Fortiweb on AWS


Panel: https://Public DNS:8443

SSH: 22

Default login credentials are with a username of "admin" and the AWS Instance ID value as the password.




它是個簡單 firewall 來, 只提供基本功能


Default Action

For Default Action, select one of the following:

Deny—Firewall blocks traffic that does not match a policy rule.

However, administrative access is still allowed on network interfaces for which it has been configured.

Firewall FWMARK policy

The FWMARK policy allows you to mark the traffic coming in FortiWeb.

Using it together with policy route, you can direct the marked traffic to go out of FortiWeb

through a specified interface or/and to a specified next-hop gateway.


To apply Firewall DNAT Policy, enable IP Forward in CLI config router setting.

get router setting

ip-forward          : disable
ip6-forward         : disable


config router setting
    set ip-forward enable


Virtual Server


It is not an actual server, but simply defines the listening network interface.

It includes a specialized proxy that only picks up HTTP and HTTPS.

IP 選項

  • Virtual IP
  • Use Interface IP




config waf ip-list

--- URL

config waf url-access url-access-rule

config waf url-access url-access-policy

--- Network

config waf http-request-flood-prevention-rule

config waf http-connection-flood-check-rule

config waf layer4-access-limit-rule

--- CA

config system certificate ca

--- Method

config waf allow-method-policy

config waf input-rule


config waf start-pages

--- inline

config waf web-protection-profile inline-protection

--- replace

config system replacemsg

--- cookie

config waf cookie-security



  1. config server-policy vserver
  2. config server-policy server-pool
  3. config server-policy policy