kyoneda1
March 31, 2026

Technical Tip: Introduction of Server Certificate Verification for Virtual Server and ZTNA Access Proxy

Description

This article describes the addition of a server certificate verification capability for Virtual Server and ZTNA Access Proxy in FortiOS.

Scope

FortiOS.

Solution

Starting in FortiOS v7.4.9 and v7.6.3, FortiGate introduces a new capability that allows administrators to verify the server certificate of backend real servers used by Virtual Server (firewall VIP) and ZTNA Access Proxy configurations.

This enhancement addresses modern deployment scenarios where backend servers may reside not only on internal networks but also in external or cloud-hosted environments, where certificate validation is an important security requirement.

To support these scenarios securely, FortiOS now provides an option to ensure that the backend server presents a valid and trusted certificate before the connection to it is established.

The following configurations have been enhanced with the newly introduced verify-cert option:

  1. Virtual Server (firewall vip → realserver).

config firewall vip
    edit ""
        config realserver
            edit ""
                set verify-cert {enable | disable}
            next
        end
    next
end

  2. ZTNA Access Proxy (api-gateway → realservers).

 

config firewall access-proxy
    edit ""
        config api-gateway
            edit ""
                config realservers
                    edit ""
                        set verify-cert {enable | disable}
                    next
                end
            next
        end
    next
end

With verify-cert enabled, FortiGate refuses to connect to a backend server that presents an invalid or mismatched certificate, which adds a layer of protection in external server use cases.

 

Recommended use:

Enable verify-cert when:

  • Backend servers are cloud-hosted or internet-accessible.
  • Backend servers are referenced via FQDN.
  • TLS integrity and server identity assurance are operational requirements.
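As an added worked example (not part of the original article or of Fortinet's documentation), the two templates above filled in for a backend reached over TLS, with the ZTNA backend referenced by FQDN as the recommended-use list suggests. All object names, interface names and addresses are placeholders; the ZTNA access-proxy VIP "ztna-vip" and the server certificate "vip-server-cert" are assumed to exist already, and the settings other than verify-cert are standard FortiOS CLI options included only for context.

```fortios
# Placeholder FQDN address object for the backend server
config firewall address
    edit "app-backend-fqdn"
        set type fqdn
        set fqdn "app.example.com"
    next
end

# Virtual Server: TLS is re-established to the backend (ssl-mode full),
# and the backend's certificate is verified on that leg (verify-cert)
config firewall vip
    edit "vip-web-ext"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "port1"
        set server-type https
        set extport 443
        set ssl-certificate "vip-server-cert"
        set ssl-mode full
        config realserver
            edit 1
                set ip 192.0.2.20
                set port 443
                set verify-cert enable
            next
        end
    next
end

# ZTNA Access Proxy: backend referenced by FQDN, certificate verified on connect
config firewall access-proxy
    edit "ztna-proxy"
        set vip "ztna-vip"
        set client-cert enable
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    edit 1
                        set addr-type fqdn
                        set address "app-backend-fqdn"
                        set port 443
                        set verify-cert enable
                    next
                end
            next
        end
    next
end
```

The check only applies on a TLS leg to the backend, so the VIP needs server-type https with ssl-mode full and the api-gateway needs service https for verify-cert to have any effect.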


Related documents:

  • config firewall access-proxy
  • config firewall vip