- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL Chain Broken on Fortigate to Fortiweb Setup
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL Chain Broken on Fortigate to Fortiweb Setup
I got an odd situation with our SSL certificate.
Webserver under Fortiweb and FortiGate are configured, https website is working properly. Except for CA chain is broken. When using SSL checker tools, CA could not be seen. I might miss something on my configuration that CA could not be read.
May I know how do you usually setup your SSL cert with FG and Fweb?
We have multiple domains for a single Public IP and utilized SNI for those different websites.
Our setup is that Fortigate is configured with VIP going to the Fortiweb, with SSL inspection configured to 'Protecting SSL Server'. Local cert and CA Intermediate cert is uploaded correctly.
Then on the Fortweb side, we used SNI to handle the different cert of differnt domains. Meaning we also uploaded the local certificates, as well as the CA. Well all websites are working and no SSL error when visiting the sites. But if you run any SSL tools, CA chain is broken.
I tried different setup, and here's what I got. On Fortigate, If I change the SSL Inspection from 'Protecting SSL Server' to 'Multiple Clients Connecting to Multiple Server', CA Chain is restored. This would be my goal... But, with this setup different problem arose. Now all web visitors' Public IP traversing to the FortiWeb is not logging properly (logs the internal IP of Fortigate instead). Which I think means the SSL inspection is now not working on the Fortiweb. (By the way we have X-forwarded-for setting, which works well when 'Protecting SSL server' is enabled)
End goal should be: Certs and CA Chain working correctly, without compromising the logging of web visitor's Public IP. Appreciate any insight on how you would normally setup this. Already troubleshooting if for days with no luck.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried to configure FortiWeb under Virtual Servers in FGT? It will do the SSL offload without configuring a VIP and without using any SSL Inspection profile for the Firewall Policy.
I've been also testing with VIP but couldn't make it work.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'll try this, I'll let you know if this is successul. Though one thing to note is that our setup is quite tricky. As mentioned on my initial post, we are using SNI for mutiple domains, but our public IP is only one. Having 'Virtual Server' with 'Full SSL Offloading' might request for a cert. And I think Full SSL could only use one certificate. Where as VIP on Protecting SSL could use up to 10 certifcates.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your problem seems to stem from some tricky issues in the SSL certificate chain and the interplay between the FortiGate and FortiWeb products. It looks like you have two primary goals:
1. Restore the SSL Certificate Authority (CA) Chain.
2. Maintain proper logging of visitor IP addresses.
When you change the SSL Inspection on FortiGate from "Protecting SSL Server" to "Multiple Clients Connecting to Multiple Server", the SSL CA Chain issue is resolved but it brings up another issue with logging the original client's IP address on FortiWeb. The "Multiple Clients Connecting to Multiple Server" mode will cause FortiGate to decrypt then re-encrypt traffic, changing the client IP seen by FortiWeb to FortiGate's internal IP. That's why you're seeing the internal IP of FortiGate in the logs.
Here are a few suggestions to troubleshoot and possibly solve your problem:
1. **Verify SSL Certificates**: Ensure that the correct SSL certificates (including intermediate certificates) are installed correctly on both FortiGate and FortiWeb. This is crucial for the SSL chain to be recognized correctly. You mentioned that they're uploaded correctly, but it might be worth double-checking.
2. **Deep Packet Inspection (DPI) SSL**: Instead of using "Multiple Clients Connecting to Multiple Server" or "Protecting SSL Server", you can try enabling Deep Packet Inspection (DPI) SSL on FortiGate. With DPI SSL, FortiGate can decrypt SSL traffic for inspection and then re-encrypt it, forwarding it to the server in its original form. However, you should be aware that this could impact performance.
3. **X-Forwarded-For (XFF) Headers**: If the original client IP is getting lost due to the SSL inspection settings on FortiGate, using X-Forwarded-For (XFF) headers might be a way to maintain visibility of the original client IP. You mentioned that you have X-Forwarded-For setting, but check if it's working as expected. It's possible that your FortiWeb isn't correctly configured to use these headers, or that they're being overwritten or removed.
4. **Contact Support**: Given the complexity of this issue and the many factors at play, it might be best to contact Fortinet's support for help with this specific configuration.
Remember that each setup can vary significantly depending on the specifics of your network architecture and your security requirements, so what works in one case might not work in another. Always make sure to thoroughly test any changes in a controlled environment before deploying them to your live systems.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On your suggestion #2, can you futher guide on how I can do the settings on Fortigate? I believe the Inbound DPI for FG is "Protecting SSL Server", but I might be wrong.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You ideal setup should be Fortigate having VIP to translate your Public IP to Private Virtual IP on FortiWeb. FortiWeb being your Web Application Firewall decrypting SSL Connection using SNI based Certificate (with Complete Certificate Chain) for HTTP traffic inspection for Web Attacks.
So may I ask, why you enable SSL Inspection in Fortigate for your Published Web application (HTTP/S) if you FortiWeb is capable to perform the Filtering and blocking Web attacks.
Best Regards,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Saneeshpv,
Thank you for the response, would you mean I should disable SSL inspection on Fortigate? I did try to use the no-inspection, but for some reason other issue arises when there is no SSL inspection, Real IP of web visitor is not logging correctly even though x-forwarded-for is enabled. Seems it needs SSL inspection to get the Public IP of https web visitor. Would there be any appropriate setup for this?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Again, why you are not allowing the Client Public IP address all the way to FortiWeb? Usually you only change the Destination IP from Public IP to FortiWeb Virtual IP, but the Source IP of the Client will remain unchanged and on the FortiWeb you enable X-Forwarded-For Header insertion so that your actual server will be able to know about the client IP address. (for accounting and logging purpose).
########
| Add X-Forwarded-For: |
Enable to include the If the HTTP client or web proxy does not provide the header, FortiWeb adds it, using the source IP address of the connection. If the HTTP client or web proxy already provides the header, it appends the source IP address to the header's list of IP addresses. This option can be useful if your web servers log or analyze clients’ public IP addresses, if they support the
|
Please refer attached.
Best Regards,
Created on 07-31-2023 06:48 AM Edited on 07-31-2023 06:50 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Saneeshpv,
There are alot of things to consider on why we need a Fortigate on top of Fortiweb. IPS is one, as it is only offered by Fortigate as the Firewall. We have also other ports aside from http/https that needs to be protected. We are following the ideal security practice on protecting our server thru Firewall and WAF. We cannot afford to just have WAF for security for a single Public IP.
As mentioned, x-forwared-for is already in place on Fortiweb. Which only works side-by-side when SSL inspection is enabled on Fortiweb,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @dairu,
If you are forwarding traffic to FortiWeb, FortiWeb will only support HTTP based application. You need to enable SSL inspection on FortiWeb which is correct but not on the Fortigate. For IPS you can enable with out SSL inspection in Fortigate and for application level attack mitigation you are using FortiWeb which is capable enough to block all the OWASP top 10 Web attacks and you can also integrate AV/FortiSandbox for deep file analysis with FortiWeb and it also has its Application level DDOS and Bot defense mechanism in place with the advanced AI based Machine learning capabilities to analyze application request. So in any case I don't see any specific requirement for SSL inspection in Fortigate for Inbound Application Publishing when using FortiWeb.
Not sure If I am able to clarify things, if not please let me know your specific protocol use case and scenario which you are trying to achieve here.
Best Regards,
Related Posts
- FortiGate ethernet broken with HA 774 Views
- FortiGate Transparent Proxy 163 Views
- FortiGate/FortiAp Rolling Upgrade does not work? 389 Views
- Map multiple Website with multiple Domains... 535 Views
- SSL Inspection - Certificate Issue 377 Views
Labels
-
FortiGate
6,528 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.