Hi everyone,

I’m working with a FortiGate 100F where interfaces X1 and X2 (10 Gbps) are in a dedicated VDOM used only for public-facing web services. We’re using SD-WAN and Virtual Servers in ssl-mode half, with a wildcard certificate to handle incoming HTTPS traffic for different subdomains like cloud.mydomain.com and nest.mydomain.com.

Here’s my situation:
I’m not a networking expert — actually, I’m pretty new to FortiGate and still learning as I go. It’s a small company and we all wear many hats, so I do a bit of everything, from servers to firewalls to figuring out reverse proxies when needed :grinning_face_with_sweat:

Inside the server called nest, I’ve got multiple virtual hosts configured (for Joomla, Unity, etc.), and I’d love to route incoming HTTPS traffic based on SNI — ideally sending requests for cloud.mydomain.com to one backend, and nest.mydomain.com to another, or at least letting a single server like nest receive the correct traffic and handle it based on the domain.

From what I’ve read and tried, it looks like FortiGate can’t really do this kind of SNI-based routing natively, but maybe I’m missing something?

So my main question is:
:backhand_index_pointing_right: Can FortiGate 100F route incoming HTTPS requests based on SNI (or the Host header)?
:backhand_index_pointing_right: Or is the best solution to place an internal reverse proxy like NGINX behind the FortiGate and do the routing there?

Apologies in advance if I’m mixing up terms or missing something obvious — I’m still learning, and really appreciate any guidance or ideas.

Thanks a lot!

Cheers,

[alf]