Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sklotz
New Contributor II

FortiADC use SNI value without ClientSSL profile

Is it possible to use the SNI value (for a whitelisting) in scripting without terminating SSL on the FortiADC?

It seems there is only the CLIENT_HANDSHAKE event, but this requires a clientssl-profile. With F5 iRules there is an additional event CLIENTSSL_CLIENTHELLO, which works without a clientssl-profile. Here only a SSL-persistence profile is required.

Is this somehow also possible with FortiADC?

Thank you!

 

Regards Stefan :)

10 REPLIES 10
Anthony_E
Community Manager
Community Manager

Hello Stefan,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Stefan,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Stefen,

 

I have found this documentation:

 

https://docs.fortinet.com/document/fortiadc/7.2.0/handbook/717770/configuring-client-ssl-profiles

 

Could you please tell me if it is helping?

 

Regards,

Anthony-Fortinet Community Team.
sklotz
New Contributor II

Dear Anthony,

thanks for sharing this documentation link, but I think using a clientSSL -profile always requires the server-certificate. And that's exactly what I'd like to avoid.

I just want the FortiADC to "read" the SNI field from the ssl_clienthello packet. I think this is, similar to F5, only possible via additional scripting, which FortiADC also supports. But as of now I see only the CLIENT_HANDSHAKE event, which only triggers when terminating SSL. Or in other words, can I use the required SSL:sni() command (to "read" the required value) in any other event WITHOUT terminating SSL?

If not, could this be an idea for upcoming features? Is there an option to request this?

Thank you!

 

Regards Stefan :)

Anthony_E
Community Manager
Community Manager

Dear Stefan :)!,

 

Thanks a lot for your answer.

Oh ok, I will then find an expert who will reply to you!

 

Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hello Stefan,

 

I have found an expert and he will answer soon :)!

 

Regards

Anthony-Fortinet Community Team.
Anthony_E
Community Manager
Community Manager

Hi Stefan,

 

And hiere the answer:

 

"we reviewed the current document, but were unable to find information on the specific requirement by the user (similar to F5 SSL-persistence profile). we may need to ask the userto raise a TAC ticket, to futher check with our Devs."

 

Could you please Stefan, oen a ticket with our TAC?

 

Thanks a lot in advance.

 

Regards,

Anthony-Fortinet Community Team.
sklotz
New Contributor II

Dear Anthony,

may I ask you how to raise a TAC-ticket? Can I do this online or do I have to call somewhere?
Thank you!

Regards Stefan :)

Anthony_E
Community Manager
Community Manager

Dear Stefan,

 

Sure :)!

 

Please login to this URL:

 

https://support.fortinet.com/welcome/#/

 

And follow the path :)!

 

Regards,

Anthony-Fortinet Community Team.
Top Kudoed Authors