FortiGate
vrajendran
Staff
Article Id 191543

Description

Inbound SSL Deep Inspection is configured in cases where an internal server is accessed from the public internet over HTTPS and incoming traffic is to be inspected.

This feature is covered in the 'FortiOS Handbook - Load Balancing' document, which is available in the Fortinet Document Library.

This article provides additional information that may help when configuring the feature.


Scope

FortiGate models capable of SSL Offloading.


Solution
Inbound SSL Deep Inspection requires the FortiGate to be configured as follows:

A) The FortiGate needs to have a server certificate signed by a CA.

1) Go to System -> Certificates and import the server certificate.

Typically the server certificate would be installed on the HTTPS server behind the FortiGate, but in this case it must be installed on the FortiGate for Inbound Deep Inspection to be configured.

B) The SSL/SSH Inspection Profile must be configured to 'Protect SSL Server', referencing the server certificate.

1) Go to Security Profiles -> SSL/SSH Inspection.
2) 'Protecting SSL Server' should be selected.
3) Server Certificate must reference the server certificate already imported to the FortiGate in section A.

C) A Virtual Server is configured to reference the server certificate.

1) Go to Policy & Objects -> Virtual Servers.
2) Configure Type as HTTPS.
3) Set Interface to WAN interface (example: wan1).
4) Set Virtual Server IP as the WAN IP address.
5) Set Virtual Server Port as '443'.
6) Set Load Balance Method as desired - if only one server is used then the configuration for Load Balance Method does not matter.
7) Set SSL Offloading to Client <-> FortiGate <-> Server to ensure that there is an HTTPS session between both (a) Client-FortiGate and (b) FortiGate-Server.
8) Set Certificate to reference the server certificate already imported to the FortiGate in section A.

D) A Real Server is configured with the internal IP address of the server.

1) Go to Policy & Objects -> Virtual Servers -> Real Servers.
2) Set IP address as the internal IP address of the server (example: 192.168.1.x).
3) Set Port to 443.

E) A Firewall Policy is configured to reference the Virtual Server.

1) Go to Policy & Objects -> IPv4 Policy.
2) Create a new firewall policy.
3) Set Incoming Interface as WAN (example: wan1).
4) Set Source Address to the public addresses allowed to access this server (example: all).
5) Set Outgoing Interface to the internal interface to which the HTTPS server is connected.
6) Set Destination Address to be the virtual server created in section C.
7) Set SSL/SSH Inspection to be the SSL/SSH Inspection profile created in section B.
8) Ensure that security profiles are enabled to make use of the Inbound Deep Inspection configuration.

A good way to test this is by configuring a web filter profile with a Web Content Filter: block on a pattern that appears on the HTTPS web site. If the page is blocked, the FortiGate is seeing the decrypted content, which confirms that Inbound Deep Inspection is working as expected.