gmonte
Staff
Article Id 415449
Description: This article describes how to correctly apply SSL Inspection when traffic is forwarded between VRFs.
Scope: FortiGate.
Solution

Basic topology:

[Client] -- [FortiGate] -- [VRF_1] -- [Route Leaking] -- [VRF_2] -- [Internet]


In this scenario, the Client is connected to an interface that belongs to VRF_1, and the interface used to reach the Internet belongs to VRF_2.


Note: This article does not cover how to configure VRF; that is explained in the Virtual Routing and Forwarding section of the FortiGate administration guide. This article covers the correct way to apply SSL Inspection when VRF is in place.


In this scenario, the Client needs to reach the Internet, and SSL Inspection (Application Control) needs to be performed on that traffic. There will therefore be one policy from the Client's interface to the Route Leaking link (in this example, 'Policy_A') and one policy from the Route Leaking link to the Internet-facing interface ('Policy_B').


In this case, the SSL Inspection (Application Control) must be applied on Policy_B.


If SSL Inspection (Application Control) is applied to Policy_A instead, all traffic matching that policy will be dropped.
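The following CLI configuration is an added example, not part of the original article, showing the two policies side by side with the profiles placed only on Policy_B. The interface names (port1, port2, leak-vrf1, leak-vrf2), the VRF IDs and the use of the built-in 'certificate-inspection' SSL/SSH profile and 'default' application list are assumptions; the route leaking itself is configured separately and is not shown.

```fortios
# Added example (not from the article): interface names and VRF IDs are assumptions.
# VRF membership of the interfaces. VRF configuration itself is out of scope here.
config system interface
    edit "port1"            # Client-facing interface, VRF_1
        set vrf 1
    next
    edit "leak-vrf1"        # Route Leaking link, VRF_1 side
        set vrf 1
    next
    edit "leak-vrf2"        # Route Leaking link, VRF_2 side
        set vrf 2
    next
    edit "port2"            # Internet-facing interface, VRF_2
        set vrf 2
    next
end

config firewall policy
    # Policy_A: Client -> Route Leaking link.
    # No SSL Inspection / Application Control here; adding them drops the traffic.
    edit 1
        set name "Policy_A"
        set srcintf "port1"
        set dstintf "leak-vrf1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Policy_B: Route Leaking link -> Internet.
    # SSL Inspection and Application Control are applied on this policy only.
    edit 2
        set name "Policy_B"
        set srcintf "leak-vrf2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "default"
        set nat enable
    next
end
```

To confirm the placement afterwards, check that 'show firewall policy' lists ssl-ssh-profile and application-list under Policy_B only.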
