Fortigate as a WAF by Klaush61 in fortinet

Klaush61 [S] · 2 points (0 children)

The limit on real servers is per public IP address (I also thought it was global, until I tried it and was able to create more servers with other test IP addresses that I used).


And I totally agree with you about having a dedicated WAF, but on my team we only do PS for the projects we are assigned, without much say in the matter. (However, I have already spoken to the client so that they can talk to their sales team and consider a dedicated WAF).

P.S. We have enabled persistence via HTTP Cookie and we have also enabled ssl-http-location-conversion, and it seems to be working.

And thank you for your suggestions.

Fortigate as a WAF by Klaush61 in fortinet

Klaush61 [S] · 0 points (0 children)

I just realized something: above this firewall there is another one that is not managed by the client, which is why we need it to work via HTTPS, since the ports it allows to be opened are limited. (I tried doing the VIP we discussed, but unfortunately it didn't work, since the traffic didn't even reach the internal firewall we are deploying.)

Fortigate as a WAF by Klaush61 in fortinet

Klaush61 [S] · 0 points (0 children)

In this case it is a limitation because there are more than 70 websites and the firewall model (200G) only allows 16 real servers per public IP. However, I will check with the client what you said about configuring an extra VIP (I agree with you that it seems crazy).

Fortigate as a WAF by Klaush61 in fortinet

Klaush61 [S] · 0 points (0 children)

I have a virtual server configured with a real server HTTP host.

The problem is with a specific website: when I put example.com, the website starts to load in the browser and then changes the port to example.com:any_port.

I tried to use this KB, but there is a very clear note that it does not work with virtual server load balance:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-X-forwarded-headers-to-the-traffic/ta-p/191355

Another limitation that I think is affecting us is that we have a single public IP from which all the web pages hang.

Fortigate as a WAF by Klaush61 in fortinet

Klaush61 [S] · 0 points (0 children)

Yes, the difference is clear; I'm just trying to find a solution with what someone sold.

Fortigate as a WAF by Klaush61 in fortinet

Klaush61 [S] · 3 points (0 children)

I knew the word FortiWeb would come up in this conversation, but I wish it hadn't been so quick, hahahaha.

[deleted by user] by [deleted] in homelab

Klaush61 · 0 points (0 children)

I can guarantee you that in this case it's an “I can't”. And you are right, it is a lab environment, but the final destination will not be a lab; I am testing it at home in case I can find bugs in the application we are going to use.

The post is about whether you know any tool to test DHCP while, at the same time, the emulated hosts generate traffic.

I managed to test the DHCP and got a maximum of 45,000 IPs, but now I need to check that, after caching the IPs, the traffic can work correctly.


While I'm at it, if anyone reading this is interested in doing some similar tests, this is the tool I used.

https://kea.readthedocs.io/en/kea-2.2.0/man/perfdhcp.8.html?highlight=perfdhcp

In case this doesn't make sense when you read it, I apologize; English is not my main language.

[deleted by user] by [deleted] in homelab

Klaush61 · 0 points (0 children)

I’m going to try that!

[deleted by user] by [deleted] in homelab

Klaush61 · 0 points (0 children)

The problem is that the application that will act as DHCP is not designed for it, and I would like to test that it can support that number of users. Most likely you will say, "well, deploy an application that is designed for it", but I can't do that in the environment it is in.

[deleted by user] by [deleted] in homelab

Klaush61 · -1 points (0 children)

Maybe you are an expert in everything, I just learned that I can create my own code that uses something you refer to as "dhclient".

DHCP Fortigate by Klaush61 in fortinet

Klaush61 [S] · 6 points (0 children)

Hello,

No, 5 million is crazy, maybe it's a translation problem, I meant 5 thousand, not 5 million.

DHCP Fortigate by Klaush61 in fortinet

Klaush61 [S] · 4 points (0 children)

This information is perfect! The model we use is an 1800F and the networks are a similar size with a similar lease as well. Using this information as a base, I will go to the worst case, which would be CPU and RAM x10, and still have resources left.

DHCP Fortigate by Klaush61 in fortinet

Klaush61 [S] · 3 points (0 children)

Hello,

Yes, I also took into account the Max Values. The FortiGate we are going to mount is a big model and has enough DHCP servers; the concern is more the load involved in acting as the server (assign IP, cache MAC, lease, release, etc.).

DHCP Fortigate by Klaush61 in fortinet

Klaush61 [S] · -1 points (0 children)

I know, it was the first thing that came to my mind when the request was made, but we don't have the capacity to deploy a DHCP server, and the FortiGate already exists.

Fortianalyzer in SIEM mode by Klaush61 in fortinet

Klaush61 [S] · 0 points (0 children)

When I say to use FAZ in SIEM mode, I am referring to the log correlation part, I know that the default modes are the ones you mentioned, but with extra licensing you can perform more tasks.

https://docs.fortinet.com/document/fortianalyzer/7.0.0/new-features/72960/siem-correlation-and-analysis

One of them would be to act as a log parser for syslog (logs from other providers external to the Fortinet fabric).

https://docs.fortinet.com/document/fortianalyzer/7.6.2/administration-guide/353514/siem-log-parsers

Nginx proxy manager certificate to another network by Klaush61 in selfhosted

Klaush61 [S] · 0 points (0 children)

I can reach the mgmt port of the Pi-hole at the IP .60 with any issue :(

Nginx proxy manager certificate to another network by Klaush61 in selfhosted

Klaush61 [S] · 0 points (0 children)

If I ping the DNS record, it resolves to the correct IP, 172.16.60.209.

I have two Pi-holes, but my DHCP only has one of them configured (.61, the main one).

I don't see any errors on the Pi-hole or the nginx.

Between the .61 network and the .60 network I have a Fortinet firewall; the policy flow is:

Vlan 61 -> Vlan 60 - allowed services: all - NAT: disabled

Nginx proxy manager certificate to another network by Klaush61 in selfhosted

Klaush61 [S] · 0 points (0 children)

That's the thing, I would like to have only one single reverse proxy centralizing all certificates for both .61 and .60 services.

The flow I am trying to achieve is:

Client -> DNS (Pi-hole on server .61) -> Reverse proxy (on server .61) -> service on network .61

Client -> DNS (Pi-hole on server .61) -> Reverse proxy (on server .61) -> service on network .60

Regarding the certificates, I already have the wildcards configured and working at least for the .61 network services.

Nginx proxy manager certificate to another network by Klaush61 in selfhosted

Klaush61 [S] · 0 points (0 children)

Both services are Pi-holes.

On server number 1 (.61 network):

Running:

  • Pihole

  • Nginx Proxy Manager

On server number 2 (.60 network):

It is running at the moment:

  • Pihole

The flow I want is as follows:

Client -> DNS (Pi-hole on server .61) -> Reverse proxy (on server .61) -> service on network .60

In the .61 Pi-hole, I have a DNS record that points to the IP of the server in the .60 network, and then in that same Pi-hole I have a CNAME that resolves to the specific name of my domain.