Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

VS SSL offloading with deep inspection

Hi FortiGate admins

Even when it works well we usually feel the need to understand how it works.

A common scenario when we publish a HTTPS Web server through a VS (for load-balancing and/or HTTP host based routing) and a proxy inspection firewall policy with deep inspection (for WAF & IPS inspection), using the same certificate like described in the article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Inbound-SSL-Deep-Inspection/ta...

 

The confusion is that we use SSL offloading at VS level and deep inspection at firewall policy level, like if we configure traffic decryption at two levels (but I guess it is done once, right?).

There are some question like:

  • Who decrypts the traffic in this case? VS' SSL offloading or policy's SSL inspection profile? And what is the aim of configuring twice (at VS and at policy level).
  • What is the expected behavior if we use the half mode SSL offloading (Client <-> FortiGate) in such case? Is it half offloaded as per the configured VS' SSL offloading mode, or re-encrypted before sent to back-end server as per the deep inspection profile?
  • And what if we just need a half mode SSL offloading with clear text communication between FG and the back-end server (80)? In this case wouldn't the deep inspection at policy level force the traffic to be re-encrypted before sending to back-end server?
 
AEK
AEK
2 REPLIES 2
Debbie_FTNT
Staff
Staff

Hey AEK,

 

let's see if I can shed some light :).

Please take this with a grain of salt, I've gotten a bit rusty with SSL inspection and related queries, but as far as I know:

- VS SSL offloading should take precedence before SSL inspection (VIP/VS-related config is handled first before a packet goes through UTM)

- if I remember correctly, with SSL offloading, the FortiGate essentially handles HTTP traffic once the traffic has hit the virtual server, and it would be that unencrypted traffic that is handed to UTM for inspection

-> deep inspection would not come into play as I understand it

-> deep inspection should also not re-encrypt the traffic, as from a UTM perspective the traffic is not encrypted in the first place

 

Cheers,

Debbie

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
AEK

Thanks again Debbie. Again it is more clear but I still need some deeper exercise to remove my rust.

AEK
AEK
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors