Onboarding
What is a FortiAppSec Cloud application, and how many domains does a WAF application support?
In FortiAppSec Cloud, an application can include:
- A primary declared domain name.
- Up to 9 additional domain names that belong to the same root domain and point to the same origin server(s).
For example:
- Domains such as "example.com" and "test.example.com" can be part of the same application "example.com".
- However, "test.com" would be considered a different application because it does not share the same root domain.
This structure ensures that all domains within an application share consistent security and origin configurations.
How do I onboard WAF applications?
For instructions on onboarding WAF applications, please see Onboard WAF applications.
What are the recommended actions after an application is onboarded?
It's suggested to perform the following actions after an application is onboarded:
Required actions
- Change the DNS record at your DNS service using the CNAME provided by FortiAppSec Cloud.
- Configure your origin servers to only accept traffic from FortiAppSec Cloud IP addresses, so that the WAF cannot be bypassed by connecting to the origin directly. See this article for a list of FortiAppSec Cloud IP addresses.
- Configure security rules and observe the attack logs in FortiView Threat View or Attack Logs. If legitimate traffic is falsely detected as attacks, add exceptions or modify the security rules to avoid false positives in the future. See Attack logs for how to add exceptions.
- Enable Block Mode in WAF > Applications once you have continuously observed the attack logs for several days and no false positives have been recorded in the logs.
Optional actions
- Whitelist FortiAppSec Cloud IP addresses to make sure access from FortiAppSec Cloud to your web application is uninterrupted. See this article for a list of FortiAppSec Cloud IP addresses.
What is an application in FortiAppSec Cloud?
In FortiAppSec Cloud, an application is a declared domain name and up to 9 other domain names attaching to it, which all belong to the same root domain and all point to the same origin server(s). For example, "example.com" and "test.example.com" can be part of the same application "example.com", while "test.com" is a different application.
What is a CNAME?
A CNAME record is an optional type of DNS zone record that aliases one domain name to another. A CNAME record has a domain name as its record NAME, a record TYPE of “CNAME”, and a VALUE that is another domain name. The VALUE field of a CNAME record is often called the CNAME, or canonical (true) name.
When you complete onboarding an application, FortiAppSec Cloud provides you with a CNAME. You need to go to your DNS service and pair this CNAME with your application's domain name.
What if my DNS service does not support CNAMEs?
If your DNS service does not support CNAME records, the workaround is to pair your application's domain name with the IP addresses of the FortiAppSec Cloud scrubbing center deployed in the same region as your origin server. See this article for a list of FortiAppSec Cloud IP addresses.
Please note the CDN feature won't be available in this scenario because all the traffic will be forwarded to a fixed scrubbing center.
Which public cloud regions host FortiAppSec Cloud scrubbing centers?
FortiAppSec Cloud supports most of the regions on AWS.
What is a CDN?
By enabling CDN, the data on your origin servers can be cached in FortiAppSec Cloud scrubbing centers distributed around the world. When users request data from your application, they are directed to the nearest scrubbing center and served the requested data from there. See this article for a list of FortiAppSec Cloud IP addresses.
You can enable CDN when onboarding an application, or set this option in the Application Settings dialog (WAF > Applications).
Why am I getting false alarms for DDoS or HTTP rate limiting when using a CDN or Proxy?
When a CDN or proxy sits in front of your load balancer, it causes the WAF to see the scrubbing center's IP instead of the real client IP, triggering false DDoS and rate limiting alarms.
To fix this issue:
- Configure your CDN/proxy to forward the original client's IP to the WAF in a custom header (for example, x-client-ip).
- Go to WAF > Application Delivery > Rewriting Requests, and enable Use X-Header to Identify Original Clients' IP, defining x-client-ip as the header name.
The WAF will then use the IP value from x-client-ip as the true source IP for rate limiting and threat detection.
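The following Python example is added here to illustrate two of the points above together: restricting the origin server to the FortiAppSec Cloud IP ranges (from the required onboarding actions) and taking the true client IP from the x-client-ip header so that per-client rate limiting is not tripped by the proxy's single address. It is not FortiAppSec Cloud code; the CIDR ranges are constructed documentation prefixes standing in for the real FortiAppSec Cloud IP list, and the header name is assumed to match what you configured under Use X-Header to Identify Original Clients' IP. The key caveat it demonstrates is that a client-IP header is only trustworthy when the request actually arrived from a trusted proxy range; otherwise any client could set the header itself.

```python
import ipaddress
from typing import Dict, List, Mapping, Tuple

# Constructed placeholder ranges standing in for the FortiAppSec Cloud
# scrubbing-center IP list (take the real list from the article the page
# references). 192.0.2.0/24 and 198.51.100.0/24 are documentation prefixes.
TRUSTED_PROXY_CIDRS = ("192.0.2.0/24", "198.51.100.0/24")
TRUSTED_PROXY_NETWORKS = [ipaddress.ip_network(c) for c in TRUSTED_PROXY_CIDRS]

# Assumed to match the header name configured in the WAF settings.
CLIENT_IP_HEADER = "x-client-ip"


def is_trusted_proxy(peer_ip: str, networks=TRUSTED_PROXY_NETWORKS) -> bool:
    """True if the TCP peer address lies inside a trusted scrubbing-center range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # garbage peer address is never trusted
    return any(addr in net for net in networks)


def origin_should_accept(peer_ip: str, networks=TRUSTED_PROXY_NETWORKS) -> bool:
    """Origin-side policy: only connections from the WAF/CDN ranges are accepted,
    so the WAF cannot be bypassed by talking to the origin directly."""
    return is_trusted_proxy(peer_ip, networks)


def real_client_ip(peer_ip: str, headers: Mapping[str, str],
                   header_name: str = CLIENT_IP_HEADER,
                   networks=TRUSTED_PROXY_NETWORKS) -> str:
    """Return the address to use for rate limiting and threat detection.

    The custom header is honoured only when the request came from a trusted
    proxy; otherwise the header could be spoofed by the client to evade per-IP
    limits or to frame another address. Malformed values fall back to the peer.
    """
    if not is_trusted_proxy(peer_ip, networks):
        return peer_ip
    value = None
    for name, val in headers.items():  # HTTP header names are case-insensitive
        if name.lower() == header_name.lower():
            value = val
            break
    if value is None:
        return peer_ip
    # If the proxy appended to an existing list, the first entry is the client.
    candidate = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip


def count_by_client(requests: List[Tuple[str, Mapping[str, str]]],
                    honor_header: bool) -> Dict[str, int]:
    """Per-client request counts, as a rate limiter would compute them.

    With honor_header=False every request through the proxy is attributed to
    the proxy's own address, which is exactly the false-positive pattern the
    page describes; with honor_header=True each real client is counted alone.
    """
    counts: Dict[str, int] = {}
    for peer_ip, headers in requests:
        key = real_client_ip(peer_ip, headers) if honor_header else peer_ip
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: three requests relayed by one proxy address on
# behalf of two clients, plus one direct request carrying a spoofed header.
SAMPLE_REQUESTS = [
    ("192.0.2.10", {"X-Client-IP": "203.0.113.5"}),
    ("192.0.2.10", {"X-Client-IP": "203.0.113.6"}),
    ("192.0.2.10", {"X-Client-IP": "203.0.113.5"}),
    ("203.0.113.99", {"X-Client-IP": "10.0.0.1"}),  # not via a trusted proxy
]

if __name__ == "__main__":
    print("without header:", count_by_client(SAMPLE_REQUESTS, honor_header=False))
    print("with header:   ", count_by_client(SAMPLE_REQUESTS, honor_header=True))
    print("direct hit accepted at origin?", origin_should_accept("203.0.113.99"))
```

Running the block shows the proxy address absorbing all three relayed requests when the header is ignored, versus one count per real client when it is honoured, while the direct request keeps its own peer address despite the spoofed header and is rejected by the origin policy.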