Ade_23
Staff
March 14, 2025

Technical Tip: Difference between SSL half and full offloading

Description

This article explains the difference between the half (Client<->FortiGate) and full SSL offloading modes when configuring a virtual server.

Scope

FortiGate.

Solution

On the FortiGate, when configuring a virtual server to load-balance secure connections such as HTTPS, an SSL offloading mode must be selected.

SSL offloading is a method by which the FortiGate handles SSL encryption and decryption in place of the real servers behind the load balancer. The intention is that the servers being protected do not have to perform these operations themselves and can direct their resources to other work.

[Image: ssl offload.PNG: the SSL Offloading options shown on the virtual server configuration page]

As shown in the image above, the options on the FortiGate GUI are Client<->FortiGate (half) or Full.

The commands to change this on the CLI are:

config firewall vip
    edit <name>
        set ssl-mode <half | full>
    next
end

The difference between them is as follows:

  • Half (Client<->FortiGate): In this mode, traffic is encrypted only between the client and the FortiGate. When the FortiGate receives an encrypted request, such as HTTPS traffic, it decrypts the traffic and sends it to the real server in plaintext. When the server responds to the client, the response is sent in plaintext and is encrypted by the FortiGate before it is forwarded to the client.
  • Full: In this mode, traffic is encrypted on both sides: client to FortiGate and FortiGate to server(s). When encrypted traffic is received, the FortiGate decrypts it for inspection and then encrypts it again before forwarding it to the server. In the reply direction, the traffic from the server is encrypted, and the FortiGate forwards it on to the client.
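The practical consequence of the two modes is on the FortiGate-to-server leg: in half mode the real servers must accept plaintext HTTP on that segment, and in full mode they must accept TLS. A real server port that disagrees with the chosen ssl-mode (for example ssl-mode half with real servers on port 443) is a common misconfiguration that surfaces as failed backend connections. The following script is an added example, not Fortinet code: it parses a small subset of the FortiOS `config firewall vip` CLI syntax and flags real-server ports that do not match the VIP's ssl-mode. The VIP names, IP addresses, port sets and the sample configuration are constructed for the example.

```python
"""Audit SSL offloading mode against real-server ports in FortiGate VIPs.

Added example, not Fortinet code: parses the edit/set/config realservers/
next/end subset of the FortiOS `config firewall vip` syntax and checks
each virtual server's `ssl-mode` against the ports its real servers use.
VIP names, IPs and ports below are constructed sample values.
"""

# Constructed sample: three virtual servers in FortiOS CLI syntax.
SAMPLE_CONFIG = """
config firewall vip
    edit "web-half"
        set ssl-mode half
        config realservers
            edit 1
                set ip 10.0.0.10
                set port 80
            next
        end
    next
    edit "web-full"
        set ssl-mode full
        config realservers
            edit 1
                set ip 10.0.0.20
                set port 443
            next
        end
    next
    edit "web-mixed"
        set ssl-mode half
        config realservers
            edit 1
                set ip 10.0.0.30
                set port 443
            next
        end
    next
end
"""

# Ports conventionally used for TLS and for plaintext HTTP (assumption).
TLS_PORTS = {"443", "8443"}
PLAIN_PORTS = {"80", "8080"}


def backend_is_encrypted(ssl_mode):
    """half: the FortiGate -> server leg is plaintext; full: it is TLS."""
    if ssl_mode not in ("half", "full"):
        raise ValueError(f"unknown ssl-mode {ssl_mode!r}")
    return ssl_mode == "full"


def parse_vips(text):
    """Return {vip_name: {"settings": {...}, "realservers": [{...}, ...]}}."""
    vips = {}
    vip = None            # VIP entry currently being edited
    server = None         # real server entry currently being edited
    in_realservers = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "config firewall vip":
            continue
        if line == "config realservers":
            in_realservers = True
        elif line.startswith("edit "):
            name = line[5:].strip().strip('"')
            if in_realservers:
                server = {"id": name}
                vip["realservers"].append(server)
            else:
                vip = {"settings": {}, "realservers": []}
                vips[name] = vip
        elif line.startswith("set "):
            _, key, value = line.split(None, 2)   # "set <key> <value>"
            target = server if in_realservers else vip["settings"]
            target[key] = value.strip('"')
        elif line == "next":
            if in_realservers:
                server = None
            else:
                vip = None
        elif line == "end":
            in_realservers = False  # closes realservers or the outer table
    return vips


def audit_vip(name, vip):
    """Flag real servers whose port disagrees with the offload mode."""
    mode = vip["settings"].get("ssl-mode")
    findings = []
    if mode is None:
        return findings  # not an SSL-offloading virtual server
    encrypted = backend_is_encrypted(mode)
    for rs in vip["realservers"]:
        port = rs.get("port", "")
        if not encrypted and port in TLS_PORTS:
            findings.append(f"{name}: ssl-mode half sends plaintext to "
                            f"{rs.get('ip')}:{port}, a TLS port")
        elif encrypted and port in PLAIN_PORTS:
            findings.append(f"{name}: ssl-mode full starts TLS to "
                            f"{rs.get('ip')}:{port}, a plaintext port")
    return findings


def audit_config(text):
    """Run audit_vip over every VIP in a configuration dump."""
    return {n: audit_vip(n, v) for n, v in parse_vips(text).items()}


if __name__ == "__main__":
    for vip_name, vip_findings in audit_config(SAMPLE_CONFIG).items():
        print(vip_name, "OK" if not vip_findings else "")
        for finding in vip_findings:
            print("   ", finding)
```

Run it against a `show firewall vip` dump saved to a file (or the embedded sample) to list each virtual server with any mode/port mismatch; only `web-mixed` in the sample is reported, because it pairs ssl-mode half with a real server on port 443.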