FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tahmadov
Staff
Staff

Description
In Full Mode SSL Offloading, there are two separated SSL/TLS connections.
The first SSL/TLS  connection is between a Client and the FortiGate, the second SSL/TLS connection is between the FortiGate and the Server.
For the first connection, the FortiGate is acting as an SSL/TLS server, but for the second connection, the FortiGate is acting as an SSL/TLS client.


There must be at least one matched SSL/TLS version between SSL/TLS client and server on both connections. Otherwise the connection will be terminated.

Default Minimum and Maximum SSL/TLS Versions:

#”client” means it is same with Client to FortiGate connection settings


v5.6:

Client <-> FortiGate:
Minimum Version: TLSv1.0
Maximum Version: TLSv1.2
FortiGate <-> Server:
Minimum Version: client
Maximum Version: client

v6.0:
Client <-> FortiGate:
Minimum Version: TLSv1.1
Maximum Version: TLSv1.2
FortiGate <-> Server:
Minimum Version: client
Maximum Version: client

v6.2:

Client <-> FortiGate:
Minimum Version: TLSv1.1
Maximum Version: TLSv1.2
FortiGate <-> Server:
Minimum Version: client
Maximum Version: client

During upgrade to v6.0 or v6.2, the default minimum version of SSL/TLS will change automatically to TLSv1.1. If the internal server or a client does not support a SSL/TLS 1.1 or upper version, the connection will be terminated.
If it is not possible to change in the server or client site, the settings could be change by the following commands.


Solution


Available options for “ssl-min-version” and “ssl-max-version”:
        ssl-3.0    SSL 3.0.
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.
        tls-1.3    TLS 1.3.   # Only available in FortiOS v6.2.x

Available options for “ssl-server-min-version” and “ssl-server-max-version”:
        ssl-3.0    SSL 3.0.
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.
        tls-1.3    TLS 1.3.   # Only available in FortiOS v6.2.x
        client     Use same value as client configuration.
# config firewall vip
    edit "Virtual_Server_01"
        set type server-load-balance
        set extip 203.0.113.1
        set extintf "wan1"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 10.0.0.100
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "Fortinet_Factory"
        set ssl-min-version tls-1.1
        set ssl-max-version tls-1.2
        set ssl-server-min-version client
        set ssl-server-max-version client
    next
end


# config firewall policy
    edit 100
        set name "Web_Server_Access"
        set uuid d9a6d06a-e523-51e9-9bba-4db84bebfef1
        set srcintf "port25"
        set dstintf "port32"
        set srcaddr "all"
        set dstaddr "Virtual_Server_01"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
        set fsso disable
    next
end

Related Articles

Technical Note: HTTPS/SSL load balance and SSL offloading option missing in GUI

Contributors