I am just curious about why we need to add a deep inspection security profile if we are configuring the FortiGate as reverse proxy. So I have to specify a certificate in the Virtual Server, and also a certificate in the deep inspection profile if I follow this Fortinet guide:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD49325
Method 2 - Server Load balance (SSL-mode half). 1) Create Server load balance object.
# config firewall vip
    edit "Web"
        set type server-load-balance
        set extip 10.56.243.162
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 10.101.0.52
                set port 80
            next
        end
        set ssl-certificate "wildcard_lab_com_au"
    next
end
2) Create new firewall policy with the destination VIP.
# config firewall policy
    edit 2
        set srcintf "port10"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set logtraffic all
        set webcache enable
        set webcache-https enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
Does someone know the reason behind this configuration? If the incoming traffic is being decrypted thanks to the virtual server, why do we need to add a deep-inspection profile too? Plus, does someone know what would happen if I chose different certificates for the virtual server and for the deep-inspection security profile? Thanks.
EDIT: Ok, I have just realized that the deep inspection in this example is for the traffic originating from the real server (Server -> Internet), and it differs from the "Protecting SSL Server" inspection profile.
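An added example, not part of the original post or of Fortinet's guide: a small Python parser for the FortiOS CLI "config / edit / set / next / end" blocks quoted above, plus an audit that lists, for every firewall policy whose destination is an SSL-offloading VIP, the certificate external clients are presented with (taken from the VIP's ssl-certificate) and the ssl-ssh-profile the policy applies, so the two certificate settings the question asks about can be reviewed side by side. The sample configuration is constructed from the two blocks quoted above; the function names (parse_fortios, audit_ssl_offload) are my own and not a Fortinet API.

```python
"""Parse FortiOS CLI config blocks and report client-facing certificates per VIP policy.

Added example (not from the original post). Assumes the plain text form of
'show'-style output: config <table>, edit <entry>, set <key> <values>, next, end.
"""
import shlex

# Constructed sample, copied from the two config blocks quoted in the post.
SAMPLE_CONFIG = """
# config firewall vip
    edit "Web"
        set type server-load-balance
        set extip 10.56.243.162
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 10.101.0.52
                set port 80
            next
        end
        set ssl-certificate "wildcard_lab_com_au"
    next
end
# config firewall policy
    edit 2
        set srcintf "port10"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web"
        set action accept
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
"""


def parse_fortios(text):
    """Return nested dicts: {table: {entry: {key: [values], subtable: {...}}}}."""
    root = {}
    stack = [root]  # innermost container is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # strip the CLI prompt the post shows
            line = line[1:].strip()
        if not line:
            continue
        words = shlex.split(line)         # honours the "quoted" values
        cmd, args = words[0], words[1:]
        if cmd == "config":               # open a (sub)table, e.g. "firewall vip"
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":               # open an entry inside a table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset":
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):      # close the current entry / table
            if len(stack) > 1:
                stack.pop()
    return root


def audit_ssl_offload(cfg):
    """For each policy whose dstaddr is a VIP with an ssl-certificate, report what
    clients see (the VIP certificate) and which ssl-ssh-profile the policy uses."""
    vips = cfg.get("firewall vip", {})
    findings = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        for dst in pol.get("dstaddr", []):
            vip = vips.get(dst)
            if not vip or "ssl-certificate" not in vip:
                continue
            backends = sorted(
                (rs.get("ip", [""])[0], rs.get("port", [""])[0])
                for rs in vip.get("realservers", {}).values()
            )
            findings.append({
                "policy": pid,
                "vip": dst,
                "client_facing_cert": vip["ssl-certificate"][0],   # presented to external clients
                "ssl_ssh_profile": pol.get("ssl-ssh-profile", [None])[0],
                "backends": backends,
            })
    return findings


if __name__ == "__main__":
    for f in audit_ssl_offload(parse_fortios(SAMPLE_CONFIG)):
        print(f)
```

Run it against the output of a real `show firewall vip` / `show firewall policy` pasted into SAMPLE_CONFIG; each finding shows which certificate a public VIP presents and, separately, which inspection profile the policy applies, so a mismatch between the two is visible at a glance.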
Copyright 2024 Fortinet, Inc. All Rights Reserved.