- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL inspection/offloading in different deployment ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL inspection/offloading in different deployment modes
Hello team,
I have been studying Fortiweb and some questions arise to me when I came to the SSL point.
Firstly, what is the key difference between the transparent mode and the True transparent mode?
Secondly, I understood that in SSL inspection, Fortiweb does not need to terminate the SSL sessions with both clients and server, it just decrypts and re-encrypts the traffic on the flow using the server private key.
Reviewing the "Seamless PKI integration", it looks like Fortiweb must terminate the SSL session, and hence it is kind of offloading with the addition of SSL session to the real server.
Here I have two questions,
1- as FortiWeb generate and re-sign a client certificate when communicating with the backend server, a CA certificate with its private key must be imported to FortiWeb, and this CA must be trusted by the backend server (is that correct?)
2- while it is mentioned in the below link that True transparent mode is supported, why in feature comparion it is mentioned that SSL offloading is not supported in the True transparent mode?
Seamless PKI integration | FortiWeb 7.2.4 | Fortinet Document Library
Thank you.
Labels:
- Labels:
-
FortiWeb
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Akmostafa ,
In Transparent mode, FortiWeb acts as a reverse proxy. It terminates the client's SSL connection, inspects the traffic, and then establishes a new SSL connection to the backend server. The client and server are unaware that FortiWeb is in the middle, but FortiWeb does change the source IP address of the traffic to its own IP address before forwarding it to the server.
In True Transparent Mode, FortiWeb does not change the source IP address of the traffic. It simply forwards the packets between the client and server without modifying them. This is useful in scenarios where it's important for the backend server to see the original client's IP address.
FortiWeb can decrypt and re-encrypt traffic without terminating the SSL session by using the server's private key. This allows it to inspect the traffic for threats without the need for SSL termination. In Seamless PKI Integration mode, FortiWeb does terminate the SSL session. It acts as an SSL offloader, taking on the computational burden of SSL encryption and decryption. This frees up resources on the backend server. Yes, you're correct. If FortiWeb is generating and re-signing a client certificate when communicating with the backend server, a CA certificate and its private key must be imported into FortiWeb. This CA must be trusted by the backend server to validate the re-signed certificate. The reason SSL offloading is not supported in True Transparent Mode is that SSL offloading requires the termination of the SSL session, something that True Transparent Mode is designed to avoid. In True Transparent Mode, FortiWeb is simply forwarding packets without modifying them or terminating the SSL session, so it can't offload the SSL processing from the backend server.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
-
-
Your Question 1: Yes, if FortiWeb is to generate and re-sign a client certificate when communicating with the backend server, it would need a CA certificate and its associated private key. This CA would have to be trusted by the backend server to validate and trust the re-signed certificate.
-
Your Question 2: The discrepancy you mentioned might be due to specific limitations or the way "True Transparent Mode" works. In "True Transparent Mode", since FortiWeb aims to be completely transparent, performing SSL offloading—which inherently changes the nature of the connection—could contradict this mode's intended operation. If SSL offloading is performed, the server would see the connection as coming directly from FortiWeb, not the original client, which goes against the nature of True Transparent Mode.
-
Always remember that while FortiWeb offers many modes and features, the specific use case, security requirements, and network architecture will dictate which mode and feature set are best for a given deployment. It's also essential to be aware of the exact version of FortiWeb and refer to the appropriate documentation for that version. Fortinet's documentation and product features may evolve over time. If there are discrepancies or uncertainties, consulting directly with Fortinet's technical support or documentation would be beneficial.
Siddhanth Poojary
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks team.
Quoting the below from the admin guide:
l True Transparent Proxy—FortiWeb transparently proxies the traffic arriving on a network port that belongs to a
Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. FortiWeb logs, blocks, or
modifies violations according to the matching policy and its protection profile. This mode supports user
authentication via HTTP but not HTTPS.
l Transparent Inspection—FortiWeb asynchronously inspects traffic arriving on a network port that belongs to a
Layer 2 bridge, applies the first applicable policy, and lets permitted traffic pass through. (Because it is
asynchronous, it minimizes latency.) FortiWeb logs or blocks traffic according to the matching policy and its
protection profile, but does not otherwise modify it. (It cannot, for example, offload SSL, load-balance connections,
or support user authentication.
Unlike in Reverse Proxy mode or True Transparent Proxy mode, actions other than
Alert cannot be guaranteed to be successful in Transparent Inspection mode. The
FortiWeb appliance will attempt to block traffic that violates the policy. However, due
to the nature of asynchronous inspection, the client or server may have already
received the traffic that violated the policy.
It looks like the true transparent is closer in behaviour to reverse proxy.
While transparent mode is described by being asynchronous
It said that true transparent "proxies" the traffic. While Transparent "asynchronously inspect it.
So what does this mean?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @Akmostafa ,
In the TI (Transparent Inspection) mode the FortiWeb doesn't act as proxy, it only inspects the traffic that flows through it. If it detects violation of configured security policy it attempts to terminate the TCP session by sending TCP RST packet to the client or server.
In TTP (True Transparent Proxy) mode the FortiWeb acts as proxy for the traffic. It is endpoint for traffic that comes from client and it initiates new session to the server. If it detects violation of configured server policy it will terminate the session on itself and the traffic will not be passed to the other end.
Regards,
Ondrej
Related Posts
- FortiClient 7.2.4 installer with deployed EMS... 123 Views
- Windows Deployment Services not working in... 154 Views
- Deployments and reboots. 87 Views
- FortiClient EMS Server update port only... 162 Views
- FNAC persistence agent deployments 329 Views
Labels
-
FortiGate
6,534 -
FortiClient
1,304 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
Firewall policy
23 -
FortiConnect
23 -
FortiWAN
22 -
FortiConverter
21 -
VLAN
20 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.