szuko
New Contributor III

SSL-Offloading

Hi, I recently got into firewalls. I have a Fortigate 200F and I want to do SSL offloading with it, if possible.

My question is: is it possible to do it with Fortigate, and if yes, then what makes it different from Fortiweb, when I can offload traffic on my Fortigate and inspect it?

AlexC-FTNT
Staff

FortiWeb is doing application level inspection (a more focused aim than FortiGate). SSL offloading means removing the encryption from the traffic. You can do that with FortiGate through a VIP - Server Load balancing. Some info here:

http://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
szuko
New Contributor III

Thanks for the reply. If you put the SSL inspection on deep packet inspection, isn't it the same thing? Meaning doing application level inspection?

AlexC-FTNT

There is a little difference regarding offloading. When you do that in FortiGate on a regular traffic policy, the traffic is decrypted in order to be scanned, and re-encrypted on the way to the local server. SSL offloading means that the last part of the communication (LAN segment) is not encrypted (so the servers don't require extra resources to decrypt the traffic). This is maybe better described here:
https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/341240/offloading-vs-inspecti...

- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
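
Added example (not part of the replies above and not taken from Fortinet's documentation): a FortiGate virtual server (VIP of type server-load-balance) configured once for offloading and once for re-encryption, to make the difference described above concrete. The VIP names, IP addresses, interface name and certificate name are assumed placeholder values.

```fortios
# Lines starting with "#" are reader annotations, not CLI input.
# All names, addresses and the certificate name are assumed example values.

config firewall vip
    # Offloading: TLS ends at the FortiGate, the real server receives plain HTTP.
    edit "vs-offload-half"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "wan1"
        set server-type https
        set extport 443
        # half = only the client-to-FortiGate side is encrypted
        set ssl-mode half
        set ssl-certificate "example-server-cert"
        config realservers
            edit 1
                set ip 10.0.10.20
                # cleartext HTTP on the LAN segment
                set port 80
            next
        end
    next
    # Re-encryption: traffic is decrypted on the FortiGate, then sent to the server over TLS.
    edit "vs-reencrypt-full"
        set type server-load-balance
        set extip 203.0.113.11
        set extintf "wan1"
        set server-type https
        set extport 443
        # full = client-to-FortiGate and FortiGate-to-server are both encrypted
        set ssl-mode full
        set ssl-certificate "example-server-cert"
        config realservers
            edit 1
                set ip 10.0.10.21
                set port 443
            next
        end
    next
end
```

With `ssl-mode half`, anything on the path between the FortiGate and the real server sees the traffic in cleartext, so that segment has to be one you trust. Either VIP still needs a firewall policy that references it before it passes traffic.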
fortimaster

Hi, I'm concerned about the connection to the final server when you use a Fortigate with full offloading or not, using a virtual server. I would like to emulate a reverse proxy to connect to internal servers (not DMZ servers). I would like to know if the final connection to the real server is established by Fortigate or from the internet client. I'm not sure about this. I've posted that:

https://community.fortinet.com/t5/Support-Forum/Fortigate-SSL-Offloading-with-SNI/m-p/348745#M253392

Do you know if the TCP connection is established from Fortigate? I'm not sure if in both cases it works like a real reverse proxy.

Thanks!!!!
