terasto
Explorer
November 27, 2025
Question

Deep SSL Inspection + WAF for Internal Server via DNAT - Not Working

  • November 27, 2025
  • 1 reply
  • 416 views

Attachments: ssl profile.jpg, dnat.jpg, ACL.jpg, virtual_srv.jpg

Hi all,

Need help with FortiGate 7.4 SSL inspection setup:

Setup:

Internal API: 10.10.10.99:8000 (HTTPS)
External access: 3.3.3.33:8000 → DNAT to internal
Corporate CA certificates imported to FortiGate
SSL/SSH profile: "Protecting SSL Server" mode
WAF profile: Monitor mode
Policy: Proxy inspection mode with SSL + WAF profiles


Issue: Traffic passes through but SSL inspection doesn't work - no SSL logs, WAF not inspecting content.


Has anyone configured "Protecting SSL Server" for inbound API traffic? What's the correct architecture?

Thanks!

1 reply

AEK
SuperUser
November 27, 2025

Hi Terasto

I'm not aware that FGT's WAF can protect an API server. I'm actually pretty certain it doesn't.

You need a dedicated WAF that does API protection, like FortiWeb.

AEK
terasto (Author)
Explorer
November 28, 2025

Hi AEK!
Okay, let's say I don't need to protect the API service, but I need to use the built-in WAF functionality on the firewall specifically in the scheme (Protecting SSL Server) that I described earlier. I'm wondering, should I enable IPS? It seems like it has some basic attack scenarios for web services that it can block.
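For reference, here is the CLI shape of the scheme from the original question (DNAT VIP, "Protecting SSL Server" profile, proxy-mode policy carrying the WAF profile, plus the IPS sensor asked about above). This is an added, constructed example, not configuration from the thread; it assumes interface names "wan1" and "internal", a WAF profile named "api-monitor", and a local certificate "api-server-cert" that holds the API server's own certificate and private key (replace mode needs the server's cert, not just a CA).

```fortios
# Constructed FortiOS 7.4 example for the inbound DNAT + SSL inspection scheme.
# Assumed names: wan1, internal, api-monitor (WAF profile), api-server-cert.
config firewall service custom
    edit "API-TCP-8000"
        set tcp-portrange 8000
    next
end
config firewall vip
    edit "api-vip"
        set extip 3.3.3.33
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.10.99"
        set extport 8000
        set mappedport 8000
    next
end
config firewall ssl-ssh-profile
    edit "protect-api-server"
        # "Protecting SSL Server" = replace mode using the server's own cert
        set server-cert-mode replace
        set server-cert "api-server-cert"
        config https
            # the API listens on 8000, so 8000 must be in the inspected port list
            set ports 443 8000
            set status deep-inspection
        end
    next
end
config firewall policy
    edit 100
        set name "inbound-api"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "api-vip"
        set action accept
        set schedule "always"
        set service "API-TCP-8000"
        set inspection-mode proxy
        set utm-status enable
        set ssl-ssh-profile "protect-api-server"
        set waf-profile "api-monitor"
        set ips-sensor "default"
        set logtraffic all
    next
end
```

With deep inspection active on the policy, SSL and WAF events should appear in the UTM logs for hits on the VIP; if the HTTPS port list omits 8000, sessions on that port are passed through without decryption and neither WAF nor IPS sees the payload.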

AEK
SuperUser
November 29, 2025