Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Reverse Proxy (Load Balancer) + Deep inspection - Why?

I am just curious about why we need to add a deep inspection security profile if we are configuring the FortiGate as reverse proxy. So I have to specify a certificate in the Virtual Server, and also a certiicate in the deep inspection profile if I follow this Fortinet guide:


Method 2 - Server Load balance (SSL-mode half). 1) Create Server load balance object.

# config firewall vip     edit "Web"         set type server-load-balance         set extip         set extintf "any"         set server-type https         set extport 443         config realservers             edit 1                 set ip                                set port 80             next         end         set ssl-certificate "wildcard_lab_com_au"     next end

2) Create new firewall policy with destinated VIP.

# config firewall policy     edit 2         set srcintf "port10"                set dstintf "port2"         set srcaddr "all"         set dstaddr "Web"         set action accept         set schedule "always"         set service "HTTP" "HTTPS"         set utm-status enable         set logtraffic all         set webcache enable         set webcache-https enable         set fsso disable         set ssl-ssh-profile "deep-inspection"         set nat enable     next end


Does someone know the reason behind this configuration? If the incoming traffic is being decrypted thanks to the virtual server, why do we need to add a deep-inspection profile too? Plus, does someone know what would happen if I would choose different certificates for the virtual server and for the deep-inspection security profile? Thanks.



EDIT: Ok, I have just realized that the deep inspection in this example is for the traffic originated from real server (Server -> Internet), and it differs from "Protecting SSL Server" inspection profile.

Top Kudoed Authors