Hi all,
I have read some post to try to configure my fortigate 600E like a reverse proxy. The posts are closed, and that is the reason why I opening this.. I would like to emulate a reverse proxy to connect to internal servers (not DMZ servers) using my external firewall. I would like to know if the final connection to the real servers, is established by Fortigate or from the internet client. I'm not sure about this. I've posted that:
https://community.fortinet.com/t5/Support-Forum/Fortigate-SSL-Offloading-with-SNI/m-p/348745#M253392
Do you know if the TCP connection is stablished from Fortigate? I'm not sure if in both cases it works like a real reverse proxy. I don't want direct TCP connections to the real servers from internet clients
Thanks ¡¡¡
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you're using Virtual Server feature, the traffic is proxied unconditionally. That's the end of it.
Ports and IPs don't matter. Depending on further options, the srcip may be forced to change to FortiGate's egress intf IP, but that's a consequence of those options, not of the traffic being proxied in general.
(FYI the FortiGate typically tries to preserve the srcport of the original session, as long as it doesn't conflict with another existing session)
Created on 10-17-2024 06:54 AM Edited on 10-17-2024 06:54 AM
Thanks for your help¡
From my lack of knowledge a virtual server it is similar to a load balancer. But I thought that it doesn't proxi connections, normally. I know that similar ports and IP could not mean that traffic is not proxied, but I tried to check using these references, cause I don't know how to can granteed that final clients cannot connect to final server directly. In the other hand I have not check "original source"client in the virtual server and I can see it.
If I check fortigate sessions I see a direct client server connection stablished. Doing a debug I have same feeling.
pminarik, there is a form to check that? Im concerned cause final servers are not in DMZ (that's why I want a reverse proxy).
VIPs of type server-load-balance (aka "Virtual Server" in GUI), are always processed by the wad process (~primarily for proxying traffic), and can only be used in firewall policies set to proxy-mode inspection.
> If I check fortigate sessions I see a direct client server connection stablished
What do you mean by that?
I'm also strugging to understand what it is you are truly after. All of the traffic will be going through the FortiGate anyway, whether that superficially "appears" as if proxied (proxy-mode inspection), or not (flow-mode inspection; even though flow-mode deep SSL-inspection is obviously proxied by definition!).
> If I check fortigate sessions I see a direct client server connection stablished
What I mean is that I don't see two connections (firewall->client and Firewall-->server). What I see is: Client-->Server and, cause for this reason I'm not sure if tcp connection is stablishes directly from client or not to final server.
What do you mean by that?
I'm also strugging to understand what it is you are truly after. All of the traffic will be going through the FortiGate anyway, whether that superficially "appears" as if proxied (proxy-mode inspection), or not (flow-mode inspection; even though flow-mode deep SSL-inspection is obviously proxied by definition!).
I know that when policy is in proxy mode it buffers packet and inspects it better and with more capabilities than flow mode. But I'm not sure if "proxy mode" enabled in a policy means that traffic leaves fortigate in a new TCP session (like a proxy acts). I thought not.
Also I know how deep inspection decrypts paquet and establishes different sessions between client and servers, but that not mean (in my opinion) that traffic is proxified (cause of that you can use , or not, deep inspection in a firewall proxy policys).
That I want is a reverse proxy web, to protect my final servers from direct client connections and to protect them cause they are not allowed in DMZ. If they were in a dmz I wouldn't mind. I don't want the end servers to receive direct traffic even if they pass through the firewall which, logically, will analyse the traffic and distribute it.
finalclient <-->reverse proxy <-->final server
As I have doubts, I ask you.
Thanks ¡¡¡
A session inspected by proxy-mode inspection shows only one entry in "diag sys session list", yet it is still proxied.
Created on 10-17-2024 08:49 AM Edited on 10-17-2024 08:50 AM
Thanks pminarik. In that case the answer is "yes, with Virtual server in policy in proxy mode, you can do a reverse proxy, the clients doesn't stablish direct connections to final servers in any case. The connections are from fortigate (reverse proxy) to clients".
Thanks for your help.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1663 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.