I try to solve a (maybe) edge case for a customer:
The Customer has multiple Website behind a Fortigate which he would like to make public available:
There is only 1 public IP Address. All the Website should be available on Port 443 (HTTPS).
The Websites should be protected by WAF.
What I have tried:
I can make the first two Websites (web1, web2) available with "Virtual Servers" and by using a Wildcard (public signed) certificate. Then I used a Firewall Rule with a Web Application Firewall Profile to secure the Servers. But then web3 cannot be added because it is using a different Domain.
I also tried it with ZTNA, Proxy Policy and by disabling the Client Certificate requirement by setting "set client-cert disable". This way I was able to publish all of the 3 Domains. But that way i cannot use any protection as Web Application Firewall cannot be used together with ZTNA as far as i know.
Also, i noticed, that when using a HTTPS-Real-Server, that the real certificate of the Server is showing up instead the certificate i selected in the ZTNA-Real-Server assignment.
Any suggestion how to solve this case without using a FortiWeb?
Regards,
Michael
Solved! Go to Solution.
For everyone else looking for a solution, I solved this by creating a Multidomain Wildcard SAN Certificate.
With that, it is possible to use the Virtual Server and WAF for all Domains.
First i didn‘t want to use a Certificate like that, because they are expensive.
I‘m now using the Powershell Module „Posh-Acme“ together with the integrated Cloudflare Plugin in the Module to automatically generate a Multidomain Wildcard SAN Certificate. The Renewal Process is also automated.
After generating/renewing, I use the PowerShell Module „Posh-SSH“ to connect to the Fortigate and Upload the Certificate via a TFTP-Server (pfx file). Then I can use native Fortigate Commands, also with Posh-SSH, to assign the Certificate to all Services (everything automated).
Initialy i thought that would not be suiteable for production, but it was so easy to crate a script with the two PowerShell modules, and the Certificate can be monitored by PRTG, so I get an alert if something failes.
I tried to do the same.. If you don't use a dedicated WAF, I think your solution with FortiGate is to use a second public IP for web3.
Thanks AEK. I hoped that there will be some "magic" I had missed, but doesn't seem so.
For everyone else looking for a solution, I solved this by creating a Multidomain Wildcard SAN Certificate.
With that, it is possible to use the Virtual Server and WAF for all Domains.
First i didn‘t want to use a Certificate like that, because they are expensive.
I‘m now using the Powershell Module „Posh-Acme“ together with the integrated Cloudflare Plugin in the Module to automatically generate a Multidomain Wildcard SAN Certificate. The Renewal Process is also automated.
After generating/renewing, I use the PowerShell Module „Posh-SSH“ to connect to the Fortigate and Upload the Certificate via a TFTP-Server (pfx file). Then I can use native Fortigate Commands, also with Posh-SSH, to assign the Certificate to all Services (everything automated).
Initialy i thought that would not be suiteable for production, but it was so easy to crate a script with the two PowerShell modules, and the Certificate can be monitored by PRTG, so I get an alert if something failes.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1738 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.