Adding External Security Devices

External Security Devices

External Security Devices can be configured as a means to offload processes to other devices, such as a FortiWeb, FortiCache, or FortiMail. Example processes include HTTP inspection, web caching, and anti-spam.

Offloading HTTP traffic to FortiWeb

Use the following steps to offload HTTP traffic to FortiWeb to apply Web Application Firewall features to the traffic. Using these steps you can select the HTTP traffic to offload by adding a web application firewall profile configured for external inspection to selected firewall policies. Only the HTTP traffic accepted by those firewall policies is offloaded.

If you offload HTTP traffic to FortiWeb you can also apply other HTTP inspection to it from your FortiGate including virus scanning and web filtering.

A single FortiGate cannot offload HTTP traffic to both FortiCache and FortiWeb.

To offload HTTP traffic to FortiWeb:

  1. Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
  2. Go to System > Feature Select and turn on Web Application Firewall.
  3. Go to System > Cooperative Security Fabric, enable HTTP Service, select FortiWeb and add the IP addresses of your FortiWeb devices. You can also select Authentication and add a password if required.
  4. Go to Security Profiles > Web Application Firewall and add or edit a Web Application Firewall profile and set Inspection Device to External.
  5. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy, select Web Application Firewall, and select the profile that you set to use the external inspection device.

These steps add the following configuration to the CLI:

config system wccp
    set service-id 51
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiWeb)
    set group-address 0.0.0.0
    set server-list 5.5.5.25 255.255.255.255 (the IP address of the FortiWeb)
    set authentication enable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
    set password *
end

Offloading HTTP traffic to FortiCache

To offload Web Caching to FortiCache a FortiGate must support WAN Optimization and WAN Optimization must be enabled. For some FortiGate models you need to turn off disk logging to support WAN Optimization. See WAN Optimization in What's New for details.

Use the following steps to offload web caching to FortiCache. Using these steps you can select the web traffic to offload by selecting web caching in firewall policies. Only the web traffic accepted by those firewall policies will be offloaded.

A single FortiGate cannot offload HTTP traffic to both FortiCache and FortiWeb.

  1. Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
  2. Go to System > Advanced > Disk Settings and assign at least one disk to WAN Optimization.
  3. Go to System > Feature Select and turn on WAN Opt. & Cache.
  4. Go to System > Cooperative Security Fabric, enable HTTP Service, select FortiCache and add the IP addresses of your FortiCache devices. You can also select Authentication and add a password if required.
  5. Go to Policy & Objects > IPv4 Policy, add or edit a firewall policy and select Web Cache.

These steps add the following configuration to the CLI:

config system wccp
    set service-id 51
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiCache)
    set group-address 0.0.0.0
    set server-list 5.5.5.45 255.255.255.255 (the IP address of the FortiCache)
    set authentication enable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
    set password *
end

Offloading SMTP traffic to FortiMail

Use the following steps to offload SMTP traffic to FortiMail to apply FortiMail features to the traffic. Using these steps you can select the SMTP traffic to offload by adding an AntiSpam profile configured for external inspection to selected firewall policies. Only the SMTP traffic accepted by those firewall policies is offloaded.

To be able to offload Anti-Spam processing to a FortiMail device you should:

  1. Go to the System Information dashboard widget and make sure Inspection Mode is set to Proxy-based.
  2. Go to System > Feature Select and turn on Anti-Spam Filter.
  3. Go to System > Cooperative Security Fabric, enable SMTP Service - FortiMail and add the IP addresses of your FortiMail devices. You can also select Authentication and add a password if required.
  4. Go to Security Profiles > Anti-Spam and edit an Anti-Spam profile and set Inspection Device to External.
  5. Go to Policy & Objects > IPv4 Policy, add or edit a Firewall policy, enable Anti-Spam and select the profile for which you set Inspection Device to External.

These steps add the following configuration to the CLI:

config system wccp
    set service-id 52
    set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiMail)
    set group-address 0.0.0.0
    set server-list 5.5.5.65 255.255.255.255 (the IP address of the FortiMail)
    set authentication enable
    set forward-method GRE
    set return-method GRE
    set assignment-method HASH
    set password *
end
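The three CLI listings above differ only in service-id and server-list, so they lend themselves to a scripted check before the change goes live. The following Python is an added example, not part of this guide or of FortiOS: it parses config system wccp blocks in the flat layout shown above (stripping the parenthetical notes), and audits each block against the settings the procedures produce: the expected service-id per offload type (51 for FortiWeb and FortiCache, 52 for FortiMail), valid addresses, GRE forward and return methods, HASH assignment, and authentication enabled with a password. It also flags two blocks on the same service-id, which is the situation behind the note that one FortiGate cannot offload HTTP to both FortiCache and FortiWeb. The function names, the sample configuration text and the decision to treat authentication as required are this example's own assumptions; the guide itself describes authentication as optional.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# WCCP service-id each offload type uses, as given in the procedures above.
EXPECTED_SERVICE_ID = {"fortiweb": "51", "forticache": "51", "fortimail": "52"}

# Constructed sample in the flat layout shown on this page: the FortiWeb block
# as the page gives it, plus a FortiMail block with authentication left off.
SAMPLE_CLI = """\
config system wccp
set service-id 51
set router-id 5.5.5.5 (the IP address of the FortiGate interface that communicates with the FortiWeb)
set group-address 0.0.0.0
set server-list 5.5.5.25 255.255.255.255 (the IP address of the FortiWeb)
set authentication enable
set forward-method GRE
set return-method GRE
set assignment-method HASH
set password *
end
config system wccp
set service-id 52
set router-id 5.5.5.5
set group-address 0.0.0.0
set server-list 5.5.5.65 255.255.255.255
set authentication disable
set forward-method GRE
set return-method GRE
set assignment-method HASH
end
"""


def parse_wccp_blocks(cli_text: str) -> List[Dict[str, str]]:
    """Parse every 'config system wccp ... end' block into a {key: value} dict.

    Parenthetical annotations such as '(the IP address of the FortiWeb)' are
    stripped first so the page's annotated listing parses like plain CLI.
    Only the flat 'set <key> <value>' layout used on this page is handled.
    """
    blocks: List[Dict[str, str]] = []
    current = None
    for raw in cli_text.splitlines():
        line = re.sub(r"\([^)]*\)", "", raw).strip()
        if not line:
            continue
        if line == "config system wccp":
            current = {}
        elif line == "end" and current is not None:
            blocks.append(current)
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)  # ["set", key, "value ..."]
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip()
    return blocks


def _valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def audit_wccp_block(block: Dict[str, str], offload: str) -> List[str]:
    """Return findings for one block; an empty list means it matches the page."""
    findings: List[str] = []
    expected = EXPECTED_SERVICE_ID[offload]
    if block.get("service-id") != expected:
        findings.append(f"service-id {block.get('service-id')!r}, expected {expected} for {offload}")
    if not _valid_ip(block.get("router-id", "")):
        findings.append("router-id is not a valid IP address")
    servers = block.get("server-list", "").split()
    if len(servers) != 2 or not all(_valid_ip(s) for s in servers):
        findings.append("server-list must be '<device-ip> <netmask>'")
    # Assumption of this example: WCCP authentication is treated as required,
    # since the FortiGate redirects accepted traffic over GRE to whichever
    # device registers for the service-id.
    if block.get("authentication") != "enable":
        findings.append("authentication not enabled: WCCP registration from the external device is not password-protected")
    elif not block.get("password"):
        findings.append("authentication enabled but no password set")
    for key in ("forward-method", "return-method"):
        if block.get(key) != "GRE":
            findings.append(f"{key} is {block.get(key)!r}, expected GRE")
    if block.get("assignment-method") != "HASH":
        findings.append(f"assignment-method is {block.get('assignment-method')!r}, expected HASH")
    return findings


def audit_wccp_config(cli_text: str, offloads: List[str]) -> List[Tuple[str, List[str]]]:
    """Audit each block against the offload type it is meant for (in order) and
    flag a service-id shared by two blocks, e.g. FortiWeb plus FortiCache."""
    report: List[Tuple[str, List[str]]] = []
    seen: Dict[str, str] = {}
    for block, offload in zip(parse_wccp_blocks(cli_text), offloads):
        sid = block.get("service-id", "?")
        findings = audit_wccp_block(block, offload)
        if sid in seen:
            findings.append(f"service-id {sid} already used for {seen[sid]}; one FortiGate cannot run both")
        seen.setdefault(sid, offload)
        report.append((offload, findings))
    return report


if __name__ == "__main__":
    for offload, findings in audit_wccp_config(SAMPLE_CLI, ["fortiweb", "fortimail"]):
        print(offload, "OK" if not findings else findings)
```

Run it against your own saved CLI output instead of SAMPLE_CLI; note that output from a live device may be laid out differently from the flat listing reproduced on this page, and the parser above only handles the layout shown here.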

For more information on this configuration and others, see the FortiWeb Administration Guide.