Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.2
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 8.0.2 Administration Guide
    8.0.2
    8.0.4
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Benefits and limitations of the transparent modes

    Benefits and limitations of the transparent modes

    Key benefits

    • No Network Changes: Works with existing IP/DNS configurations.

    • Client IP Preservation: Back-end servers see the original client IP (no NAT).

    • Fail-to-Wire: Traffic bypasses FortiWeb during power failures (ensures uptime). See Fail-to-wire for power loss/reboots

    Limitations

    FortiWeb does not support the following features in TTP and TI modes:

    • Features that require Layer 3 (IP layer) control, such as load balancing, HTTP Content Routing

      Transparent modes operate at Layer 2 (Data Link Layer), where FortiWeb acts as a "bump on the wire" (layer 2 bridge) and forwards traffic based on MAC addresses. This limits features that require Layer 3 (IP layer) control, such as round-robin load balancing based on IP/port (part of the back-end server pool configurations in FortiWeb).

    • No SSL/TLS offloading

      • What is SSL/TLS offloading?

        SSL/TLS offloading means that FortiWeb functions as an SSL proxy. It terminates the HTTPS connection from the client and presents a server certificate to prove authority for your application domain.

        After inspecting the decrypted traffic, FortiWeb initiates a new connection to the back-end server, which can be either encrypted (HTTPS) or unencrypted (HTTP), depending on the configured settings between FortiWeb and the server. This back-end connection setup is entirely independent of the front-end connection.

      • Is SSL/TLS offloading supported in TTP and TI modes?

        In TTP and TI modes, FortiWeb does not perform SSL/TLS offloading. Instead:

        • The web server terminates the SSL/TLS connection using its own certificate.

        • FortiWeb does not present any certificate to the client, as it does not act as the endpoint of the SSL/TLS connection.

        • You do not need to upload your CA-signed certificate to FortiWeb, as is required in Reverse Proxy mode. Instead, the CA-signed certificate remains solely on your web server.

        • FortiWeb uses its own internal or default certificate only for decrypting SSL traffic to screen out attacks, not for authentication with the client.

    Previous
    Next

    Benefits and limitations of the transparent modes

    Benefits and limitations of the transparent modes

    Key benefits

    • No Network Changes: Works with existing IP/DNS configurations.

    • Client IP Preservation: Back-end servers see the original client IP (no NAT).

    • Fail-to-Wire: Traffic bypasses FortiWeb during power failures (ensures uptime). See Fail-to-wire for power loss/reboots

    Limitations

    FortiWeb does not support the following features in TTP and TI modes:

    • Features that require Layer 3 (IP layer) control, such as load balancing, HTTP Content Routing

      Transparent modes operate at Layer 2 (Data Link Layer), where FortiWeb acts as a "bump on the wire" (layer 2 bridge) and forwards traffic based on MAC addresses. This limits features that require Layer 3 (IP layer) control, such as round-robin load balancing based on IP/port (part of the back-end server pool configurations in FortiWeb).

    • No SSL/TLS offloading

      • What is SSL/TLS offloading?

        SSL/TLS offloading means that FortiWeb functions as an SSL proxy. It terminates the HTTPS connection from the client and presents a server certificate to prove authority for your application domain.

        After inspecting the decrypted traffic, FortiWeb initiates a new connection to the back-end server, which can be either encrypted (HTTPS) or unencrypted (HTTP), depending on the configured settings between FortiWeb and the server. This back-end connection setup is entirely independent of the front-end connection.

      • Is SSL/TLS offloading supported in TTP and TI modes?

        In TTP and TI modes, FortiWeb does not perform SSL/TLS offloading. Instead:

        • The web server terminates the SSL/TLS connection using its own certificate.

        • FortiWeb does not present any certificate to the client, as it does not act as the endpoint of the SSL/TLS connection.

        • You do not need to upload your CA-signed certificate to FortiWeb, as is required in Reverse Proxy mode. Instead, the CA-signed certificate remains solely on your web server.

        • FortiWeb uses its own internal or default certificate only for decrypting SSL traffic to screen out attacks, not for authentication with the client.

    Previous
    Next