Description
This article addresses web caching for HTTPS traffic.
Solution
Web caching can also cache the content of HTTPS traffic on TCP port 443. With HTTPS web caching, the FortiGate unit receives the HTTPS traffic on behalf of the client, decrypts it and extracts the content to be cached. The FortiGate unit then re-encrypts the traffic and sends it on to its intended recipient. This is very similar to a man-in-the-middle attack, and the clients will see a certificate issued by the FortiGate unit rather than by the original server.
The webcache enable command enables caching only for HTTP traffic. To enable caching for HTTPS traffic as well, the webcache-https setting must also be configured in the firewall policy, as follows.
Configuration CLI:
For a firewall policy:
config firewall policy
    edit 7
        ...
        set webcache enable
        set webcache-https any
        ...
end
Web caching for HTTPS provides three options, as shown below:
config firewall policy
FG200P3911600153 (policy) # edit 7
FG200P3911600153 (7) # set webcache-https
disable Disable web cache for HTTPS.
ssl-server Enable web cache for servers defined in wanopt.ssl-server.
any Enable web cache for all HTTPS traffic matches this policy.
SSL-SERVER:
The ssl-server option causes the FortiGate unit to re-encrypt the traffic with a certificate that you imported into the FortiGate unit. You can add certificates using the following command:
config wanopt ssl-server
    edit corporate-server
        set ip <Web-Server-IP>
        set port 443
        set ssl-mode { full | half }
        set ssl-cert <Web-Server-Cert>
end
where:
<Web-Server-IP> is the web server's IP address.
<Web-Server-Cert> is a web server certificate imported into the FortiGate unit.
ANY:
The any setting causes the FortiGate unit to re-encrypt the traffic with the FortiGate unit's own certificate rather than the original server certificate. This configuration can cause errors for HTTPS clients because the name on the certificate does not match the name of the web site.
To avoid certificate warnings for users accessing internet sites (for example google.com) through a policy with webcache-https any, the default FortiGate certificate used for re-signing the traffic needs to be replaced with an external CA certificate that the clients already trust.
This is done in the SSL/SSH inspection profile.
Under the CA Certificate setting, replace the default certificate "Fortinet_CA_SSLProxy" with the external certificate.
Overall Configuration Required
Steps:
To cache HTTP traffic on port 80 and 8080
1. Go to Policy & Objects > Policy > Proxy Options and edit the default proxy options profile. You could also add a new profile.
2. Under Protocol Port Mapping, enable HTTP and, under Inspection Ports, enter 80,8080.
3. Go to Policy & Objects > Policy > IPv4 and edit the security policy.
To cache HTTPS traffic on ports 443 and 8443
1. Go to Policy & Objects > Policy > SSL/SSH Inspection and edit the certificate/deep-inspection SSL/SSH inspection profile.
2. Under SSL Inspection Options select Multiple Clients Connecting to Multiple Servers.
3. Make sure Inspect All Ports is not selected.
4. Make sure HTTPS is turned on and enter 443,8443.
5. From the CLI, enter the following commands to add the default proxy options profile and the certificate-inspection or deep-inspection SSL/SSH profile to the firewall policy.
CLI config:
config firewall policy
    edit 7
        ...
        set utm-status enable
        set profile-protocol-options default
        set ssl-ssh-profile deep-inspection/certificate-inspection
        set webcache enable
        set webcache-https any
end
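As an added example (not part of the Fortinet article), the following Python audit parses the config firewall policy table of a FortiOS configuration dump and reports, per policy, which certificate the HTTPS cache will present to clients, so policies using webcache-https any can be checked for a replaced signing CA. The embedded config is constructed: policy 7 mirrors the settings above, while policies 8 and 9 and the profile name "deep-inspection" are assumptions.

```python
# Constructed FortiOS config dump (not from the article); policies 8 and 9 are assumed.
SAMPLE_CONFIG = """\
config firewall policy
    edit 7
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
        set webcache enable
        set webcache-https any
    next
    edit 8
        set webcache enable
        set webcache-https ssl-server
    next
    edit 9
        set webcache enable
    next
end
"""

def parse_policies(config_text):
    """Parse 'edit <id> ... set k v ... next' blocks into {policy_id: {key: value}}."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
    return policies

def audit_https_cache(policies):
    """Describe, per policy, which certificate clients will see for cached HTTPS."""
    findings = {}
    for pid, s in policies.items():
        mode = s.get("webcache-https", "disable")
        if s.get("webcache") != "enable" or mode == "disable":
            findings[pid] = "no HTTPS caching"
        elif mode == "any":
            profile = s.get("ssl-ssh-profile", "<none>")
            findings[pid] = f"re-signs all HTTPS with the CA of ssl-ssh-profile {profile}; verify Fortinet_CA_SSLProxy was replaced"
        else:  # ssl-server
            findings[pid] = "re-encrypts only wanopt ssl-server hosts with their imported cert"
    return findings
```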