FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
simonz_FTNT
Staff
Staff
Description
This article describes how to configure reverse proxy (SSL offloading) using two different methods.

Solution
Diagram.




FortiGate SSL/TLS offloading is designed for the proliferation of SSL/TLS applications.
The key exchange and encryption/decryption tasks are offloaded to the FortiGate where it is accelerating, using FortiASIC technology which provides significantly more performance than a standard server or load balancer.
This frees up valuable resources on the server farm to give better response to business operations.
Server load balancing offloads most SSL/TLS versions including SSL 3.0, TLS 1.0, and TLS 1.2, and supports full mode or half mode SSL offloading with DH key sizes up to 4096 bits.
FortiGate SSL offloading allows the application payload to be inspected before it reaches the servers.
This prevents intrusion attempts, blocks viruses, stops unwanted applications, and prevents data leakage.
SSL/TLS content inspection supports TLS versions 1.0, 1.1, and 1.2 and SSL versions 1.0, 1.1, 1.2, and 3.0

Method 1 - Normal VIP with custom SSL inspection profile.

1) Create a Virtual IP for the web service.
# config firewall vip
    edit "web"
        set extip 10.56.243.162
        set extintf "any"
        set mappedip "10.101.0.52"              <----- Web server internal IP.
    next
end
2) Import the server certificate into FortiGate under System -> Certificate and then define the certificate below.
# config firewall ssl-server
    edit "websrv"
        set ip 10.101.0.52                      <----- Web server internal IP.
        set ssl-mode half
        set ssl-cert "wildcard_lab_com_au"
    next
end
3) Create a custom deep inspection profile.
# config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set comment "Customizable deep inspection profile."
        config https
            set ports 443
        end
        config ftps
            set ports 990
        end
        config imaps
            set ports 993
        end
        config pop3s
            set ports 995
        end
        config smtps
            set ports 465
        end
        config ssh
            set ports 22
        end
        set use-ssl-server enable               <----- Ensure to enable this setting.
    next
end
4) Create firewall policy with destinated VIP and custom SSL inspection profile.
# config firewall policy
    edit 2
        set srcintf "port10"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set logtraffic all
        set webcache enable
        set webcache-https enable
        set fsso disable
        set ssl-ssh-profile "custom-deep-inspection"
        set nat enable
    next
end
Method 2 - Server Load balance (SSL-mode half).

1) Create Server load balance object.
# config firewall vip
    edit "Web"
        set type server-load-balance
        set extip 10.56.243.162
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 10.101.0.52               <----- Web server internal IP.
                set port 80
            next
        end
        set ssl-certificate "wildcard_lab_com_au"
    next
end
2) Create new firewall policy with destinated VIP.
# config firewall policy
    edit 2
        set srcintf "port10"
               set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set logtraffic all
        set webcache enable
        set webcache-https enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end

Related Articles

Technical Note: HTTPS/SSL load balance and SSL offloading option missing in GUI

Contributors