Is it possible to use the SNI value (for a whitelisting) in scripting without terminating SSL on the FortiADC?
It seems there is only the CLIENT_HANDSHAKE event, but this requires a clientssl-profile. With F5 iRules there is an additional event CLIENTSSL_CLIENTHELLO, which works without a clientssl-profile. Here only a SSL-persistence profile is required.
Is this somehow also possible with FortiADC?
Thank you!
Regards Stefan :)
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Stefan,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Stefan,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello Stefen,
I have found this documentation:
https://docs.fortinet.com/document/fortiadc/7.2.0/handbook/717770/configuring-client-ssl-profiles
Could you please tell me if it is helping?
Regards,
Dear Anthony,
thanks for sharing this documentation link, but I think using a clientSSL -profile always requires the server-certificate. And that's exactly what I'd like to avoid.
I just want the FortiADC to "read" the SNI field from the ssl_clienthello packet. I think this is, similar to F5, only possible via additional scripting, which FortiADC also supports. But as of now I see only the CLIENT_HANDSHAKE event, which only triggers when terminating SSL. Or in other words, can I use the required SSL:sni() command (to "read" the required value) in any other event WITHOUT terminating SSL?
If not, could this be an idea for upcoming features? Is there an option to request this?
Thank you!
Regards Stefan :)
Dear Stefan :)!,
Thanks a lot for your answer.
Oh ok, I will then find an expert who will reply to you!
Regards,
Hello Stefan,
I have found an expert and he will answer soon :)!
Regards
Hi Stefan,
And hiere the answer:
"we reviewed the current document, but were unable to find information on the specific requirement by the user (similar to F5 SSL-persistence profile). we may need to ask the userto raise a TAC ticket, to futher check with our Devs."
Could you please Stefan, oen a ticket with our TAC?
Thanks a lot in advance.
Regards,
Dear Anthony,
may I ask you how to raise a TAC-ticket? Can I do this online or do I have to call somewhere?
Thank you!
Regards Stefan :)
Dear Stefan,
Sure :)!
Please login to this URL:
https://support.fortinet.com/welcome/#/
And follow the path :)!
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1703 | |
1092 | |
752 | |
446 | |
229 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.