Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
lgm
New Contributor

Fortiweb: Apply different policy depending on Source IP.

I have a Fortigate+Fortiweb (waf)

I have a web service published on a public IP in the Fortigate. Through a NAT I redirect the traffic to a virtual IP in the WAF. When the traffic arrives to the WAF, I need that depending on the source IP of my clients I can apply one policy or another.

I want to do this because I have a couple of clients that have insecure Ciphers, so I want to apply a special policy to them. That is to say, they are going to use the same services all the clients, but to some of them I have to allow them to negotiate with more insecure ciphers.

 

How can I do this?

2 REPLIES 2
rosatechnocrat
Contributor II

@lgm : Unfortunately, you can not set the SSL-Cipher based on the client Source IP. 

 

The workaround to achieve this can be

1.  Create two Virtual IP on Fortiweb and bind different SSL Ciphers against the Virtual Servers. 

2. From Fortigate perform the NAT based on the source IP to redirect the traffic two different Virtual server on Fortiweb. 

 

 

ssl setting.PNG

 

Rosa Technocrat -- Also on YouTube---Please do Subscribe
Rosa Technocrat -- Also on YouTube---Please do Subscribe
lgm
New Contributor

Hi!

 

Yesterday we tried to do that, but the Fortigate does not allow us to create a new NAT pointing to the 2 virtual IPs, since the NAT is on the same public IP and with the same port 443.

How can we do this? I tell you that for now we have not found the way to do it.

 

Thanks!

Labels
Top Kudoed Authors