Technical Tip: How to apply SSL Inspection when traffic is forwarded between VRFs
| Description | This article describes how to correctly apply SSL Inspection when traffic is forwarded between VRFs. |
| Scope | FortiGate. |
| Solution | Basic Topology.
[Client] -- [FortiGate] -- [VRF_1] -- [Route Leaking] -- [VRF_2] -- [Internet]
In this scenario, the Client is connected to an interface that belongs to VRF_1, and the interface used to reach the Internet belongs to VRF_2.
Note: This article does not cover how to configure VRF. That is explained in Virtual Routing and Forwarding - FortiGate administration guide. This article covers the correct way to apply SSL Inspection when VRF is in place.
In this scenario, the Client needs to reach the Internet, and SSL Inspection (Application Control) needs to be performed on that traffic. This requires two policies: one from the Client's interface to the Route Leaking link (in this example, 'Policy_A') and one from the Route Leaking link to the Internet's interface ('Policy_B').
In this case, the SSL Inspection (Application Control) must be applied on Policy_B.
If SSL Inspection (Application Control) is applied to Policy_A, all of the traffic matching that policy will be dropped. |
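
The following check is an added example, not part of the original article or Fortinet's tooling: it scans the firewall policy section of a configuration backup and reports any policy that applies SSL Inspection or Application Control on the way into the Route Leaking link (the Policy_A position). The interface names, profile names, function names and the choice to treat the `no-inspection` profile as not inspecting are assumptions.

```python
import shlex

# Constructed sample of a "config firewall policy" section. The interface
# names (port2, vrf_link0, vrf_link1, wan1) and profile names are assumptions.
SAMPLE_CONFIG = '''
config firewall policy
    edit 1
        set name "Policy_A"
        set srcintf "port2"
        set dstintf "vrf_link0"
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
    next
    edit 2
        set name "Policy_B"
        set srcintf "vrf_link1"
        set dstintf "wan1"
        set ssl-ssh-profile "deep-inspection"
        set application-list "default"
    next
end
'''

INSPECTION_KEYS = ("ssl-ssh-profile", "application-list")

def parse_policies(text):
    """Return one dict per 'edit ... next' block; each value is a list of strings."""
    policies, current = [], None
    for raw in text.splitlines():
        tok = shlex.split(raw) or [""]
        if tok[0] == "edit":
            current = {"id": tok[-1]}
        elif tok[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif tok[0] == "set" and current is not None and len(tok) >= 3:
            current[tok[1]] = tok[2:]
    return policies

def misplaced_inspection(text, leak_links, ignore=("no-inspection",)):
    """Names of policies that inspect traffic going INTO a route-leaking link."""
    findings = []
    for p in parse_policies(text):
        if not set(p.get("dstintf", [])) & set(leak_links):
            continue  # Policy_B style: destination is not the leak link
        profiles = [v for k in INSPECTION_KEYS for v in p.get(k, []) if v not in ignore]
        if profiles:
            findings.append(p.get("name", [p["id"]])[0])
    return findings
```

Pass the set of inter-VRF link interfaces used as policy destinations, for example `misplaced_inspection(SAMPLE_CONFIG, {"vrf_link0"})`; any policy name returned should have its inspection profiles moved to the policy that leaves the Route Leaking link.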