Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Andrew3791
New Contributor

Not able to Disable SSL Offloading on Load Balanced Virtual Server

Hi all, I need to be able to disable SSL Offloading for a Load Balanced Virtual Server so that the SSL session terminates on each of the Real Servers and not on the FGT units. There is no way in the Web manager to disable this for HTTPS or SSL types, and seemingly no CLI option either. This seems odd as I can imagine many situations where you would not want inspection. Our use case is compliance where for audit reasons we do not want this data visible to the Firewall. I am hoping I can achieve this, please help and thanks in advance.
3 REPLIES 3
ede_pfau
SuperUser
SuperUser

hi, welcome to the forums. SSL offloading is a global option. If you have the CLI Guide for your version of FortiOS at hand you may search for " ssl-" or the like. It might be CLI only. I suspect it in ' config global' or ' config settings' but I' m not able to reach a FGT right now (it' s Sunday today). BTW this option should default to ' disable' as not all Fortigates have the hardware for SSL acceleration.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau
SuperUser
SuperUser

OK I' ve looked it up. It' s not a global option but one that pertains to an SSL VIP only.
 config firewall vip
    edit <name_str>
       set ssl-mode {full | half}
From the CLI Guide v4.3:
ssl-mode {full | half} Select whether or not to accelerate SSL communications with the destination by using the FortiGate unit to perform SSL operations, and indicate which segments of the connection will receive SSL offloading. Accelerating SSL communications in this way is also called SSL offloading. • full: Select to apply SSL acceleration to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in performance which is less than the option half, but still improved over communications without SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration. • half: Select to apply SSL only to the part of the connection between the client and the FortiGate unit. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator. SSL 3.0 and TLS 1.0 are supported. This option appears only if server-type is ssl or https.
As far as I understand this you could try to set ssl-mode to ' full' to encrypt the traffic between FGT and server. If that is not what you want, try to change the VIP ' server-type' to ' http' or ' tcp' .
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Andrew3791

Thanks for the information. This seems odd to me that it cannot be disabled, but we are investigating using TCP with a method of Source IP Hash to gain some sort of persistence between Src and Dst systems (short of Real server status change), or else just accept this and load certificates and use SSL Offloading. I was confident this would be a configurable option to be disabled but alas it seems not, unless anyone knows a means of turning this off? Thanks Ede_Pfau for your help on this. Btw, this CLI setting seems the same as the drop-down on the Web admin. Thanks.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors