FortiGate
vinodhini
Staff
Article Id 192683
Description
This article describes how to convert an HTTP client request into HTTPS by using a virtual server with HTTP redirect enabled.

Scope
FortiOS 6.2.1 and above.

Solution
When enabled, a virtual server can convert an HTTP client request into an HTTPS request.
Because the conversion is mandatory, all HTTP traffic to the virtual server is carried as HTTPS.
This conversion improves the security of the user network.

Enable this feature from the CLI; traffic then flows as follows:

- When the FortiGate receives an HTTP request for an external IP, such as 10.1.200.101 in the following example, it sends an HTTP 303 response back to the original client, redirecting HTTP to HTTPS, instead of forwarding the HTTP request to the real backend servers.

- The client browser restarts the TCP session, this time to HTTPS.

- The HTTPS session arrives at the FortiGate, where a matching IPv4 policy allows the HTTPS traffic and establishes a secure SSL connection; the FortiGate then forwards the request to the real backend servers.

To configure a virtual server with HTTPS redirect enabled:

1) Create a virtual server with server-type set to http:
# config firewall vip
    edit "virtual-server-http"
        set type server-load-balance
        set extip 10.1.200.101
        set extintf "wan2"
        set server-type http
        set ldb-method round-robin
        set extport 80
        config realservers
            edit 1
                set ip 172.16.200.44
                set port 80
            next
            edit 2
                set ip 172.16.200.55
                set port 80
            next
        end
    next
end

2) Create a virtual server with server-type set to https and the same external IP address:
# config firewall vip
    edit "virtual-server-https"
        set type server-load-balance
        set extip 10.1.200.101
        set extintf "wan2"
        set server-type https
        set ldb-method round-robin
        set extport 443
        config realservers
            edit 1
                set ip 172.16.200.44
                set port 443
            next
            edit 2
                set ip 172.16.200.55
                set port 443
            next
        end
        set ssl-certificate "Fortinet_CA_SSL"
    next
end

3) Enable the 'http-redirect' option on the virtual server whose server-type is http:
# config firewall vip
    edit "virtual-server-http"
        set http-redirect enable
    next
end

4) Add the two virtual servers to a firewall policy:
# config firewall policy
    edit 9
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "virtual-server-http" "virtual-server-https"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode proxy
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end
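To verify the configuration from a client, the following added check (example code, not part of this article or of FortiOS) sends one plain-HTTP request to the virtual server's external IP and confirms that the reply is a redirect whose Location is HTTPS on the same host rather than a forwarded HTTP response; the probe function and its arguments are assumptions for a lab client.

```python
"""Verify that a FortiGate virtual server answers plain HTTP with a redirect to
HTTPS (the article describes an HTTP 303). Added example, not Fortinet code."""
import http.client
from urllib.parse import urlsplit

# Any 3xx redirect is accepted; the article states the FortiGate sends 303.
REDIRECT_CODES = {301, 302, 303, 307, 308}


def validate_redirect(status, headers, request_host):
    """Return (ok, reason) for one HTTP response.

    headers: dict with lower-cased header names.
    Fails when the reply is not a redirect, lacks a Location header,
    downgrades to http://, or points the client at a different host.
    """
    if status not in REDIRECT_CODES:
        return False, f"expected a 3xx redirect, got {status}"
    location = headers.get("location")
    if not location:
        return False, "redirect without a Location header"
    target = urlsplit(location)
    if target.scheme.lower() != "https":
        return False, f"redirect target is not https: {location}"
    if target.hostname != request_host.split(":")[0].lower():
        return False, f"redirect leaves the original host: {location}"
    if target.port not in (None, 443):
        return False, f"redirect to a non-standard HTTPS port: {location}"
    return True, "ok"


def probe(host, path="/", timeout=5):
    """Hypothetical live check: send one GET over port 80 to the VIP's
    external IP and validate the reply. Not exercised offline."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return validate_redirect(resp.status, headers, host)
    finally:
        conn.close()


if __name__ == "__main__":
    # External IP of the virtual server from the article's example.
    print(probe("10.1.200.101", "/"))
```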
