This article describes the recommended configuration on the FortiGate for an HTTPS Virtual Server with deep inspection.

Note: Some Low-end models do not support load balancing of secure protocols (HTTP, HTTPS, IMAPS, POP3S, SMTPS, and SSL). Check the documentation for the version & model in use: v6.2, v6.4, v7.0, v7.2, v7.4 , v7.6.

1. Import the server certificate. Go to System -> Certificates and select Create/Import -> Certificate.

Import certificate

2. Configure the Virtual Server. Go to Policy & Objects -> Virtual Servers and select 'Create New'.

    

Virtual Server configuration

Note: In SSL-offloading, choose the imported certificate. Also, the default value for SSL Offloading is Client <-> FortiGate. Ensure that 'Full' is selected for access to virtual servers to work for HTTPS. If the internal server listens on HTTP (i.e. server type is HTTP), keep the default value Client <-> FortiGate. 

To better understand how these two methods work, see Technical Tip: Difference Between SSL Half and Full Offloading.

Use the following command:

FGT # config firewall vip

FGT # edit "Virtual-Server1"

FGT (Virtual-Server1)# set ssl-mode ?
     half Client to FortiGate SSL.                          [Client <--> FortiGate]
     full Client to FortiGate and FortiGate to Server SSL.  [Full]

3. Configure the SSH/SSL profile.

Go to Security Profiles -> SSL/SSH Inspection and select 'Create New'.

Note: 'Inspect All Ports' should not be set as the port for this setup is already known and it may lead to a performance degradation.

SSL/SSH profile configuration

4. Configure policy.

Go to Policy & Objects -> Firewall Policy and select 'Create New'.

Policy configuration

Note: Inspection mode must be set to proxy, otherwise the Virtual server will be filtered out in the 'Destination' field.

Related article:

Technical Tip: Configure virtual server