Technical Tip: Recommended configuration for HTTPS Virtual Server with deep inspection

This article describes the recommended configuration on the FortiGate for an HTTPS Virtual Server with deep inspection.

Note: Some Low-end models do not support load balancing of secure protocols (HTTP, HTTPS, IMAPS, POP3S, SMTPS, and SSL). Check documentation for the version & model in use. v6.2, v6.4, v7.0, v7.2.

1. Import the server certificate.

Go to System -> Certificates and select Create/Import -> Certificate.

Import certificate

2. Configure the Virtual Server.

   Go to Policy & Objects -> Virtual Servers and select 'Create New'.

    

   Virtual Server configuration

    

   Note: In SSL-offloading choose the imported certificate.

    

    

3. Configure the SSH/SSL profile.

   Go to Security Profiles -> SSL/SSH Inspection and select 'Create New'.

    

   SSL/SSH profile configuration

    

   Note: 'Inspect All Ports' should not be set as the port for this setup is already known and it may lead to a performance degradation.

    

    

4. Configure policy.

    

Go to Policy & Objects -> Firewall Policy and select 'Create New'.

Policy configuration

Note: Inspection mode must be set to proxy, otherwise the Virtual server will be filtered out in the 'Destination' field.

Related article:

Technical Tip: Configure virtual server