Confused on SSL Inspection for our internally hosted web server

Question

Hello,I'm new to FortiGates, moving off of SonicWALL. I'm trying to set myself up for success, and not setting myself up for failure.I have a FortiGate 600F, and 2 web servers that are hosted internally. These web servers are accessed by many users daily, across many different countries, so I'm concerned about security.Since we operate two web servers and our websites are customized for a wide range of clients, we manage numerous unique URLs. To streamline this, we use a wildcard domain certificate.. Right now, I have a basic policy. Incoming WAN interfaces to VIP, with HTTP/HTTPs services, and NAT enabled, no security profiles. I think its wise to setup at a basic, IPS and WAF security profiles. As default, SSL inspection "no-inspection" is selected, and gives the standard message " The no-inspection profile doesn't perform SSL inspection, so it shouldn't be selected with other UTM profiles or features that require SSL inspection."What is the correct approach to configuring the SSL Inspection profile, and certificate, since I can't control external endpoints and their certificates?

Yurisk · Answer

Hi, most suitable I guess would be to configure instead of usual port-forwarding VIP the Virtual Server (it is not shown in menu by default - so go to System -> Feature Visibility and enable Load Balance). In such configuration you can supply the Virtual Server your wildcard certificate and it will do Deep Inspection by decrypting the incoming packets and sending them to the real servers as regular HTTP (SSL offloading) or you can do FGT -> Internal servers SSL encryption as well.

Some info to start with https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-configuration-for-HTTPS-Virtual-Server/ta-p/225289

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded