Fortinet black logo

Administration Guide

How operation mode affects server policy behavior

How operation mode affects server policy behavior

Policy, protection profile behavior, and supported features vary by the operation mode. For details, see Supported features in each operation mode.

The WCCP operation mode is similar to True Transparent Proxy, except that web servers see the FortiWeb network interface IP address but not the IP address of the client.

Policy behavior by operation mode
Operation mode
Reverse Proxy Offline Protection True Transparent Proxy Transparent Inspection
Matches by
  • Service
  • Virtual server
Virtual server’s network interface, but not its IP address. V-zone (bridge), but not its IP address. V-zone (bridge), but not its IP address.
Violations Blocked or modified, according to profile. Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise. Blocked or modified, according to profile. Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise.
Profile support
  • Inline protection profiles
  • Offline Protection profiles
  • Inline protection profiles
  • Offline Protection profiles
SSL Certificate used to offload SSL from the servers to FortiWeb; can optionally re-encrypt before forwarding to the destination server. Certificate used to decrypt and scan only; does not act as an SSL origin or terminator. Certificate used to decrypt and scan only; does not act as an SSL origin or terminator. Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.
Forwarding
  • Forwards to a server pool member using the port number where it listens; similar to a network address translation (NAT) policy on a general-purpose firewall.
  • Can route connections to a specific server pool based on HTTP content.
Lets the traffic pass through to a server pool member, but does not load-balance. Forwards to a server pool member (but allowing to pass through, without actively redistributing connections) using the port number where it listens. Lets the traffic pass through to a member of a server pool, but does not load balance.

The way that FortiWeb determines which policy to apply to a connection varies by operation mode. The appliance applies only one policy to each connection.

If a TCP connection does not match any of the policies, FortiWeb either refuses the connection (if it is operating in Reverse Proxy mode) or denies the connection (if it is operating in other operation modes). Even if the TCP connection has a matching policy and is allowed, subsequently, if the HTTP/HTTPS request is not allowed by the policy’s profiles, it is considered to be in violation of the policy and the client may be blocked at the application (request) level or connection level, depending on the Action that you configure.

Policies are not applied while they are disabled. For details, see Enabling or disabling a policy.

How operation mode affects server policy behavior

Policy, protection profile behavior, and supported features vary by the operation mode. For details, see Supported features in each operation mode.

The WCCP operation mode is similar to True Transparent Proxy, except that web servers see the FortiWeb network interface IP address but not the IP address of the client.

Policy behavior by operation mode
Operation mode
Reverse Proxy Offline Protection True Transparent Proxy Transparent Inspection
Matches by
  • Service
  • Virtual server
Virtual server’s network interface, but not its IP address. V-zone (bridge), but not its IP address. V-zone (bridge), but not its IP address.
Violations Blocked or modified, according to profile. Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise. Blocked or modified, according to profile. Attempts to block by mimicking the client or server and requesting to reset the connection; does not modify otherwise.
Profile support
  • Inline protection profiles
  • Offline Protection profiles
  • Inline protection profiles
  • Offline Protection profiles
SSL Certificate used to offload SSL from the servers to FortiWeb; can optionally re-encrypt before forwarding to the destination server. Certificate used to decrypt and scan only; does not act as an SSL origin or terminator. Certificate used to decrypt and scan only; does not act as an SSL origin or terminator. Certificate used to decrypt and scan only; does not act as an SSL origin or terminator.
Forwarding
  • Forwards to a server pool member using the port number where it listens; similar to a network address translation (NAT) policy on a general-purpose firewall.
  • Can route connections to a specific server pool based on HTTP content.
Lets the traffic pass through to a server pool member, but does not load-balance. Forwards to a server pool member (but allowing to pass through, without actively redistributing connections) using the port number where it listens. Lets the traffic pass through to a member of a server pool, but does not load balance.

The way that FortiWeb determines which policy to apply to a connection varies by operation mode. The appliance applies only one policy to each connection.

If a TCP connection does not match any of the policies, FortiWeb either refuses the connection (if it is operating in Reverse Proxy mode) or denies the connection (if it is operating in other operation modes). Even if the TCP connection has a matching policy and is allowed, subsequently, if the HTTP/HTTPS request is not allowed by the policy’s profiles, it is considered to be in violation of the policy and the client may be blocked at the application (request) level or connection level, depending on the Action that you configure.

Policies are not applied while they are disabled. For details, see Enabling or disabling a policy.