Support Forum
TTFN (New Contributor)

Understanding traffic flow with SSL Protecting Server option

Dear all,

A quick question. FortiGate E series.

I have utilized the HTTPS Virtual Server/SSL Protecting Server option with the full encryption option on a server in our DMZ.

This particular web server needs to be accessible by a select group of internet based IP ranges and the internal network.

I have done this:

IP on WAN interface range -> HTTPS Virtual server on 443 with cert (Full mode) -> Internal server on DMZ network listening on 443

I have then created a firewall rule which references the "From" as the WAN zone with the Internet based IP ranges as the "Source Address", "To" as the DMZ zone referencing the virtual server object as the "Destination".

This is working.

I then decided to utilise the same approach (allowing the FortiGate to decrypt/inspect the HTTPS traffic) with the traffic sourced from the internal network.

To do this I changed the internal DNS such that the web hostname now resolves to the external WAN interface virtual server IP address, and then I had to add the internal network range to the above firewall rule.

This also works. However, I am confused how the firewall is allowing this, as the traffic did not come from the WAN zone as such for the source; it came from the internal interface?

AEK (SuperUser)

Hi TTFN

I guess you are probably using hairpin NAT without knowing: outgoing traffic is NATted and then DNATted before reaching the internal server, and your listening interface is "any".

That would explain your case.

AEK
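The configuration below is an added illustration of the hairpin (DNAT then SNAT) flow described in the reply; it is not from the original thread and is not the poster's configuration. The interface names (`wan1`, `internal`, `dmz`), address objects (`partner-ranges`, `lan-net`), certificate name (`web-cert`) and the documentation-range IP addresses (`203.0.113.10` for the VIP, `192.0.2.20` for the DMZ server) are placeholders. The VIP uses `set extintf "any"`, which is the "listening interface is any" case the reply suggests; with that setting, the FortiGate applies the DNAT to the virtual server address regardless of which interface the packet arrives on, and the policy lookup then uses the real ingress interface. Two explicit policies are shown rather than a single policy with source interface `any`, so that internal clients are matched by their own rule and the internet-facing rule stays restricted to the partner ranges.

```text
# Assumed FortiOS CLI, illustrative only: HTTPS virtual server with full SSL offload
config firewall vip
    edit "vs-web-443"
        set type server-load-balance
        set extip 203.0.113.10          # placeholder WAN-side VIP address
        set extintf "any"               # VIP matches on every ingress interface (hairpin case)
        set server-type https
        set ldb-method static
        set extport 443
        set ssl-mode full               # FortiGate decrypts, inspects, re-encrypts to the real server
        set ssl-certificate "web-cert"  # placeholder certificate name
        config realservers
            edit 1
                set ip 192.0.2.20       # placeholder DMZ web server
                set port 443
            next
        end
    next
end

config firewall policy
    # Internet partners -> DMZ, only the permitted source ranges
    edit 10
        set name "inet-to-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "partner-ranges"    # placeholder address group of allowed internet ranges
        set dstaddr "vs-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
    next
    # Internal clients resolving the hostname to the VIP -> DMZ (hairpin)
    edit 11
        set name "lan-to-web-hairpin"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "lan-net"           # placeholder internal network object
        set dstaddr "vs-web-443"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable                  # SNAT to the dmz interface so the server replies via the FortiGate
    next
end
```

To confirm which path a given connection took, filter the session table on the service port (`diagnose sys session filter dport 443` followed by `diagnose sys session list`): the session entry shows the ingress and egress interfaces and a `dnat` hook for the VIP translation, plus an `snat` hook when NAT is enabled on the matching policy. A packet capture on all interfaces (`diagnose sniffer packet any 'host 192.0.2.20 and port 443' 4`, substituting the real server address) shows the internal client's connection arriving on the internal interface and leaving on the DMZ interface with the translated addresses. If the session list shows only the single WAN-to-DMZ policy matching the internal traffic, that policy's source interface is effectively `any` and should be split as above so the internet-facing rule is not widened to internal sources.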