Back up your configuration before changing the operation mode. Changing modes deletes any policies not applicable to the new mode, TCP SYN flood protection settings, all static routes, all V-zone (bridge) IPs, and all VLANs. You must re-cable your network topology to suit the operation mode, unless you are switching between the two transparent modes, which have similar network topology requirements.

The physical topology must match the operation mode. You may need to re-cable your deployment after changing this setting. For details, see the FortiWeb Installation Guide.

Unlike in reverse proxy mode or true transparent proxy mode, actions other than Alert cannot be guaranteed to succeed in offline protection mode. The FortiWeb appliance attempts to block traffic that violates the policy by mimicking the client or server and requesting that the connection be reset. However, because the routing paths may differ, the client or server may receive the reset request only after it has already received the other traffic.

Most organizations do not permanently deploy their FortiWeb appliances in offline protection mode. Instead, they use offline protection to learn about their web servers' protection requirements and to build some of the appropriate configuration during a transition period, after which they switch to one of the operation modes that places the appliance inline between all clients and all web servers. Switching out of offline protection mode once the transition is complete prevents bypass problems that can arise from misconfigured routing. It also makes available protection features that cannot be supported in the SPAN port topology used with offline detection.

Unlike in reverse proxy mode or true transparent proxy mode, actions other than Alert cannot be guaranteed to succeed in transparent inspection mode. The FortiWeb appliance attempts to block traffic that violates the policy. However, because inspection is asynchronous, the client or server may already have received the traffic that violated the policy.
| Variable | Description | Default |
|---|---|---|
| `opmode {offline-protection \| reverse-proxy \| transparent \| transparent-inspection}` | Select the operation mode of the FortiWeb appliance. If you have not yet adjusted the physical topology to suit the new operation mode, see the FortiWeb Administration Guide. You may also need to reconfigure IP addresses, VLANs, static routes, bridges, policies, TCP SYN flood prevention, and virtual servers, and on your web servers, enable or disable SSL. Note: If you select `offline-protection`, you can configure the port from which TCP RST (reset) commands are sent to block traffic that violates a policy. For details, see `block-port <port_int>`. | `reverse-proxy` |
| `gateway <router_ipv4>` | Type the IPv4 address of the default gateway. This setting is visible only if `opmode` is either `transparent` or `transparent-inspection`. FortiWeb uses the `gateway` setting to create a corresponding static route under `config router static` with the first available index number. Packets egress through port1, the hard-coded management network interface for the transparent operation modes. | none |
| `stop-guimonitor {enable \| disable}` | Enable to configure FortiWeb to stop checking whether the process that generates the web UI (`httpsd`) is defunct (that is, a zombie process). In some cases, a process that has completed execution can still have an entry in the process table, which can create a resource leak. When this setting is disabled, FortiWeb checks the process and stops and reloads the web UI if it determines that the process is defunct. | `disable` |
| `enable-cache-flush {enable \| disable}` | Enable to configure FortiWeb to clear its cache memory every 45 minutes and generate an event log message for the action. | `disable` |
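The following CLI sequence is an added example, not taken from the FortiWeb documentation, showing how the `opmode` and `gateway` settings above fit together when moving an appliance into transparent mode. The gateway address is a constructed placeholder; the `show router static` check is assumed to be the standard way to read back the route that FortiWeb creates for you.

```text
# Added example; 192.0.2.1 is a placeholder, not a real gateway.
# Take a configuration backup first: the mode change removes all
# static routes, VLANs, V-zone IPs and non-applicable policies.

config system settings
    set opmode transparent
    # gateway is only accepted in transparent and transparent-inspection
    # modes; FortiWeb turns it into a static route under config router
    # static using the first free index, with port1 as the egress interface.
    set gateway 192.0.2.1
end

# Verify that the route was created rather than adding one by hand,
# otherwise you end up with a duplicate default route after the switch.
show router static
```

Because the mode change and the gateway-derived route are applied together, re-cable the appliance for the transparent topology before running the block; until the physical path through port1 matches the new mode, the default route exists but nothing will egress through it.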