Add a Protected Web Application

This section describes steps for adding protected web applications to a DNG deployed within Secure Firewall Threat Defense.

Before you begin

  • Identify the web application you'd like to protect with Duo Network Gateway.

  • Obtain an SSL certificate for your application from a commercial certificate authority (CA) using the fully qualified external DNS name of your application as the common name (e.g. This secures the connection between your external users and the Duo Network Gateway server.

  • If the application you'll be protecting is communicating over HTTPS you will also need to obtain the Base64-encoded X.509 (pem, cer, or crt) formatted version of the application's certificate bundle including the issuing certificates and the root certificate. You may also use a wildcard SSL certificate.

  • Ensure that a minimum of one Duo Admin Panel is onboarded into your CDO tenant.


Step 1

In the CDO navigation bar, choose Secure Connect Choice > Protected Applications.


You can click the copy button in the application row to create a new application from an existing one. When creating the application, you can modify the prepopulated fields.

Step 2

In the Web Applications tab, click + to add a web application.

The Add Protected Web Application screen provides normal and advanced views. The simple view displays the minimum parameters required for creating a web application, whereas the advanced view displays advanced fields for application creation.

You can move the Advanced View slider to the right to view the advanced fields required for application creation.

  • In the Select Region, choose a region in which you want to protect web applications.

  • Posture Policy (from Duo): Select a posture policy created in Duo Admin Panel.

    You can create a policy in the Duo Admin Panel. Click the web URL of the Duo Admin Panel provided in this field and then create it. Click the refresh icon to read the latest changes from the Duo Admin Panel. See Duo Administration - Protecting Applications.

Step 3

In the normal view, you can configure the following fields:

  • Automatically Create DNS Entries: Enable this check box to auto-create the DNS record for the external URL, which will be specified in the External URL field.

  • External URL: Specify the public facing URL of the web application Duo Network Gateway is protecting (eg.

    You must create a Canonical Name (CNAME) record in your DNS records to map the external URL specified here. The field displays the value of the record to be used in DNS records. In the following example, the value is "".

    A wildcard external URL such as https://* can also be used, which will automatically route all subdomains of to this application that are not already defined as a separate application in Duo Network Gateway. When using a wildcard URL the internal application must be able to distinguish between the various hostnames.

    You must create a Canonical Name (CNAME) record in your DNS records to map the external URL specified here. The field displays the value of the record to be used in DNS records.

  • Use Wildcard Certificate: Enable this check box to use wildcard certificate to present for the web application. If enabled, you don't have to specify the external SSL certificate and its private key.

    We do not validate the Common Name (CN) of the wildcard certificate keypair to check whether it matches the managed domain name nor we check if it is a wildcard certificate.

    This certificate information is stored in the SFCN cluster's CRD metadata, so deleting and reonboarding a cluster will not require entering this information again.

  • External SSL Certificate: Click Browse and upload your own SSL certificate.

    Base64-encoded X.509 (pem, cer, or crt) public certificate to present for the external URL of the application. We recommend including the entire certificate chain in the certificate file. The certificates should be ordered from top to bottom: certificate, issuing certificates, and root certificate.

  • External SSL Certificate Key: Click Browse and upload the private key.

    Base64-encoded X.509 (pem, cer, or crt) private key for the application's external URL certificate.

  • Internal URL : Enter the IP or DNS address of the web application Duo Network Gateway is protecting (eg. https://wiki.local or

    If you used the same URL for the application's internal and external URLs, ensure that an internal DNS record for this hostname exists and points to the internal application server IP.


    If you provided the DNS address, ensure you have added your internal DNS resolver to CDO and configured it to point to the internal IP address of the protected application. The DNS resolvers resolve the Fully Qualified Domain Name (FQDN) into IP addresses.

  • Internal Port: If the internal application communicates on a port other than 80 or 443 specify the port. Your internal application can communicate over HTTP or HTTPS. For example, internal URL - https://wiki.local:8090.

Step 4

If you have enabled the advanced view, you can configure the following fields:

  • Enable Frameless slider to the right to provide frameless support for Duo Universal Prompt.

    Session Duration (Minutes): Specify the maximum user session duration for a specific application in minutes. Users must reauthenticate to the Duo Network Gateway when the limit is reached. The default value is 480.

  • List of Allowed Prefixes: Specify a list of allowed prefixes that don't require authentication through the Duo Network Gateway and click the blue + icon.

  • List of Allowed Suffixes: Specify a list of allowed suffixes that don't require authentication through the Duo Network Gateway and click the blue + icon.

  • List of Allowed IPs: Specify a list of IPs that allow you to restrict the permitted prefixes and suffixes to a specific IP address or IP address range

  • Maximum Client Body Size (Megabytes): Specify the maximum client to server upload size in megabytes. The default value is 128MB. If you receive "413 Request Entity Too Large" errors, then set this value to the largest upload size the upstream server is expected to handle. It requires Duo Network Gateway version 1.5.12 or later.

  • Use SSL: If enabled, the internal application uses SSL.

  • Use Internal name for SSL validation: If enabled, the subject host name of your certificate used by the internal application is the internal URL.

  • Add X-Forwarded Proto: If enabled, the Duo Network Gateway will send an X-Forwarded-Proto header to the protected application.

  • SSL Certificate: Required only when the internal application is communicating over HTTPS. Provide a Base64-encoded X.509 (pem, cer, or crt) version of the Root CA's certificate that is at the top of the chain for the internal application certificate.

  • Use Internal HTTP Host header name: If enabled, the internal URL will be sent in the HTTP Host header when communicating with the internal application. Otherwise, the external URL will be sent.

  • Add an X-Forwarded-Host header to proxied requests: If enabled, the Duo Network Gateway will send an X-Forwarded-Host header with the Host header value from the incoming request to the protected application. This is required by some applications that generate absolute URLs to internal resources instead of using relative URLs. Note that some applications will break if more than one proxy adds this header.

Step 5

If you want to create another web application with the same values, click Create another.

Step 6

Click Save. A new web application is created.

If you have opted to create another web application, most of the common fields from the previous application are copied automatically to the next application created.

After you make a configuration change using the CDO GUI and save your change, that change is saved in CDO's stored version of the firewall's running configuration file.

Step 7

Deploy the changes you made to the region. See Deploy the Configuration Changes.

The web application is created and deployed on the device. You can click the application to see its details. You can also see the expiry date of the external and internal certificates uploaded during the application creation.