Hi all,
Need help with FortiGate 7.4 SSL inspection setup:
Setup:
Internal API: 10.10.10.99:8000 (HTTPS)
External access: 3.3.3.33:8000 → DNAT to internal
Corporate CA certificates imported to FortiGate
SSL/SSH profile: "Protecting SSL Server" mode
WAF profile: Monitor mode
Policy: Proxy inspection mode with SSL + WAF profiles
Issue: Traffic passes through but SSL inspection doesn't work - no SSL logs, WAF not inspecting content.
Has anyone configured "Protecting SSL Server" for inbound API traffic? What's the correct architecture?
Thanks!
Hi Terasto
I'm not aware that FGT's WAF can protect an API server. I'm actually pretty certain it doesn't.
You need a dedicated WAF that does API protection, like FortiWeb.
Hi AEK!
Okay, let's say I don't need to protect the API service, but I need to use the built-in WAF functionality on the firewall specifically in the scheme (Protecting SSL Server) that I described earlier. I'm wondering, should I enable IPS? It seems like it has some basic attack scenarios for web services that it can block.
Hi Terasto
Here are the recommended steps.