# config firewall vip
# 2) Import the server certificate into FortiGate under System -> Certificate, then reference it from the 'config firewall ssl-server' block further below ('set ssl-cert'). This step applies after the VIP block that follows this heading.
# Method 1, step 1: VIP that maps the public address to the web server.
# No 'set type' or 'set portforward' is given, so the FortiOS defaults apply
# and every port on 10.56.243.162 is mapped to 10.101.0.52 at the VIP level;
# the firewall policy's 'set service' line is then the only control over
# which ports are actually reachable -- keep it limited to the web ports.
edit "web"
set extip 10.56.243.162
# NOTE(review): 'any' attaches the VIP to all interfaces, internal ones
# included. Binding it to the external interface (the policy below uses
# "port10" as srcintf) narrows exposure -- confirm for your topology.
set extintf "any"
set mappedip "10.101.0.52" <----- Web server internal IP.
next
end
# config firewall ssl-server
# 3) Create a custom deep inspection profile (the 'config firewall ssl-ssh-profile' block that follows the ssl-server block below).
# Method 1, step 2: SSL server entry consumed by the deep-inspection profile
# ('set use-ssl-server enable' in the ssl-ssh-profile block below).
# 'ssl-mode half' means the FortiGate terminates TLS from the client with the
# certificate named here and forwards to the server in clear text: the
# client<->FortiGate leg is encrypted, the FortiGate<->10.101.0.52 leg is not.
# The internal segment carrying that leg must therefore be trusted.
edit "websrv"
set ip 10.101.0.52 <----- Web server internal IP.
set ssl-mode half
# Certificate (and private key) presented to clients. Going by its name this
# is presumably a wildcard certificate, so its key covers every host under
# the domain -- keep the key confined to the FortiGate(s) that need it.
# NOTE(review): no minimum TLS version / cipher restriction is set on this
# entry, so the FortiOS defaults apply; pin TLS 1.2+ if your baseline
# requires it (option names vary by release -- verify in the CLI reference).
set ssl-cert "wildcard_lab_com_au"
next
end
# config firewall ssl-ssh-profile
# 4) Create a firewall policy whose destination is the VIP "web" and which applies the custom SSL inspection profile (the 'config firewall policy' block that follows the profile below).
# Method 1, step 3: custom deep-inspection profile. Only the listed ports are
# decrypted/inspected per protocol; they are the standard TLS/SSH ports and
# should match what the VIP and policy actually expose (443 for this setup).
edit "custom-deep-inspection"
set comment "Customizable deep inspection profile."
config https
set ports 443
end
config ftps
set ports 990
end
config imaps
set ports 993
end
config pop3s
set ports 995
end
config smtps
set ports 465
end
config ssh
set ports 22
end
# Ties this profile to the 'config firewall ssl-server' entries (here
# "websrv" for 10.101.0.52) so inbound HTTPS to the VIP is decrypted with the
# server's own certificate. NOTE(review): if this is left disabled, the
# ssl-server entry is not used for inbound sessions -- verify the behaviour
# on your release before relying on it.
set use-ssl-server enable <----- Ensure to enable this setting.
next
end
# config firewall policy
# Method 2 - Server load balance (SSL-mode half). The blocks after this policy are an alternative to Method 1: a server-load-balance VIP that holds the certificate and performs the TLS offload itself, plus its own firewall policy.
# Method 1, step 4: inbound policy from "port10" (presumably the external
# side) to "port2" (presumably the server side) for the VIP "web".
edit 2
set srcintf "port10"
set dstintf "port2"
# Any source may reach the VIP. Restrict srcaddr if the site is not public.
set srcaddr "all"
set dstaddr "web"
set action accept
set schedule "always"
# Since the VIP above maps all ports, this service list is what limits the
# externally reachable ports to HTTP/HTTPS -- do not widen it casually.
set service "HTTP" "HTTPS"
set utm-status enable
set logtraffic all
# NOTE(review): HTTPS response caching is enabled. If the site serves
# per-user or authenticated content, confirm the cache honours
# Cache-Control/Vary so one client's page is never served to another.
set webcache enable
set webcache-https enable
set fsso disable
set ssl-ssh-profile "custom-deep-inspection"
# Source NAT is on: the web server sees the FortiGate's port2 address, not
# the real client IP, so the server's own logs lose the client address.
# Keep 'logtraffic all' (above) as the record of original sources, or
# disable NAT if the server needs the real client IP and its return route
# goes through the FortiGate.
set nat enable
next
end
# config firewall vip
# 2) Create a new firewall policy whose destination is the VIP "Web" (the 'config firewall policy' block that follows this VIP block).
# Method 2, step 1: server-load-balance VIP that terminates TLS on the
# FortiGate. Clients connect to 10.56.243.162:443 and are presented with
# "wildcard_lab_com_au"; the real server is reached on port 80.
# NOTE(review): no 'set ssl-mode' is shown, so the FortiOS default applies;
# with a port-80 real server the FortiGate->server leg is expected to be
# clear text, i.e. the same internal-segment trust assumption as Method 1
# -- confirm on your release.
edit "Web"
set type server-load-balance
set extip 10.56.243.162
# NOTE(review): 'any' attaches the VIP to every interface; binding it to
# the external interface only is the narrower choice -- confirm for your
# topology.
set extintf "any"
set server-type https
# Only 443 is exposed by this VIP.
set extport 443
config realservers
edit 1
set ip 10.101.0.52 <----- Web server internal IP.
# Backend port; TLS is terminated on the FortiGate before this hop.
set port 80
next
end
# Certificate (and private key) presented to clients; protect the key on
# the FortiGate. NOTE(review): minimum TLS version and cipher set for this
# VIP are left at the FortiOS defaults -- verify they meet your baseline.
set ssl-certificate "wildcard_lab_com_au"
next
end
# config firewall policy
# Method 2, step 2: inbound policy from "port10" (presumably external) to
# "port2" (presumably the server side) for the load-balance VIP "Web".
# Unlike Method 1 it uses the built-in "deep-inspection" profile; the TLS
# offload itself is done by the VIP's 'set ssl-certificate', so no
# ssl-server entry / 'use-ssl-server' is involved here.
edit 2
set srcintf "port10"
set dstintf "port2"
# Any source may reach the VIP. Restrict srcaddr if the site is not public.
set srcaddr "all"
set dstaddr "Web"
set action accept
set schedule "always"
# The VIP only listens on extport 443; "HTTP" here does not open port 80
# on the VIP, but keep the list minimal regardless.
set service "HTTP" "HTTPS"
set utm-status enable
set logtraffic all
# NOTE(review): HTTPS response caching is enabled. For per-user or
# authenticated content, confirm the cache honours Cache-Control/Vary so
# one client's page is never served to another.
set webcache enable
set webcache-https enable
set fsso disable
set ssl-ssh-profile "deep-inspection"
# Source NAT is on: the backend sees the FortiGate's port2 address rather
# than the real client IP. Keep 'logtraffic all' (above) as the record of
# original sources, or disable NAT if the server must see the client IP
# and routes back via the FortiGate.
set nat enable
next
end
Related Articles
Technical Note: HTTPS/SSL load balance and SSL offloading option missing in GUI