Hi all,
I am new to Fortinet, and I would like to ask for advice and help regarding a request to enable SSL Offloading on the FortiGate firewall (100D), which requires tests to ensure the SSL Offloading capability of the firewall.
Advice and help are needed! Thank you!
Hi,
Welcome to the Forums.
SSL Offloading requires the load balancing feature to be enabled (System --> Feature Visibility --> Load Balance). You can use the default SSL certificate, but it will generate errors in the browser (I assume for testing it's OK);
otherwise you can import your own certificates (System --> Certificates). Create one or more virtual servers and one or more policies to allow HTTPS.
http://help.fortinet.com/...db-ssl-tls-offload.htm
________________________________________________________
--- NSE 4 ---
________________________________________________________
mgrosni wrote: Hi,
Welcome to the Forums.
SSL Offloading requires the load balancing feature to be enabled (System --> Feature Visibility --> Load Balance). You can use the default SSL certificate, but it will generate errors in the browser (I assume for testing it's OK);
otherwise you can import your own certificates (System --> Certificates). Create one or more virtual servers and one or more policies to allow HTTPS.
http://help.fortinet.com/...db-ssl-tls-offload.htm
Hi Markus,
How can I solve the errors generated by the browser when using the default SSL certificate? Is the default SSL certificate only for testing purposes? And also, is it a 'must' to configure virtual servers to allow HTTPS connections to the browser?
Hi Royston, to clarify: do you want server SSL offloading (e.g. connections from the Internet to your HTTPS server), or do you want to inspect HTTPS traffic going from clients to the Internet?
If you want to inspect client traffic, you don't need a virtual server. For client inspection you have to configure UTM with SSL inspection. Some explanation of client inspection: http://cookbook.fortinet.com/preventing-certificate-warnings-54/
________________________________________________________
--- NSE 4 ---
________________________________________________________
mgrosni wrote: Hi Royston, to clarify: do you want server SSL offloading (e.g. connections from the Internet to your HTTPS server), or do you want to inspect HTTPS traffic going from clients to the Internet?
If you want to inspect client traffic, you don't need a virtual server. For client inspection you have to configure UTM with SSL inspection. Some explanation of client inspection: http://cookbook.fortinet.com/preventing-certificate-warnings-54/
Hi Markus,
Thank you for the reply. I am working on SSL offloading for incoming traffic from the Internet to the HTTPS server, not the client inspection part. It would be great if more advice and help could be provided for me to work around this!
Basically you need a load-balanced virtual server, an SSL certificate and a policy.
This is an example for OWA.
virtual server (CLI):

    config firewall vip
        edit "vvOwa"
            set comment "outlookWebAccess"
            set type server-load-balance
            set extip "your external ip where your server should listen"
            set extintf "any"
            set server-type https
            set http-ip-header enable
            set extport "your external port e.g. 443 for ssl"
            config realservers
                edit 1
                    set ip "your internal server ip"
                    set port "your server port"
                next
            end
            set http-multiplex enable
            set ssl-mode full
            set ssl-certificate "your ssl cert"
        next
    end
policy (CLI):

    config firewall policy
        edit <nr>
            set name "wan2owa"
            set srcintf "your source interface"
            set dstintf "your destination interface"
            set srcaddr "all"
            set dstaddr "vvOwa"
            set action accept
            set schedule "always"
            set service "HTTPS"
            set utm-status enable
            set comments "owa"
        next
    end
For the "cert", you can import your SSL domain/wildcard certificate that matches the domain under which the server should be accessible, or use the "default" FortiGate certificate (it throws an error, but can easily be used for testing SSL offload). If you want to import your SSL certificates, go to System --> Certificates --> Import --> Local Certificate. Some help and examples: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-load-balancing-52/ldb-ssl-tls-offload...
________________________________________________________
--- NSE 4 ---
________________________________________________________
mgrosni wrote: Basically you need a load-balanced virtual server, an SSL certificate and a policy.
This is an example for OWA.
virtual server (CLI):

    config firewall vip
        edit "vvOwa"
            set comment "outlookWebAccess"
            set type server-load-balance
            set extip "your external ip where your server should listen"
            set extintf "any"
            set server-type https
            set http-ip-header enable
            set extport "your external port e.g. 443 for ssl"
            config realservers
                edit 1
                    set ip "your internal server ip"
                    set port "your server port"
                next
            end
            set http-multiplex enable
            set ssl-mode full
            set ssl-certificate "your ssl cert"
        next
    end
policy (CLI):

    config firewall policy
        edit <nr>
            set name "wan2owa"
            set srcintf "your source interface"
            set dstintf "your destination interface"
            set srcaddr "all"
            set dstaddr "vvOwa"
            set action accept
            set schedule "always"
            set service "HTTPS"
            set utm-status enable
            set comments "owa"
        next
    end
For the "cert", you can import your SSL domain/wildcard certificate that matches the domain under which the server should be accessible, or use the "default" FortiGate certificate (it throws an error, but can easily be used for testing SSL offload). If you want to import your SSL certificates, go to System --> Certificates --> Import --> Local Certificate. Some help and examples: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-load-balancing-52/ldb-ssl-tls-offload...
Thanks Markus! For now, I will temporarily use the default SSL certificate to do some tests on my end before I implement it on the actual network server.
I suggest using / creating a specific (Protecting SSL Server) profile.
Go to Security Profiles --> SSL/SSH Inspection and create a new SSL profile with the SSL inspection option "Protecting SSL Server".
________________________________________________________
--- NSE 4 ---
________________________________________________________
mgrosni wrote: Basically you need a load-balanced virtual server, an SSL certificate and a policy.
This is an example for OWA.
virtual server (CLI):

    config firewall vip
        edit "vvOwa"
            set comment "outlookWebAccess"
            set type server-load-balance
            set extip "your external ip where your server should listen"
            set extintf "any"
            set server-type https
            set http-ip-header enable
            set extport "your external port e.g. 443 for ssl"
            config realservers
                edit 1
                    set ip "your internal server ip"
                    set port "your server port"
                next
            end
            set http-multiplex enable
            set ssl-mode full
            set ssl-certificate "your ssl cert"
        next
    end
policy (CLI):

    config firewall policy
        edit <nr>
            set name "wan2owa"
            set srcintf "your source interface"
            set dstintf "your destination interface"
            set srcaddr "all"
            set dstaddr "vvOwa"
            set action accept
            set schedule "always"
            set service "HTTPS"
            set utm-status enable
            set comments "owa"
        next
    end
For the "cert", you can import your SSL domain/wildcard certificate that matches the domain under which the server should be accessible, or use the "default" FortiGate certificate (it throws an error, but can easily be used for testing SSL offload). If you want to import your SSL certificates, go to System --> Certificates --> Import --> Local Certificate. Some help and examples: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-load-balancing-52/ldb-ssl-tls-offload...
Regarding 'set ssl-mode full': is it highly recommended to use full mode instead of half mode for SSL offload?
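The opening post asks for a way to test that SSL offload on the VIP actually works, mgrosni notes that the built-in FortiGate certificate makes browsers warn, and the last post asks about `set ssl-mode full` versus half. In FortiOS, `ssl-mode half` means the FortiGate terminates the client's TLS session on the VIP and forwards plain HTTP to the real server, while `ssl-mode full` re-encrypts towards the real server; either way the certificate the client sees is the one set with `set ssl-certificate` on the VIP, not the server's own. The script below is an added example, not code from the thread or from Fortinet: it probes the VIP and the real server with `openssl s_client`, reports who terminates TLS and with which certificate, and flags a certificate that the probing host does not trust (the same condition that produces the browser error). All host names, ports and the sample `s_client` output embedded in it are assumptions.

```shell
#!/bin/sh
# tls_offload_check.sh (added example; not from the forum thread or Fortinet)
# Probes a FortiGate server-load-balance VIP and the real server behind it with
# `openssl s_client` and reports which side terminates TLS, so the SSL offload
# behaviour of the VIP can be tested before the real certificate is installed.
# Host names, ports and the sample output below are assumptions.

# parse_s_client: read `openssl s_client` output on stdin and emit key=value
# lines for subject, issuer, protocol, cipher and the verification result.
# Empty output means the peer did not complete a TLS handshake (plain HTTP
# backend, closed port, or a reset).
parse_s_client() {
    awk '
        /^subject=/            { sub(/^subject=/, "");              print "subject=" $0 }
        /^issuer=/             { sub(/^issuer=/, "");               print "issuer=" $0 }
        /^ *Protocol *:/       { sub(/^ *Protocol *: */, "");       print "protocol=" $0 }
        /^ *Cipher *:/         { sub(/^ *Cipher *: */, "");         print "cipher=" $0 }
        /^Verify return code:/ { sub(/^Verify return code: */, ""); print "verify=" $0 }
    '
}

# get_field KEY PARSED: first value of KEY in parse_s_client output held in PARSED
get_field() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | sed -n '1p'
}

# probe HOST PORT SNI: handshake with HOST:PORT, sending SNI (the public name
# the certificate should match), and return the parsed fields
probe() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | parse_s_client
}

# cert_is_trusted PARSED: 0 if the presented chain verified against the local
# CA store. Any other verify code is what makes browsers warn, which is the
# expected result with the built-in FortiGate certificate.
cert_is_trusted() {
    case "$(get_field verify "$1")" in
        '0 (ok)') return 0 ;;
        *)        return 1 ;;
    esac
}

# classify_offload VIP_PARSED BACKEND_PARSED: decide from the certificates seen
# on each side how the VIP is handling TLS:
#   no-tls-at-vip  VIP did not complete a handshake (offload not active)
#   offload-half   VIP speaks TLS, backend does not (ssl-mode half: plain HTTP
#                  between the FortiGate and the real server)
#   offload-full   both speak TLS with different certificates (ssl-mode full:
#                  the FortiGate re-encrypts towards the real server)
#   passthrough    same subject and issuer on both sides: either no offload, or
#                  the same certificate installed on both (compare fingerprints
#                  with `openssl x509 -fingerprint` to tell those apart)
classify_offload() {
    vip_subject=$(get_field subject "$1")
    vip_issuer=$(get_field issuer "$1")
    be_subject=$(get_field subject "$2")
    be_issuer=$(get_field issuer "$2")
    if [ -z "$vip_subject" ]; then
        echo no-tls-at-vip
    elif [ -z "$be_subject" ]; then
        echo offload-half
    elif [ "$vip_subject" = "$be_subject" ] && [ "$vip_issuer" = "$be_issuer" ]; then
        echo passthrough
    else
        echo offload-full
    fi
}

# Constructed sample of what `openssl s_client` prints when a VIP answers with
# a certificate the client does not trust (names are made up).
SAMPLE_VIP="$(printf '%s\n' \
    'subject=CN = owa.example.com, O = Example Corp, C = US' \
    'issuer=CN = Example Issuing CA, O = Example Corp, C = US' \
    '    Protocol  : TLSv1.2' \
    '    Cipher    : ECDHE-RSA-AES256-GCM-SHA384' \
    'Verify return code: 21 (unable to verify the first certificate)')"

# Usage: sh tls_offload_check.sh VIP_HOST VIP_PORT BACKEND_HOST BACKEND_PORT [SNI]
# Run from a host that can reach both the external VIP and the internal server.
if [ $# -ge 4 ]; then
    sni=${5:-$1}
    vip=$(probe "$1" "$2" "$sni")
    be=$(probe "$3" "$4" "$sni")
    echo "vip:     $(get_field subject "$vip") [$(get_field protocol "$vip") $(get_field cipher "$vip")]"
    if [ -n "$be" ]; then
        echo "backend: $(get_field subject "$be") [$(get_field protocol "$be") $(get_field cipher "$be")]"
    else
        echo "backend: no TLS handshake (plain HTTP, closed port, or unreachable)"
    fi
    echo "result:  $(classify_offload "$vip" "$be")"
    cert_is_trusted "$vip" \
        || echo "warning: VIP certificate not trusted here: $(get_field verify "$vip")"
fi
```

With the VIP from the thread this would be run as `sh tls_offload_check.sh <external ip> 443 <internal server ip> <server port> owa.example.com`; with the default FortiGate certificate the result line shows the offload mode while the warning line shows the verify code behind the browser error, and the warning should disappear once the imported certificate matching the SNI name is set on the VIP.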
Copyright 2025 Fortinet, Inc. All Rights Reserved.