- Enabling Administrator Access to FortiAI
- Using FortiAI
- FortiAI Tokens
- FortiAI Data Privacy
- FortiAI Example Tasks
Policies
- How operation mode affects server policy behavior
- Configuring the global object allow list
- Configuring the allow list at server policy level
- Configuring a protection profile for inline topologies
- Generating a protection profile using scanner reports
- Configuring a protection profile for an out-of-band topology or asynchronous mode of operation
- Configuring client management
- Configuring an HTTP server policy
- Configuring traffic mirror
- ADFS Proxy
- Configuring FTP security
Secure connections (SSL/TLS)
- Offloading vs. inspection
- Supported cipher suites & protocol versions
  - Supported cipher suites - for connections between FortiWeb and the clients
  - Supported cipher suites - for connection between FortiWeb and back-end servers
- CA certificates
- How to offload or inspect HTTPS
- Forcing clients to use HTTPS
- HTTP Public Key Pinning
- How to apply PKI client authentication (personal certificates)
- Seamless PKI integration
- Revoking certificates
- How to export/back up certificates & private keys
- How to change FortiWeb's default certificate
- OCSP-Based certificate revocation check
Users
- Authentication styles
- Offloading HTTP authentication and authorization
- Creating reCAPTCHA servers
Application delivery
- Rewriting & redirecting
- Compression
- Site Publishing (Single sign-on)
- Caching
  - What can be cached?
- Acceleration
- Scripting
- Waiting room
  - Customizing waiting room display page
Web protection
- Known Attacks
- Advanced protection
- Client Side Security
- Data Loss Prevention
- Input validation
- Protocol constraints
- Access control
  - Restricting access based on specific URLs
  - Specifying allowed HTTP methods
- ML Based Anomaly Detection
  - Viewing domain data
  - Viewing anomaly detection log
- Web Anti-Defacement
Zero Trust Network Access (ZTNA)
- Configuring FortiClient EMS Connector for ZTNA
- Verifying EMS CA certificate, ZTNA tag, and FortiClient endpoint synchronized from FortiClient EMS
- Configuring a ZTNA Profile
- Referencing ZTNA profile in a server policy
- ZTNA troubleshooting and debugging
Bot mitigation
- Configuring threshold based detection
- Configuring biometrics based detection
- Configuring bot deception
- Configuring known bots
- Configuring bot mitigation policy
- Configuring ML Based Bot Detection policy
  - Viewing bot detection model status
  - Viewing the bot detection violations
- Configuring Advanced Bot Protection policy
- Exception Policy
API Protection
- Configuring JSON protection
- Configuring XML protection
- Configuring GraphQL protection
  - Creating GraphQL protection rules
  - Creating GraphQL protection policy
- OpenAPI Validation
- Configuring mobile API protection
- API gateway
- Configuring ML Based API Protection policy
DoS protection
- DoS prevention
- Preventing slow and low attacks
- Exception Policy
IP Protection
- GEO IP - Blocklisting & whitelisting countries & regions
- IP List - Blocklisting & whitelisting clients using a source IP or source IP range
- IP Reputation - Blocklisting source IPs with poor reputation
- Creating IP groups
Tracking
- Compliance
Administrators
- Configuring access profiles
- Grouping remote authentication queries and certificates for administrators
- Changing an administrator’s password
- Configuring SSL certificate for the administrator access to FortiWeb GUI via HTTPS
- Certificate-based Web UI login
Advanced/optional system settings
- Changing the FortiWeb appliance’s host name
- Fail-to-wire for power loss/reboots
- Customizing error and authentication pages (replacement messages)
- Configuring machine-learning URL replacer policy
- Configuring the integrated firewall
  - Network address translation (NAT)
- Advanced settings
- Backup & restore
Dashboard
- Status dashboard
- Monitors
Log&Report
- Logging
- Alert email
- SNMP traps & queries
- Reports
- Debug log
- FortiGuard updates
- Analyzing attack logs in FortiWeb Cloud Threat Analytics
Security Fabric
- Fabric Connectors
  - FortiGSLB
  - Single Sign On (SSO)
    - FortiGate SSO
    - Single Sign On with Azure
- External connectors
- Automation
Ingress Controller
Security Operations Center-as-a-Service (SOCaaS)
Fine-tuning & best practices
- Hardening security
- Improving performance
- Improving fault tolerance
- Reducing false positives
- Regular backups
- Downloading logs in RAM before shutdown or reboot
Troubleshooting
- Introduction
- Troubleshooting outline
- Diagnosing server-policy connectivity issues
- Diagnosing system issues
- Diagnose software function issues
- Diagnose hardware issues
- System tools & diagnose commands
Appendix A: Port numbers
Appendix B: Maximum configuration values
Appendix C: FortiWeb-VM licenses
Appendix D: Supported RFCs, W3C, & IEEE standards
Appendix E: Regular expressions
Appendix F: How to purchase and renew FortiGuard licenses
Appendix G: Supported image versions for EOS models

Home FortiWeb 8.0.2 Administration Guide

8.0.2

Traffic flow of WCCP mode

WCCP mode redirects traffic at the network layer (Layer 3/4). Clients send requests directly to the application domain's IP address, while WCCP-enabled devices (e.g., firewalls, routers) intercept and transparently redirect these requests to FortiWeb. FortiWeb inspects the traffic and establishes a new session to forward the HTTP/HTTPS traffic to the web server. As a result, web servers log FortiWeb’s IP as the source IP.

Functionally, WCCP mode combines aspects of True Transparent Proxy (TTP) and Reverse Proxy (RP):

Front-end behavior (similar to TTP): Clients initiate traffic toward the back-end server’s IP address.
Back-end behavior (similar to RP): FortiWeb processes and forwards traffic using its own IP address when communicating with the back-end server.

Client request:
- A client accesses a web application via its domain (e.g., https://www.example.com, resolved to public IP 93.184.216.34).
- The traffic first reaches the WCCP-enabled firewall (acting as the WCCP server).
Firewall Redirection:
- The firewall intercepts HTTP/HTTPS traffic (e.g., port 80/443) and redirects it to FortiWeb (WCCP client) using:
  - GRE Tunnels (Layer 3 encapsulation)
    GRE (Generic Routing Encapsulation) is a tunneling protocol used to encapsulate one packet inside another. The firewall encapsulates the request, specify FortiWeb's IP address (WCCP Port's IP) as the destination of the encapsulated packet.
  - Instead of GRE, the firewall rewrites the MAC address in the packet header to redirect traffic to FortiWeb at Layer 2.
- Non-HTTP/HTTPS traffic (e.g., SSH, SMTP) bypasses FortiWeb and flows directly to the web server via the switch.
FortiWeb Processing:
- FortiWeb receives the GRE packet, decapsulates it, and inspects the traffic.
- If SSL inspection is enabled, it decrypts the traffic for analysis. At this point, FortiWeb sees the real client IP and web server destination IP.
- After processing, FortiWeb encrypts the traffic. It sends the packet as a new connection, with FortiWeb's IP address (192.0.2.1) as the source IP, and web server's IP (93.184.216.34) as the destination.
FortiWeb to Web Server:
- FortiWeb forwards the HTTP/HTTPS traffic to the web server.
- The web server sees FortiWeb’s IP (WCCP Port's IP) as the source address, not the client’s original IP.