Hello and thanks in advance.
I need advice related to FortiWeb topology. Can we implement the SSL certificate only on the FortiWeb and allow communication between the end-user browser with HTTPS and the next segment with HTTP only?
External client web browser <- HTTPS -> FortiWeb appliance <- HTTP -> DMZ webserver
thanks
Hi Adriatik,
Yes, it's possible to implement the configuration you mentioned, in which the FortiWeb can offload the SSL encryption/decryption to the web servers. This is only supported when the FortiWeb is deployed as a reverse proxy and thus it can act as the SSL/TLS terminator. Just keep in mind that the FortiWeb will need a copy of your web server's certificate.
You may find more info and examples in:
http://help.fortinet.com/fweb/586/index.htm#FortiWeb/fortiweb-admin/offloading_vs.htm%3FTocPath%3DSecure%2520connections%2520(SSL%252FTLS)%7C_____1
http://help.fortinet.com/fweb/586/index.htm#FortiWeb/fortiweb-admin/offload_https.htm%3FTocPath%3DSecure%2520connections%2520(SSL%252FTLS)%7C_____4
Regards
Yes, this option is often referred to as "SSL Offloading". You can determine the back-end communication type (HTTP or HTTPS) when you define the servers within the protected server pool.
Thank you, Jim.
Thank you, Octavio,
This is what I was thinking about reverse proxies in general.
I did some tests that obviously failed because I used the Fortinet_factory certificate.
Seems that I have to have a proper SSL cert for that test.
thanks
adriatik
Installing the Fortinet factory certificate on the end-user browser can work for testing.
In a real environment you need a public CA.
Rony Moussa
NSE Certified : Level 8
Yes, it works with that one too.
I can confirm with my tests.
thanks
Rony
Created on 02-21-2018 10:23 PM
Of course you are doing right but Facilitating on AWS is a quick and disentangled strategy to convey and oversee electronic applications. However these applications still should be secured similarly as though they were sitting in an on-introduce server farm. Regardless of whether to just meet consistence gauges or to ensure mission basic facilitated applications,