Support Forum
kamarale
New Contributor

SSL inbound deep inspection

Hello,

I have these 2 doubts:

1- If I want to protect a web server NATed to the internet, I can do this only with a normal VIP and SSL inspection, right?

I mean I do NOT need to enable Load Balance feature like this example:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Inbound-SSL-Deep-Inspection/ta...

2- And if I want to protect, for example, an email server (encrypted traffic), in the SSL inspection profile under "Protocol Port Mapping" I have these 2 choices, right:

 - select "Inspect all ports"

 or

 - on "HTTPS" add the ports that I want (i.e. 25, 587, 465)

With either of these 2 I would be protecting my email server from malware and other attacks (with AV/IPS profiles), right?

Thank you in advance

Regards

AEK
SuperUser

Hi Kamarale

  1. VS is somehow an advanced version of VIP and it offers more features, so I always use VS with deep inspection and a WAF profile when I don't have a dedicated WAF, and I always use VIP without deep inspection when I have a dedicated WAF.
  2. When you want to protect a mail server (25, 587 & 465) and you don't have a dedicated mail gateway, I think the right thing to do is to inspect all ports, while in the firewall rule you allow ports 25, 587 & 465 (didn't test it but I think this will work for STARTTLS as well), and you will be able to protect against malware, spam and attacks.
AEK
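For readers who want to see what the two options in the question look like on the CLI, the following is an added configuration example written for this page; it is not from the thread, from AEK, or from the Fortinet technical tip linked above. It publishes one internal server through a plain static-NAT VIP (no server-load-balance virtual server), attaches an SSL inspection profile that presents the server's own certificate, maps the mail ports from the question under SMTPS rather than HTTPS, and shows where the "inspect all ports" alternative sits. Interface names, addresses, certificate and profile names are assumed placeholders, and option names follow the FortiOS 6.x/7.x CLI as I know it, so check them against the release you run.

```fortios
# Added example, not from the thread: inbound deep inspection with a plain VIP.
# Addresses use documentation ranges; "wan1", "internal", "web-server-cert"
# and the profile names are assumed placeholders.

# 1. Static NAT VIP that publishes the internal server (web + mail on one host here)
config firewall vip
    edit "vip-web"
        set extip 203.0.113.10          # public address (assumed)
        set extintf "wan1"
        set mappedip "10.0.0.10"        # internal server (assumed)
    next
end

# 2. SSL inspection profile for protected servers: the FortiGate presents the
#    server's own certificate (imported beforehand) instead of re-signing
config firewall ssl-ssh-profile
    edit "inbound-deep"
        set comment "Inbound deep inspection for published servers"
        set server-cert-mode replace
        set server-cert "web-server-cert"   # imported server cert + key (assumed name)
        config https
            set ports 443
            set status deep-inspection
        end
        config smtps
            # mail ports from the question belong here, not under https;
            # STARTTLS on 25/587 depends on the FortiGate detecting the TLS
            # upgrade, so verify that in a lab before relying on it
            set ports 25 465 587
            set status deep-inspection
        end
        config ssl
            # the other choice from the question: inspect every port instead of
            # listing them per protocol (uncomment to use)
            # set inspect-all deep-inspection
        end
    next
end

# 3. Inbound policy: without utm-status and the profiles, nothing is inspected
config firewall policy
    edit 0
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip-web"
        set action accept
        set schedule "always"
        set service "HTTPS" "SMTP" "SMTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "inbound-deep"
        set av-profile "default"
        set ips-sensor "protect_http_server"
        set logtraffic all
    next
end
```

A quick check after applying this is to browse to the VIP from outside and confirm the certificate presented is the imported server certificate, not the FortiGate's CA-signed one; if the policy shows no UTM hits in the logs, the usual cause is the missing `utm-status enable` or a service set that does not include the inspected ports.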
kamarale
New Contributor

Hello AEK, thank you for the reply.

Just to understand it correctly. What would I gain if I use VS vs VIP if I am only protecting 1 web server (http/https)? I mean I am not interested in LB.

Normal VIP with inbound SSL inspection vs VirtualServer with inbound SSL inspection

Thank you

Regards

AEK

Hi Kamarale

Honestly, when I protect web servers with FGT's WAF I didn't try it with VIP, I always do it with VS, since this is the recommendation from Fortinet. I don't even know if it will fully work with VIP.

But at least with VS you can select SSL offloading mode (Client-FGT or Full), preserve client IP, redirect HTTP to HTTPS, and some HTTP header manipulation.

AEK
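To make the difference AEK describes concrete, here is an added example (written for this page, not from AEK or from Fortinet) of the same single web server published through a server-load-balance virtual server with one real server. It shows the options mentioned in the reply: SSL offloading mode (half, i.e. Client-FGT, or full), passing the original client IP in an HTTP header, and a companion HTTP virtual server that only redirects to HTTPS. Because the FortiGate terminates TLS itself in offload mode, the policy applies WAF, IPS and AV to the cleartext without a separate deep-inspection profile. Names and addresses are assumed placeholders, and the option names should be checked against the FortiOS release in use.

```fortios
# Added example, not from the thread: one web server behind a virtual server.
# "wan1", "internal", 203.0.113.10, 10.0.0.10 and "web-server-cert" are assumed.

config firewall vip
    # HTTPS virtual server: TLS terminates on the FortiGate (half offload)
    edit "vs-web-https"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "wan1"
        set server-type https
        set extport 443
        set ldb-method static             # one real server, nothing to balance
        set ssl-mode half                 # Client-FGT; "full" re-encrypts toward the server
        set ssl-certificate "web-server-cert"
        set http-ip-header enable         # preserve the client IP for the server's logs
        set http-ip-header-name "X-Forwarded-For"
        config realservers
            edit 1
                set ip 10.0.0.10
                set port 443
            next
        end
    next
    # Companion HTTP virtual server whose only job is to redirect to HTTPS
    edit "vs-web-http-redirect"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "wan1"
        set server-type http
        set extport 80
        set http-redirect enable
        config realservers
            edit 1
                set ip 10.0.0.10
                set port 80
            next
        end
    next
end

# Policy toward both virtual servers carries the protection profiles
config firewall policy
    edit 0
        set name "inbound-vs-web"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vs-web-https" "vs-web-http-redirect"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set waf-profile "default"
        set ips-sensor "protect_http_server"
        set av-profile "default"
        set logtraffic all
    next
end
```

With `ssl-mode half` the link from the FortiGate to the real server is plain HTTP on port 443 in this example; if the backend only accepts TLS, switch to `ssl-mode full` so the FortiGate re-encrypts, at the cost of a second TLS session per connection. The X-Forwarded-For header is what lets the web server log real client addresses, since the source IP it sees is otherwise the FortiGate's.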