- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FortiADC use SNI value without ClientSSL profile
Is it possible to use the SNI value (for a whitelisting) in scripting without terminating SSL on the FortiADC?
It seems there is only the CLIENT_HANDSHAKE event, but this requires a clientssl-profile. With F5 iRules there is an additional event CLIENTSSL_CLIENTHELLO, which works without a clientssl-profile. Here only a SSL-persistence profile is required.
Is this somehow also possible with FortiADC?
Thank you!
Regards Stefan :)
- Labels:
-
FortiADC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Stefan,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Stefan,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Stefen,
I have found this documentation:
https://docs.fortinet.com/document/fortiadc/7.2.0/handbook/717770/configuring-client-ssl-profiles
Could you please tell me if it is helping?
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Anthony,
thanks for sharing this documentation link, but I think using a clientSSL -profile always requires the server-certificate. And that's exactly what I'd like to avoid.
I just want the FortiADC to "read" the SNI field from the ssl_clienthello packet. I think this is, similar to F5, only possible via additional scripting, which FortiADC also supports. But as of now I see only the CLIENT_HANDSHAKE event, which only triggers when terminating SSL. Or in other words, can I use the required SSL:sni() command (to "read" the required value) in any other event WITHOUT terminating SSL?
If not, could this be an idea for upcoming features? Is there an option to request this?
Thank you!
Regards Stefan :)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Stefan :)!,
Thanks a lot for your answer.
Oh ok, I will then find an expert who will reply to you!
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Stefan,
I have found an expert and he will answer soon :)!
Regards
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Stefan,
And hiere the answer:
"we reviewed the current document, but were unable to find information on the specific requirement by the user (similar to F5 SSL-persistence profile). we may need to ask the userto raise a TAC ticket, to futher check with our Devs."
Could you please Stefan, oen a ticket with our TAC?
Thanks a lot in advance.
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Anthony,
may I ask you how to raise a TAC-ticket? Can I do this online or do I have to call somewhere?
Thank you!
Regards Stefan :)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Stefan,
Sure :)!
Please login to this URL:
https://support.fortinet.com/welcome/#/
And follow the path :)!
Regards,
