Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
solae
New Contributor II

Map multiple Website with multiple Domains and Subdomains to multiple Servers (WAF / ZTNA)

I try to solve a (maybe) edge case for a customer:

 

The Customer has multiple Website behind a Fortigate which he would like to make public available:

  • web1.domain1.tld
  • web2.domain1.tld
  • web3.domain2.tld

There is only 1 public IP Address. All the Website should be available on Port 443 (HTTPS).

The Websites should be protected by WAF.

 

What I have tried:

I can make the first two Websites (web1, web2) available with "Virtual Servers" and by using a Wildcard (public signed) certificate. Then I used a Firewall Rule with a Web Application Firewall Profile to secure the Servers. But then web3 cannot be added because it is using a different Domain.

 

I also tried it with ZTNA, Proxy Policy and by disabling the Client Certificate requirement by setting "set client-cert disable". This way I was able to publish all of the 3 Domains. But that way i cannot use any protection as Web Application Firewall cannot be used together with ZTNA as far as i know.

Also, i noticed, that when using a HTTPS-Real-Server, that the real certificate of the Server is showing up instead the certificate i selected in the ZTNA-Real-Server assignment.

 

Any suggestion how to solve this case without using a FortiWeb?

 

Regards,

Michael

1 Solution
solae
New Contributor II

For everyone else looking for a solution, I solved this by creating a Multidomain Wildcard SAN Certificate.

With that, it is possible to use the Virtual Server and WAF for all Domains.

 

First i didn‘t want to use a Certificate like that, because they are expensive.

I‘m now using the Powershell Module „Posh-Acme“ together with the integrated Cloudflare Plugin in the Module to automatically generate a Multidomain Wildcard SAN Certificate. The Renewal Process is also automated.

After generating/renewing, I use the PowerShell Module „Posh-SSH“ to connect to the Fortigate and Upload the Certificate via a TFTP-Server (pfx file). Then I can use native Fortigate Commands, also with Posh-SSH, to assign the Certificate to all Services (everything automated).

 

Initialy i thought that would not be suiteable for production, but it was so easy to crate a script with the two PowerShell modules, and the Certificate can be monitored by PRTG, so I get an alert if something failes.

View solution in original post

3 REPLIES 3
AEK
SuperUser
SuperUser

I tried to do the same.. If you don't use a dedicated WAF, I think your solution with FortiGate is to use a second public IP for web3.

AEK
AEK
solae
New Contributor II

Thanks AEK. I hoped that there will be some "magic" I had missed, but doesn't seem so.

solae
New Contributor II

For everyone else looking for a solution, I solved this by creating a Multidomain Wildcard SAN Certificate.

With that, it is possible to use the Virtual Server and WAF for all Domains.

 

First i didn‘t want to use a Certificate like that, because they are expensive.

I‘m now using the Powershell Module „Posh-Acme“ together with the integrated Cloudflare Plugin in the Module to automatically generate a Multidomain Wildcard SAN Certificate. The Renewal Process is also automated.

After generating/renewing, I use the PowerShell Module „Posh-SSH“ to connect to the Fortigate and Upload the Certificate via a TFTP-Server (pfx file). Then I can use native Fortigate Commands, also with Posh-SSH, to assign the Certificate to all Services (everything automated).

 

Initialy i thought that would not be suiteable for production, but it was so easy to crate a script with the two PowerShell modules, and the Certificate can be monitored by PRTG, so I get an alert if something failes.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors