What does this AWS Solution do?

The solution relies on the FortiWeb web application firewall (WAF) to protect web resources from common web attacks that compromise the availability or security of a web application, or that consume excessive resources.

AWS Solution overview

Requests from the Internet are forwarded by an Application Load Balancer or Network Load Balancer to the FortiWeb server, located in a different availability zone, and the FortiWeb server verifies each request against the predefined rules. If the request is verified to be safe, it is forwarded on to the business web server in the private network; otherwise FortiWeb intercepts and blocks the malicious request.

Architecture

AWS Deployment with FortiWeb WAF

This solution includes public and private subnets. FortiWeb is deployed in the public subnet, and the web servers it protects are deployed in the private subnet.


The load balancer in front of the FortiWeb server can be either an AWS Application Load Balancer or a Network Load Balancer.


A FortiWeb Master node and a FortiWeb Slave node are created in different availability zones to form an active-active high volume deployment mode. If the FortiWeb Master node fails, the FortiWeb Slave node is automatically promoted to Master.
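The topology above only protects the web tier if every request actually passes through FortiWeb; a web-server security group that also accepts traffic from the Internet or from other hosts in the VPC lets requests skip the WAF. As an added example (not part of this AWS solution or its source code), the check below flags such ingress rules on the private web tier. The security-group dicts follow the shape boto3's describe_security_groups() returns, but are constructed sample data with placeholder group IDs.

```python
"""Flag web-tier ingress rules that let traffic bypass FortiWeb.

The web servers in the private subnet should accept traffic only from the
FortiWeb security group; any other ingress source is a path around the WAF.
Security-group dicts use the shape boto3 describe_security_groups() returns;
they are constructed sample data with placeholder group IDs, not live output.
"""

FORTIWEB_SG = "sg-PLACEHOLDER-fortiweb"  # placeholder: SG attached to both FortiWeb nodes

# Weak web-tier SG: HTTP open to the Internet and SSH open to the whole VPC.
WEB_SG_WEAK = {
    "GroupId": "sg-PLACEHOLDER-web-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ],
}

# Hardened web-tier SG: HTTP only from the FortiWeb security group.
WEB_SG_HARDENED = {
    "GroupId": "sg-PLACEHOLDER-web-hardened",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": FORTIWEB_SG}]},
    ],
}

def bypass_paths(web_sg, fortiweb_sg_id):
    """Return (protocol, from_port, to_port, source) for each ingress rule
    whose source is anything other than the FortiWeb security group."""
    findings = []
    for perm in web_sg.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        # CIDR sources (IPv4 or IPv6) never traverse the WAF.
        for r in perm.get("IpRanges", []):
            findings.append((proto, lo, hi, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            findings.append((proto, lo, hi, r["CidrIpv6"]))
        # A security-group source is acceptable only when it is the FortiWeb SG.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != fortiweb_sg_id:
                findings.append((proto, lo, hi, pair.get("GroupId")))
    return findings

if __name__ == "__main__":
    for sg in (WEB_SG_WEAK, WEB_SG_HARDENED):
        print(sg["GroupId"], bypass_paths(sg, FORTIWEB_SG))
```

Against a live account, feed the function the `SecurityGroups` entries from `describe_security_groups()` for the web-tier groups; an empty result means the only route to the web servers is through FortiWeb.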

AWS Deployment with Fortiweb WAF

Version 1.0.0
Last updated: 06/2020
Author: AWS

Estimated deployment time: 5 min

Source code 

Features

Built-in multiple strategies

The solution has multiple built-in protection strategies against the OWASP Top 10 threats. It can protect against common web server attacks such as SQL injection, cross-site scripting (XSS), web shells, command injection, and malformed HTTP protocol requests.

Malicious crawler prevention

Identifies and blocks malicious crawlers using four detection dimensions: biometric detection, threshold detection, bot deception technology, and mobile application recognition.

Application-level DDoS defense

The solution has a built-in two-layer DDoS defense module. The network layer security module combines TCP flood control and SYN cookie thresholds to defend against and mitigate network layer attacks. The application layer security module defends against application layer attacks targeting HTTP URLs, cookies, IP addresses, TCP sessions, and more.

Machine learning identification

Based on machine learning identification technology, the solution identifies and blocks information collection behaviors such as malicious website content crawling, brute-force cracking, vulnerability scanning, and malicious probing.