config : system settings
 
system settings
Use this command to configure the operation mode and gateway of the FortiWeb appliance.
You will usually set the operation mode once, during installation. One exception is installing the FortiWeb appliance in offline protection mode for evaluation purposes, before switching to another mode with more feature support for a permanent deployment.
 
Back up your configuration before changing the operation mode. Changing modes deletes any policies not applicable to the new mode, TCP SYN flood protection settings, all static routes, all V-zone (bridge) IPs, and all VLANs. You must re-cable your network topology to suit the operation mode, unless you are switching between the two transparent modes, which have similar network topology requirements.
 
The physical topology must match the operation mode. You may need to re-cable your deployment after changing this setting. For details, see the FortiWeb Installation Guide.
There are four operation modes:
Reverse proxy — Requests are destined for a virtual server’s network interface and IP address on the FortiWeb appliance. The FortiWeb appliance applies the first applicable policy, then forwards permitted traffic to a real web server. The FortiWeb appliance logs, blocks, or modifies violations according to the matching policy and its protection profile. Most features are supported.
Offline protection — Requests are destined for a real web server instead of the FortiWeb appliance; traffic is duplicated to the FortiWeb through a span port. The FortiWeb appliance monitors traffic received on the virtual server’s network interface (regardless of the IP address) and applies the first applicable policy. Because it is not inline with the destination, it does not forward permitted traffic. The FortiWeb appliance logs or blocks violations according to the matching policy and its protection profile. If FortiWeb detects a malicious request, it sends a TCP RST (reset) packet to the web server and client to attempt to terminate the connection. It does not otherwise modify traffic. (It cannot, for example, apply SSL, load-balance connections, or support user authentication.)
 
Unlike in reverse proxy mode or true transparent proxy mode, actions other than Alert cannot be guaranteed to be successful in offline protection mode. The FortiWeb appliance will attempt to block traffic that violates the policy by mimicking the client or server and requesting to reset the connection. However, the client or server may receive the reset request after it receives the other traffic due to possible differences in routing paths.
 
Most organizations do not permanently deploy their FortiWeb appliances in offline protection mode. Instead, they will use offline protection as a way to learn about their web servers’ protection requirements and to form some of the appropriate configuration during a transition period, after which they will switch to one of the operation modes that places the appliance inline between all clients and all web servers.
Switching out of offline protection mode once the transition is complete prevents the bypass problems that can arise from misconfigured routing. It also lets you use protection features that cannot be supported in the span port topology used with offline protection.
True transparent proxy — Requests are destined for a real web server instead of the FortiWeb appliance. The FortiWeb appliance transparently proxies the traffic arriving on a network port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs, blocks, or modifies violations according to the matching policy and its protection profile. No changes to the IP address scheme of the network are required. This mode supports user authentication via HTTP but not HTTPS.
Transparent inspection — Requests are destined for a real web server instead of the FortiWeb appliance. The FortiWeb appliance asynchronously inspects traffic arriving on a network port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. The FortiWeb appliance logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It cannot, for example, apply SSL, load-balance connections, or support user authentication.)
 
Unlike in reverse proxy mode or true transparent proxy mode, actions other than Alert cannot be guaranteed to be successful in transparent inspection mode. The FortiWeb appliance will attempt to block traffic that violates the policy. However, due to the nature of asynchronous inspection, the client or server may have already received the traffic that violated the policy.
The default operation mode is reverse proxy.
Feature support varies by operation mode. For details, see the FortiWeb Administration Guide.
You can use SNMP traps to notify you if the operation mode changes. For details, see “system snmp community” on page 217.
To use this command, your administrator account’s access control profile must have either w or rw permission to the sysgrp area. For more information, see “Permissions” on page 46.
Syntax
config system settings
  set opmode {offline-protection | reverse-proxy | transparent | transparent-inspection}
  set stop-monitor {enable | disable}
  set gateway <router_ipv4>
end
Variable: opmode {offline-protection | reverse-proxy | transparent | transparent-inspection}
Description: Select the operation mode of the FortiWeb appliance.
  If you have not yet adjusted the physical topology to suit the new operation mode, see the FortiWeb Administration Guide. You may also need to reconfigure IP addresses, VLANs, static routes, bridges, policies, TCP SYN flood prevention, and virtual servers, and on your web servers, enable or disable SSL.
  Note: If you select offline-protection, you can configure the port from which TCP RST (reset) commands are sent to block traffic that violates a policy. For details, see block-port <port_int>.
Default: reverse-proxy

Variable: gateway <router_ipv4>
Description: Type the IP address of the default gateway.
  This setting is visible only if opmode is either transparent or transparent-inspection. FortiWeb will use the gateway setting to create a corresponding static route under router static with the first available index number. Packets will egress through port1, the hard-coded management network interface for the transparent operation modes.
Default: none

Variable: stop-monitor {enable | disable}
Description: Enable to stop the physical or domain server health check daemon (also called a “watchdog” daemon).
  The watchdog daemon monitors all the active policies by sending either HTTP or HTTPS requests to servers every 5 seconds. If the watchdog daemon fails to get a successful response from the server 3 consecutive times (a total of 15 seconds), it will restart the corresponding policy and create a debug log entry.
  Disable to resume the watchdog daemon.
  Tip: Enable this option if a server is experiencing extended downtime, or if its IP address or port number configuration is incorrect. The watchdog daemon will detect a traffic disruption and restart the policy if:
    - a policy only forwards to one server (i.e., the policy uses either a single server, or a server farm that contains only one server), and
    - that server is unreachable.
  In the case of extended downtime, enabling this option can improve performance by disabling availability checks and policy restarts that would otherwise consume FortiWeb resources.
  Note: The watchdog daemon is available only in reverse proxy mode.
  Note: To create debug log entries, you must first enable debug logging. See “debug” on page 423.
Default: disable
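As an added illustration (not FortiWeb code), the following Python model replays constructed health-check outcomes through the watchdog restart rule described above (a probe every 5 seconds, a restart after 3 consecutive failures) and shows what stop-monitor suppresses. Resetting the failure counter after a restart and the debug log wording are assumptions, not behaviour the reference states.

```python
# Added example (not FortiWeb code): a model of the watchdog daemon's restart
# rule as the reference describes it, to reason about stop-monitor's effect.
from dataclasses import dataclass, field

CHECK_INTERVAL_S = 5      # the watchdog probes each policy's server every 5 seconds
FAILURE_THRESHOLD = 3     # 3 consecutive failures (15 seconds) trigger a restart


@dataclass
class PolicyWatchdog:
    policy_name: str
    stop_monitor: bool = False            # mirrors "set stop-monitor enable"
    consecutive_failures: int = 0
    restarts: int = 0
    debug_log: list = field(default_factory=list)

    def observe(self, probe_ok: bool, t: int) -> bool:
        """Feed one health-check result taken at time t (seconds).

        Returns True if the watchdog restarted the policy on this probe."""
        if self.stop_monitor:
            # Monitoring is suspended: no counting, no restarts, no log entries.
            return False
        if probe_ok:
            # Any success breaks the run; only *consecutive* failures count.
            self.consecutive_failures = 0
            return False
        self.consecutive_failures += 1
        if self.consecutive_failures < FAILURE_THRESHOLD:
            return False
        # Third failure in a row: restart the policy and log it.
        # Assumption: the counter starts afresh after a restart.
        self.restarts += 1
        self.consecutive_failures = 0
        self.debug_log.append(
            f"t={t}s policy={self.policy_name} restarted after "
            f"{FAILURE_THRESHOLD} failed checks ({FAILURE_THRESHOLD * CHECK_INTERVAL_S}s)")
        return True


def run_probes(results, stop_monitor=False, name="policy1"):
    """Replay a constructed sequence of probe outcomes; return the watchdog state."""
    wd = PolicyWatchdog(name, stop_monitor=stop_monitor)
    for i, ok in enumerate(results):
        wd.observe(ok, t=i * CHECK_INTERVAL_S)
    return wd


if __name__ == "__main__":
    # Constructed inputs: a flapping server never fails 3 times in a row; a dead one does.
    flapping = [False, False, True, False, False, True]
    dead = [False] * 7
    print(run_probes(flapping).restarts)                  # 0
    print(run_probes(dead).restarts)                      # 2 (at 10s and 25s)
    print(run_probes(dead, stop_monitor=True).restarts)   # 0
```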
Related topics
server-policy policy
server-policy vserver