Hello everybody,
we are currently using the SSL offloading feature on a Fortigate (running 7.0.x OS) to inspect inbound traffic (!) to a web server located in our DMZ:
config firewall vip
    edit "Loadbalancer SSL www.example.org"
        set comment "for IPS on SSL"
        set type server-load-balance
        set extip 1.2.3.4
        set extintf "wan1"
        set server-type https
        set monitor "192.168.1.22"
        set extport 443
        config realservers
            edit 1
                set ip 192.168.1.22
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "www_example_org 03-23"
        set ssl-client-renegotiation deny
        set ssl-client-session-state-type disable
    next
end
config firewall policy
    edit 99
        set srcintf "wan1"
        set dstintf "dmz"
        set action accept
        set srcaddr "all"
        set dstaddr "Loadbalancer SSL www.example.org"
        set schedule "always"
        set service "HTTPS" "HTTP"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "my_certificate-inspection"
        set ips-sensor "my_protect_server"
        set application-list "my_app_protect_server"
        set logtraffic all
    next
end
The "www_example_org 03-23" is an officially issued certificate for my website ("www.example.org").
This configuration is realized in this way because I want the Fortigate to inspect the traffic (see my_app_protect_server and my_protect_server). Therefore the Fortigate needs to "crack" the connection and re-encrypt it using the official certificate.
Up to here everything is fine and working.
My goal is to host multiple websites on one public IP (in the example 1.2.3.4), e.g. www.example1.org, www.example2.org and so on. I need this because of limited public IPs on my WAN side.
Therefore I need to use SNI, but I have no idea whether this is possible with the Fortigate or how to configure it. Simply using more than one "realserver" will not solve the problem; I can only use one certificate for re-encrypting the traffic (set ssl-certificate "www_example_org 03-23").
I have found this: https://community.fortinet.com/t5/Support-Forum/server-load-balancing-finally-works-since-FOS-6-4/m-...
Under the missing features, "SNI" is mentioned; is this right? Is it also true for the latest FortiOS versions?
Can anybody assist me here?
Sebastian
Hello,
This can be achieved with "set ldb-method http-host" and setting "set http-host your.fqdn" in your VIP object config.
example:
config firewall vip
    edit "SNI_based_virtual_hosts"
        set type server-load-balance
        set extintf "wan1"
        set server-type https
        set ldb-method http-host <---
        set persistence http-cookie <---
        set extport 443
        config realservers
            edit 1
                set ip 10.0.0.1
                set port 443
                set http-host "a.fqdn.com" <---
            next
            edit 2
                set ip 10.0.0.2
                set port 443
                set http-host "b.fqdn.com" <---
            next
        end
        set ssl-mode full
        set ssl-certificate "wildcard_or_san.fqdn.com"
        set ssl-server-algorithm high
        set ssl-server-min-version tls-1.1
        set ssl-server-max-version tls-1.2
    next
end
note:
The only issue here is the certificate.
It should either be a wildcard certificate for the CN of the whole domain, i.e. *.fqdn.com,
or it needs to include all the SNIs as SAN objects (subject alternative names), i.e. a.fqdn.com, b.fqdn.com, etc.
Regards
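The note above leaves the operator with one thing to verify before cutting traffic over: that the single certificate bound with `set ssl-certificate` really covers every `set http-host` value, either by wildcard or by SAN. The following is an added example (not code from this thread or from FortiOS) that performs that check. `san_dns_names()` and `uncovered_hosts()` work offline on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, applying the RFC 6125 wildcard rules (a wildcard must be the whole leftmost label and never matches across a dot). `probe_vhost()` fetches that dict from a live VIP while sending SNI and the HTTP `Host` header set to the same name, so a backend complaint about SNI and HTTP hostname differing can only originate from what the load balancer forwards, not from the client. The certificate dict, the IP `1.2.3.4` and the host list are constructed sample values.

```python
"""Certificate coverage check for http-host based virtual hosting on a VIP.

Added example, not code from the forum thread or from FortiOS. It assumes the
operator keeps the `set http-host` values of the realservers in a list and
wants to confirm that the one certificate bound with `set ssl-certificate`
covers every one of them (wildcard or SAN) before switching traffic.
"""
import socket
import ssl


def san_dns_names(cert: dict) -> list[str]:
    """DNS names a certificate is valid for, in getpeercert() dict form.
    SAN entries win; the CN is only consulted when the cert has no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for kind, value in rdn if kind == "commonName")
    return names


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: case-insensitive; a wildcard must be the whole
    leftmost label, needs at least two labels after it, and never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # rejects partial wildcards like "a*.fqdn.com" and over-broad "*.com"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(cert: dict, vhosts: list[str]) -> list[str]:
    """http-host values that the certificate would NOT cover."""
    names = san_dns_names(cert)
    return [h for h in vhosts if not any(dns_name_matches(n, h) for n in names)]


def probe_vhost(vip_ip: str, vhost: str, port: int = 443, timeout: float = 5.0):
    """Connect to the VIP with SNI=vhost, send a HEAD request whose Host header
    is the same vhost, and return (status_line, peer_cert_dict).
    With the default context, a certificate that does not cover vhost makes the
    handshake raise ssl.SSLCertVerificationError, which is exactly the caveat."""
    ctx = ssl.create_default_context()
    with socket.create_connection((vip_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=vhost) as tls:
            cert = tls.getpeercert()
            request = f"HEAD / HTTP/1.1\r\nHost: {vhost}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode("ascii", "replace")
    return status_line, cert


# Constructed sample: what getpeercert() returns for a wildcard certificate.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.fqdn.com"),),),
    "subjectAltName": (("DNS", "*.fqdn.com"), ("DNS", "fqdn.com")),
}
# Constructed http-host list: the two names from the answer plus two that a
# single-label wildcard does not cover.
SAMPLE_VHOSTS = ["a.fqdn.com", "b.fqdn.com", "deep.x.fqdn.com", "other.example"]


if __name__ == "__main__":
    print("not covered:", uncovered_hosts(SAMPLE_WILDCARD_CERT, SAMPLE_VHOSTS))
    # Live check against the VIP (placeholder extip and http-host value):
    # print(probe_vhost("1.2.3.4", "a.fqdn.com"))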
Hi, yes, the SNI field is supported from version 7.0 onwards. You can modify the SSL-SSH profile to have SNI.
config firewall ssl-ssh-profile
    edit "multi-cert"
        set server-cert-mode replace
        set server-cert "bbb" "aaa"
    next
end
For more details you can look at the article below.
Hi!
This did not work; my backend server complains about a mismatch between SNI and HTTP header:
Hostname www.example1.org provided via SNI and hostname www.example2.org provided via HTTP are different
The method @lol described has worked.
But it's not complete SNI; I would expect the Fortigate to set both (SNI and HTTP Post header) correctly?
When interested I can supply complete config-snippets.
Sebastian
Hi!
Thanks a lot, that works. I have to use two internal IP addresses, but that's not the problem. The problem (only using one external address) was solved.
The SSL-Certificate was a Wildcard-Cert - so, this was fine.
I guess this is the only way to solve this (see the post above from @rosatechnocrat)? Are there any plans to implement SNI "fully"? Or is it a feature for which FortiWeb must be used?
Thanks again,
Sebastian