FortiWeb provides a dedicated PCI-DSS mode that, when selected for SSL off-loading, automatically enforces the cipher suites, key lengths, protocol versions, and logging settings mandated by PCI-DSS v3.2/3.2.1. Reverse-proxy or transparent modes can still be made secure, but they rely on manual tuning; only PCI-DSS mode ships with the pre-set hardening required for immediate, auditable compliance, making “SSL offloading with FortiWeb in PCI-DSS mode” the implementation purposely designed to meet the standard.

A. Reverse proxy mode alone does not enforce PCI-DSS-approved ciphers/protocols; weak options remain unless manually removed.

C. Transparent mode forwards traffic; it cannot terminate and re-encrypt with PCI-DSS-approved settings out-of-box.

D. Full transparent proxy similarly passes traffic in-line; it lacks the predefined compliance hardening present in PCI-DSS mode.

1. Fortinet “FortiWeb 7.0.x Administration Guide”

section “System > PCI-DSS”

pp. 274-276 – describes PCI-DSS mode enforcing TLS 1.2+

strong ciphers

audit logging.

2. Fortinet “FortiWeb 7.0.x Administration Guide”

table “Operating Modes vs Compliance”

p. 38 – notes PCI-DSS mode is recommended for card-holder-data environments.

3. PCI Security Standards Council. “Payment Card Industry Data Security Standard v3.2.1”

Req 4.1

pp. 19-21 – mandates use of strong cryptography for transmission; FortiWeb’s PCI-DSS mode maps to these requirements.

4. Fortinet KB Article #FD47794 “How to enable PCI-DSS compliance on FortiWeb” (2022-06-15) – states that enabling PCI-DSS mode is the prescribed method to satisfy compliance audits.