Hi, I recently got into firewalls. I have a FortiGate 200F and I want to do SSL offloading with it, if possible.
My question is: is it possible to do it with FortiGate, and if yes, then what makes it different from FortiWeb, when I can offload traffic on my FortiGate and inspect it?
FortiWeb is doing application level inspection (a more focused aim than FortiGate). SSL offloading means removing the encryption from the traffic. You can do that with FortiGate through a VIP - Server Load balancing. Some info here:
http://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server
Thanks for the reply. If you put the SSL inspection on deep packet inspection, isn't it the same thing? Meaning doing application-level inspection?
There is a little difference regarding offloading. When you do that in FortiGate on a regular traffic policy, the traffic is decrypted in order to be scanned, and re-encrypted on the way to the local server. SSL offloading means that the last part of the communication (LAN segment) is not encrypted (so the servers don't require extra resources to decrypt the traffic). This is maybe better described here:
https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/341240/offloading-vs-inspecti...
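As an added illustration (not part of the original posts or of Fortinet's documentation), here are the two virtual-server modes discussed above on a FortiOS server-load-balance VIP: `ssl-mode half` terminates TLS on the FortiGate and forwards clear text to the real server (offloading), while `ssl-mode full` re-encrypts toward the server. The VIP names, addresses (documentation ranges), interface and certificate name are assumed placeholders.

```text
config firewall vip
    edit "vs-offload-half"
        set comment "Client-to-FortiGate TLS only; real server receives HTTP"
        set type server-load-balance
        set server-type https
        set extintf "port1"
        set extip 203.0.113.10
        set extport 443
        set ssl-mode half
        set ssl-certificate "example-server-cert"
        config realservers
            edit 1
                set ip 10.0.0.10
                set port 80
            next
        end
    next
    edit "vs-reencrypt-full"
        set comment "TLS on both legs; real server receives HTTPS"
        set type server-load-balance
        set server-type https
        set extintf "port1"
        set extip 203.0.113.11
        set extport 443
        set ssl-mode full
        set ssl-certificate "example-server-cert"
        config realservers
            edit 1
                set ip 10.0.0.11
                set port 443
            next
        end
    next
end
```

With `ssl-mode half`, traffic between the FortiGate and the real server is plain HTTP, so that LAN segment should be trusted or isolated. Either VIP still needs a firewall policy that references it as the destination address.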
Hi, I'm concerned about the connection to the final server when you use a FortiGate with full offloading or not, using a virtual server. I would like to emulate a reverse proxy to connect to internal servers (not DMZ servers). I would like to know if the final connection to the real server is established by the FortiGate or from the internet client. I'm not sure about this. I've posted that:
https://community.fortinet.com/t5/Support-Forum/Fortigate-SSL-Offloading-with-SNI/m-p/348745#M253392
Do you know if the TCP connection is established from the FortiGate? I'm not sure if in both cases it works like a real reverse proxy.
Thanks!!!!
@fortimaster - once a subject is solved, nobody checks it. Please post it as a new topic, instead of hijacking other subjects. Your question is not really related to what was asked here, or the other subject you posted in.
You are right, Alex. I'm going to open a new post.
Thanks.