ITerateDaily
New Contributor

Confused on SSL Inspection for our internally hosted web server

Hello,


I'm new to FortiGates, moving off of SonicWALL. I'm trying to set myself up for success, and not setting myself up for failure.

I have a FortiGate 600F, and 2 web servers that are hosted internally. These web servers are accessed by many users daily, across many different countries, so I'm concerned about security.

Since we operate two web servers and our websites are customized for a wide range of clients, we manage numerous unique URLs. To streamline this, we use a wildcard domain certificate.


Right now, I have a basic policy. Incoming WAN interfaces to VIP, with HTTP/HTTPs services, and NAT enabled, no security profiles. 

I think it's wise to set up, at a basic level, IPS and WAF security profiles. By default, the SSL inspection "no-inspection" profile is selected, and it gives the standard message "The no-inspection profile doesn't perform SSL inspection, so it shouldn't be selected with other UTM profiles or features that require SSL inspection."

What is the correct approach to configuring the SSL Inspection profile, and certificate, since I can't control external endpoints and their certificates?

Yurisk
SuperUser

Hi, the most suitable option, I guess, would be to configure a Virtual Server instead of the usual port-forwarding VIP (it is not shown in the menu by default, so go to System -> Feature Visibility and enable Load Balance). In such a configuration you can supply the Virtual Server with your wildcard certificate, and it will do Deep Inspection by decrypting the incoming packets and sending them to the real servers as regular HTTP (SSL offloading), or you can do FGT -> Internal servers SSL encryption as well.

Some info to start with https://community.fortinet.com/t5/FortiGate/Technical-Tip-Recommended-configuration-for-HTTPS-Virtua...


https://yurisk.info
ITerateDaily

This was a great article, thank you for providing it. I am in the process of working through this and adjusting. I did create the SSH/SSL profile in step 3 exactly like they did, with the wildcard cert in it, and I do get a "This SSL profile uses full SSL inspection. End users will likely see certificate warnings unless the certificate is installed in their browser." error. Should it be assumed that, since the traffic is decrypted at the virtual server level, this warning can be disregarded?

Yurisk

Talking of the SSL Inspection profile, which means you are using a regular VIP, you would need to set "Protecting SSL Server", not the option you picked, and specify your wildcard certificate.

https://yurisk.info
ITerateDaily

Hi,

Yes, this is what I am doing. (I blocked out some info for my own safety)

Here is the SSL Profile:

[Screenshot: FortiGate SSL Inspection.jpg]

Virtual server configuration:

[Screenshot: Virtual Server.jpg]

Policy error:

[Screenshot: Policy info.jpg]
