User Guide

Overview
What's new
Subscribing to FortiWeb Cloud
- Subscribing on AWS Marketplace
- Subscribing on Azure Marketplace
- Subscribing on Google Cloud Marketplace
- Subscribing on OCI Marketplace
- Purchasing contracts
- Two-Factor Authentication
- FortiFlex
FortiCloud Organizational Units
Getting started
- Onboarding applications
- Example: Changing DNS records on AWS Route 53
- Changing IP addresses of origin servers
- Restricting direct traffic & allowing FortiWeb Cloud IP addresses
- How does FortiWeb Cloud choose regions?
- CDN
- Understanding block mode and action
Global settings
- Application management
- Templates
- Audit logs
- Admin management
  - Migrating to IAM user
- Role management
- Contracts
- Cloud Connectors
- Custom block pages
- Settings
- Reports
Threat Analytics
- Threat Analytics
- Attack logs
- WAF Gateway
Log Settings
Configuring network
- Origin Servers
Endpoints
- Supported cipher suites & protocol versions
WAF modules
- How to add or remove a module
- Security Rules
- Client Security
- Access Rules
- Bot Mitigation
- DDoS prevention
- Advanced Applications
  - Custom Rule
  - WebSocket Security
- API Protection
- Application Delivery
- Global Trustlist
Vulnerability Scan
FortiView
Using FortiWeb Cloud with DevOps tools
- Configuring FortiWeb Cloud with Terraform
- Configuring FortiWeb Cloud with Ansible
- Configuring FortiWeb Cloud with Jenkins
Use cases
- Using FortiWeb Cloud behind a Content Distribution Service
- Network settings for applications serving different content over HTTP and HTTPS
- FortiWeb Cloud and Splunk
- Fortinet Security Fabric
- Managing External IdP roles in FortiCloud IAM
- Frequently used regular expressions
Best practices
- Using Dashboard to monitor important notices
- Utilizing FortiView to reduce false positives
- Setting up a secure environment
- How to block the ongoing DDoS attack
Sequence of scans
Supported cipher suites & protocol versions
Maximum configuration values
FAQs
- Onboarding applications
- Network
- Security
- Logs
- Subscriptions and Contracts
- Accounts
- Miscellaneous
Contacting customer service

Home FortiWeb Cloud User Guide

Creating an IP protection policy

Example: create an IP protection policy

---

- name: Execute cloud api

hosts: fortiwebcloud01

gather_facts: no

collections:

- fortinet.fortiwebcloud

connection: httpapi

vars:

ansible_httpapi_validate_certs: False

ansible_httpapi_use_ssl: true

ansible_httpapi_port: 443

application_name: "YOUR_APP_NAME"

tasks:

- name: Configure IP Protection.

cloudwaf_ip_protection_method:

api_token: "You must specify a token"

app_name: "{{application_name}}"

template_status: disable

status: enable

IPProtection:

ip-reputation: enable

geo-ip-block:

members:

- Antigua And Barbuda

- Aland Islands

- Afghanistan

ip-list:

members:

- type: trust-ip

ip: '1.1.1.1,2.2.2.21-2.2.2.27'

- type: block-ip

ip: '3.1.1.1,3.1.1.11-3.1.1.17'

- type: allow-only-ip

ip: '4.1.1.1-4.1.1.17,4.1.1.19'

ansible_httpapi_validate_certs	Whether to validate certificates for the connections between your Ansible host and FortiWeb Cloud's API gateway. Specify `False`.
ansible_httpapi_use_ssl	Whether to use SSL protocol for the connections between your Ansible host and FortiWeb Cloud's API gateway. Specify `true`.
ansible_httpapi_port	The port number used for the SSL connection. Specify `443`.
template_status	Specify whether to `enable` or `disable` inheriting the configurations of the template that you have applied to this application.
status	Specify whether to `enable` or `disable` IP reputation module.
ip-reputation	Specify whether to `enable` or `disable` blocking client access based on up-to-date threat intelligence gathered by FortiGuard.
geo-ip-block members:	Specify one or more geographical regions that you want to block. All requests from the specified regions will be blocked.
ip-list type: trust-ip	Specify the trust IPs.
ip-list type: block-ip	Specify the block IPs.
ip-list type: allow-only-ip	Specify the allow only IPs. For more information about the trust IP, block IP, and allow only IP, see IP Protection.

Example: create an IP protection policy

---

- name: Execute cloud api

hosts: fortiwebcloud01

gather_facts: no

collections:

- fortinet.fortiwebcloud

connection: httpapi

vars:

ansible_httpapi_validate_certs: False

ansible_httpapi_use_ssl: true

ansible_httpapi_port: 443

application_name: "YOUR_APP_NAME"

tasks:

- name: Configure IP Protection.

cloudwaf_ip_protection_method:

api_token: "You must specify a token"

app_name: "{{application_name}}"

template_status: disable

status: enable

IPProtection:

ip-reputation: enable

geo-ip-block:

members:

- Antigua And Barbuda

- Aland Islands

- Afghanistan

ip-list:

members:

- type: trust-ip

ip: '1.1.1.1,2.2.2.21-2.2.2.27'

- type: block-ip

ip: '3.1.1.1,3.1.1.11-3.1.1.17'

- type: allow-only-ip

ip: '4.1.1.1-4.1.1.17,4.1.1.19'

ansible_httpapi_validate_certs	Whether to validate certificates for the connections between your Ansible host and FortiWeb Cloud's API gateway. Specify `False`.
ansible_httpapi_use_ssl	Whether to use SSL protocol for the connections between your Ansible host and FortiWeb Cloud's API gateway. Specify `true`.
ansible_httpapi_port	The port number used for the SSL connection. Specify `443`.
template_status	Specify whether to `enable` or `disable` inheriting the configurations of the template that you have applied to this application.
status	Specify whether to `enable` or `disable` IP reputation module.
ip-reputation	Specify whether to `enable` or `disable` blocking client access based on up-to-date threat intelligence gathered by FortiGuard.
geo-ip-block members:	Specify one or more geographical regions that you want to block. All requests from the specified regions will be blocked.
ip-list type: trust-ip	Specify the trust IPs.
ip-list type: block-ip	Specify the block IPs.
ip-list type: allow-only-ip	Specify the allow only IPs. For more information about the trust IP, block IP, and allow only IP, see IP Protection.