Help
FortiWeb
A FortiWeb can be configured to join a Security Fabric through the root or downstream FortiGate.
Deepak_Girimaji_FTNT
Staff
Staff

Created on ‎06-08-2022 12:10 AM Edited on ‎02-14-2025 05:46 AM By Community Manager

Article Id 214062

Technical Tip: Server Name Indication (SNI)

Description

 

This article describes how to allow FortiWeb to support multiple server certificates.

 

Scope

 

FortiWeb v7.0.X and later.

 

Solution

 

To allow FortiWeb to support multiple certificates, the Server Name Indication (SNI) configuration is needed. 


Step 1: SNI policy configuration.

  1. Go to Server Objects -> Certificates -> Local.
  2. Import all the server certificates.
  3. Go to Server Objects -> Certificates -> Inline SNI.
  4. Create a profile, and under this profile, again select on  'Create new'.
  5. Specify the domain, select the local certificates and corresponding Intermediate CA group if any.

 

Repeat Step 4 and 5 to add all the server certificates (which are hosted on a single server) in the SNI group.

Reference: Section 'To create an inline Server Name Indication (SNI) configuration' from the following links:

How to offload or inspect HTTPS v7.0.10

How to offload or inspect HTTPS v7.2.10

How to offload or inspect HTTPS v7.4.6

Step 2: Server policy configuration for SNI.

  1. Once selected HTTPS service in the server policy, 'Advanced SSL settings' will be visible.
  2. Select 'Advanced SSL settings'.
  3. Enable 'Enable Server Name Indication(SNI)'.
  4. Under 'SNI Policy', select the new SNI group configured using all the server certificates.
  5. Select OK.


Step 3: (This is necessary if the real server allows only HTTPS service).

  1. Go to Server Objects > Server Pool.
  2. Edit the appropriate server pool entry.
  3. 'Double-click' the pool member.
  4. Enable 'Enable Server Name Indication(SNI) Forwarding' under 'Advanced SSL settings'.


CLI syntax:


config server-policy server-pool
    edit "<server-pool_name>"

        config pserver-list
            edit <entry_index>

                set server-side-sni enable

            next

        end

    next

end

 

Note:

Server-side SNI would be necessary if the backend connection is over HTTPS. As the server has multiple certificates, it should know which certificate should be presented during the SSL handshake.

With the above configuration, FortiWeb forwards the request from the client to the server with SNI extension which is verified by the server to present the appropriate certificate.

Related document:

Defining your web servers

7156
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.