SSL inspection/offloading in different deployment modes
I have been studying Fortiweb and some questions arise to me when I came to the SSL point.
Firstly, what is the key difference between the transparent mode and the True transparent mode?
Secondly, I understood that in SSL inspection, Fortiweb does not need to terminate the SSL sessions with both clients and server, it just decrypts and re-encrypts the traffic on the flow using the server private key.
Reviewing the "Seamless PKI integration", it looks like Fortiweb must terminate the SSL session, and hence it is kind of offloading with the addition of SSL session to the real server.
Here I have two questions,
1- as FortiWeb generate and re-sign a client certificate when communicating with the backend server, a CA certificate with its private key must be imported to FortiWeb, and this CA must be trusted by the backend server (is that correct?)
2- while it is mentioned in the below link that True transparent mode is supported, why in feature comparion it is mentioned that SSL offloading is not supported in the True transparent mode?
In Transparent mode, FortiWeb acts as a reverse proxy. It terminates the client's SSL connection, inspects the traffic, and then establishes a new SSL connection to the backend server. The client and server are unaware that FortiWeb is in the middle, but FortiWeb does change the source IP address of the traffic to its own IP address before forwarding it to the server.
In True Transparent Mode, FortiWeb does not change the source IP address of the traffic. It simply forwards the packets between the client and server without modifying them. This is useful in scenarios where it's important for the backend server to see the original client's IP address.
FortiWeb can decrypt and re-encrypt traffic without terminating the SSL session by using the server's private key. This allows it to inspect the traffic for threats without the need for SSL termination. In Seamless PKI Integration mode, FortiWeb does terminate the SSL session. It acts as an SSL offloader, taking on the computational burden of SSL encryption and decryption. This frees up resources on the backend server. Yes, you're correct. If FortiWeb is generating and re-signing a client certificate when communicating with the backend server, a CA certificate and its private key must be imported into FortiWeb. This CA must be trusted by the backend server to validate the re-signed certificate. The reason SSL offloading is not supported in True Transparent Mode is that SSL offloading requires the termination of the SSL session, something that True Transparent Mode is designed to avoid. In True Transparent Mode, FortiWeb is simply forwarding packets without modifying them or terminating the SSL session, so it can't offload the SSL processing from the backend server.
Your Question 1: Yes, if FortiWeb is to generate and re-sign a client certificate when communicating with the backend server, it would need a CA certificate and its associated private key. This CA would have to be trusted by the backend server to validate and trust the re-signed certificate.
Your Question 2: The discrepancy you mentioned might be due to specific limitations or the way "True Transparent Mode" works. In "True Transparent Mode", since FortiWeb aims to be completely transparent, performing SSL offloading—which inherently changes the nature of the connection—could contradict this mode's intended operation. If SSL offloading is performed, the server would see the connection as coming directly from FortiWeb, not the original client, which goes against the nature of True Transparent Mode.
Always remember that while FortiWeb offers many modes and features, the specific use case, security requirements, and network architecture will dictate which mode and feature set are best for a given deployment. It's also essential to be aware of the exact version of FortiWeb and refer to the appropriate documentation for that version. Fortinet's documentation and product features may evolve over time. If there are discrepancies or uncertainties, consulting directly with Fortinet's technical support or documentation would be beneficial.
l True Transparent Proxy—FortiWeb transparently proxies the traffic arriving on a network port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. FortiWeb logs, blocks, or modifies violations according to the matching policy and its protection profile. This mode supports user authentication via HTTP but not HTTPS. l Transparent Inspection—FortiWeb asynchronously inspects traffic arriving on a network port that belongs to a Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. (Because it is asynchronous, it minimizes latency.) FortiWeb logs or blocks traffic according to the matching policy and its protection profile, but does not otherwise modify it. (It cannot, for example, offload SSL, load-balance connections, or support user authentication. Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than Alert cannot be guaranteed to be successful in Transparent Inspection mode. The FortiWeb appliance will attempt to block traffic that violates the policy. However, due to the nature of asynchronous inspection, the client or server may have already received the traffic that violated the policy.
It looks like the true transparent is closer in behaviour to reverse proxy.
While transparent mode is described by being asynchronous
It said that true transparent "proxies" the traffic. While Transparent "asynchronously inspect it.
In the TI (Transparent Inspection) mode the FortiWeb doesn't act as proxy, it only inspects the traffic that flows through it. If it detects violation of configured security policy it attempts to terminate the TCP session by sending TCP RST packet to the client or server.
In TTP (True Transparent Proxy) mode the FortiWeb acts as proxy for the traffic. It is endpoint for traffic that comes from client and it initiates new session to the server. If it detects violation of configured server policy it will terminate the session on itself and the traffic will not be passed to the other end.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.