FortiGate
tahmadov
Staff
Article Id 190790

Description
In full-mode SSL offloading there are two separate SSL/TLS connections.
The first SSL/TLS connection is between the client and the FortiGate; the second SSL/TLS connection is between the FortiGate and the real server.
On the first connection the FortiGate acts as the SSL/TLS server; on the second connection the FortiGate acts as the SSL/TLS client.


On each of the two connections there must be at least one SSL/TLS version that both its endpoints support. If a connection has no common version, it is terminated.

Default minimum and maximum SSL/TLS versions:

# "client" means the FortiGate-to-server setting uses the same value as the corresponding client-to-FortiGate setting.


v5.6:

Client <-> FortiGate:
Minimum Version: TLSv1.0
Maximum Version: TLSv1.2
FortiGate <-> Server:
Minimum Version: client
Maximum Version: client

v6.0:

Client <-> FortiGate:
Minimum Version: TLSv1.1
Maximum Version: TLSv1.2
FortiGate <-> Server:
Minimum Version: client
Maximum Version: client

v6.2:

Client <-> FortiGate:
Minimum Version: TLSv1.1
Maximum Version: TLSv1.2
FortiGate <-> Server:
Minimum Version: client
Maximum Version: client

During an upgrade to v6.0 or v6.2, the default minimum SSL/TLS version changes automatically to TLSv1.1. Because the FortiGate-to-server options default to "client", the new minimum applies to both connections. If the internal server or a client does not support TLSv1.1 or higher, the connection is terminated.
If the server or client side cannot be changed, the versions can be changed on the FortiGate with the following commands.


Solution


Available options for "ssl-min-version" and "ssl-max-version" (client <-> FortiGate connection):
        ssl-3.0    SSL 3.0.
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.
        tls-1.3    TLS 1.3.   # Only available in FortiOS v6.2.x

Available options for "ssl-server-min-version" and "ssl-server-max-version" (FortiGate <-> server connection):
        ssl-3.0    SSL 3.0.
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.
        tls-1.3    TLS 1.3.   # Only available in FortiOS v6.2.x
        client     Use same value as client configuration.

Example VIP in full mode with both connections' versions set explicitly:

# config firewall vip
    edit "Virtual_Server_01"
        set type server-load-balance
        set extip 203.0.113.1
        set extintf "wan1"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 10.0.0.100
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "Fortinet_Factory"
        set ssl-min-version tls-1.1
        set ssl-max-version tls-1.2
        set ssl-server-min-version client
        set ssl-server-max-version client
    next
end
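The following is an added example, not code from this article or from Fortinet. It models the two-leg negotiation described above so the effect of each setting can be seen before touching a production VIP: the per-release defaults and the "client" inheritance rule are taken from the article, the rule that a handshake lands on the highest version both sides accept is the normal TLS behaviour, and the function names, the browser and back-end capabilities are constructed for the example.

```python
"""Added example: which SSL/TLS version each leg of a full-mode SSL offload
VIP negotiates, and whether the session survives a FortiOS upgrade.

Two independent TLS handshakes are modelled: client <-> FortiGate (the
FortiGate is the TLS server) and FortiGate <-> real server (the FortiGate is
the TLS client). A leg succeeds only if the two endpoints' version ranges
overlap; the negotiated version is the highest one both sides accept.
Option names and per-release defaults follow the article; everything else
(function names, the sample client and server capabilities) is constructed
for this example and is not Fortinet code.
"""
from typing import Dict, Optional, Tuple

# FortiOS option values, ordered lowest to highest (tls-1.3 is v6.2.x only).
VERSIONS = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]

# Default ssl-min-version / ssl-max-version on the client <-> FortiGate leg
# per release, from the article. The server leg defaults to "client".
DEFAULTS: Dict[str, Tuple[str, str]] = {
    "5.6": ("tls-1.0", "tls-1.2"),
    "6.0": ("tls-1.1", "tls-1.2"),
    "6.2": ("tls-1.1", "tls-1.2"),
}

Range = Tuple[str, str]  # (min version, max version)


def default_vip(release: str) -> Dict[str, str]:
    """The SSL version settings a freshly created VIP gets on the given release."""
    low, high = DEFAULTS[release]
    return {
        "ssl-min-version": low,
        "ssl-max-version": high,
        "ssl-server-min-version": "client",
        "ssl-server-max-version": "client",
    }


def resolve_vip(vip: Dict[str, str]) -> Tuple[Range, Range]:
    """Expand the VIP settings into explicit ranges for both legs.

    'client' on a server-side option means 'same value as the corresponding
    ssl-min/max-version', as the CLI help states.
    """
    client_leg: Range = (vip["ssl-min-version"], vip["ssl-max-version"])
    server_min = vip.get("ssl-server-min-version", "client")
    server_max = vip.get("ssl-server-max-version", "client")
    server_leg: Range = (
        client_leg[0] if server_min == "client" else server_min,
        client_leg[1] if server_max == "client" else server_max,
    )
    for rng in (client_leg, server_leg):
        # VERSIONS.index also rejects unknown option values with a ValueError.
        if VERSIONS.index(rng[0]) > VERSIONS.index(rng[1]):
            raise ValueError(f"min version {rng[0]} is above max version {rng[1]}")
    return client_leg, server_leg


def negotiate(a: Range, b: Range) -> Optional[str]:
    """Highest version inside both ranges, or None when they do not overlap."""
    low = max(VERSIONS.index(a[0]), VERSIONS.index(b[0]))
    high = min(VERSIONS.index(a[1]), VERSIONS.index(b[1]))
    return VERSIONS[high] if low <= high else None


def offload_path(vip: Dict[str, str], client: Range, server: Range) -> Dict[str, object]:
    """Negotiate both legs and report whether the end-to-end session can be built.

    Both legs are evaluated independently so the result shows which one
    fails; on the box a failed client leg never reaches the server leg.
    """
    client_leg, server_leg = resolve_vip(vip)
    first = negotiate(client, client_leg)   # FortiGate acting as TLS server
    second = negotiate(server, server_leg)  # FortiGate acting as TLS client
    return {"client_leg": first, "server_leg": second,
            "ok": first is not None and second is not None}


if __name__ == "__main__":
    # Constructed endpoints: a current browser and an old back-end that stops at TLS 1.0.
    browser: Range = ("tls-1.0", "tls-1.2")
    old_backend: Range = ("ssl-3.0", "tls-1.0")

    print("v5.6 defaults:", offload_path(default_vip("5.6"), browser, old_backend))
    print("v6.0 defaults:", offload_path(default_vip("6.0"), browser, old_backend))

    # The fix from the Solution section: lower only the server-side minimum,
    # keeping TLS 1.1+ towards the Internet-facing client.
    fixed = default_vip("6.0")
    fixed["ssl-server-min-version"] = "tls-1.0"
    print("v6.0 fixed:   ", offload_path(fixed, browser, old_backend))
```

Against the v5.6 defaults the old back-end still works (TLS 1.0 on the server leg); after the upgrade to v6.0 the inherited TLSv1.1 minimum kills the server leg while the client leg is fine, and setting only ssl-server-min-version to tls-1.0 restores the session without weakening the client side. To check a live deployment rather than the model, run openssl s_client -connect 203.0.113.1:443 -tls1_1 from outside to test the client leg, and the same command against the real server's address from an inside host to see what the FortiGate-to-server leg can negotiate.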


Firewall policy that allows client traffic to the VIP:

# config firewall policy
    edit 100
        set name "Web_Server_Access"
        set uuid d9a6d06a-e523-51e9-9bba-4db84bebfef1
        set srcintf "port25"
        set dstintf "port32"
        set srcaddr "all"
        set dstaddr "Virtual_Server_01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set fsso disable
    next
end

Related Articles

Technical Note: HTTPS/SSL load balance and SSL offloading option missing in GUI