SSL-Offloading
Hi, I recently got into firewalls. I have a Fortigate 200F and I want to do SSL-offloading with it, if possible.
My question is: is it possible to do it with Fortigate, and if yes, what makes it different from Fortiweb, when I can offload traffic on my Fortigate and inspect it?
FortiWeb is doing application level inspection (a more focused aim than FortiGate). SSL offloading means removing the encryption from the traffic. You can do that with FortiGate through a VIP - Server Load balancing. Some info here:
http://docs.fortinet.com/document/fortigate/6.2.0/cookbook/713497/virtual-server
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
Thanks for the reply. If you put the SSL inspection on deep packet inspection, isn't it the same thing? Meaning doing application-level inspection?
There is a little difference regarding offloading. When you do that in FortiGate on a regular traffic policy, the traffic is decrypted in order to be scanned, and re-encrypted on the way to the local server. SSL offloading means that the last part of the communication (LAN segment) is not encrypted (so the servers don't require extra resources to decrypt the traffic). This is maybe better described here:
https://docs.fortinet.com/document/fortiweb/6.3.0/administration-guide/341240/offloading-vs-inspecti...
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
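The two replies above (offloading through a VIP with server load balancing, and the unencrypted LAN segment) come down to one setting on the virtual server. The following FortiOS CLI fragment is an added illustration, not configuration posted by anyone in this thread; the VIP name, interface, addresses and certificate name are constructed placeholders, the `#` lines are annotations to drop before pasting, and a firewall policy with this VIP as its destination is still required.

```fortios
# Constructed example values: "web-offload", "wan1", 203.0.113.10,
# 10.0.10.11 and "example-server-cert" are placeholders.
config firewall vip
    edit "web-offload"
        set type server-load-balance
        set server-type https
        set extintf "wan1"
        set extip 203.0.113.10
        set extport 443
        # half: TLS ends on the FortiGate and the real server receives
        #       plain HTTP, so the LAN segment is unencrypted (offloading).
        # full: the FortiGate decrypts, then opens a new TLS session
        #       to the real server, so the LAN segment stays encrypted.
        set ssl-mode half
        set ssl-certificate "example-server-cert"
        config realservers
            edit 1
                set ip 10.0.10.11
                # Port 80 matches ssl-mode half; with ssl-mode full the
                # real server would listen on its TLS port instead.
                set port 80
            next
        end
    next
end
```

With `ssl-mode half`, anything that can observe the segment between the FortiGate and the real server sees the requests in clear text, so that segment needs to be trusted or isolated.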
Hi, I'm concerned about the connection to the final server when you use a Fortigate, with full offloading or not, using a virtual server. I would like to emulate a reverse proxy to connect to internal servers (not DMZ servers). I would like to know if the final connection to the real server is established by Fortigate or from the internet client. I'm not sure about this. I've posted that:
https://community.fortinet.com/t5/Support-Forum/Fortigate-SSL-Offloading-with-SNI/m-p/348745#M253392
Do you know if the TCP connection is established from Fortigate? I'm not sure if in both cases it works like a real reverse proxy.
Thanks!!!!
@fortimaster - once a subject is solved, nobody checks it. Please post it as a new topic, instead of hijacking other subjects. Your question is not really related to what was asked here, or the other subject you posted in.
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
You are right, Alex. I'm going to open a new post.
Thanks.
