Setting Up Fortigate SSL deep Inspection For your HTTPS webserver
I struggled with this because all the user guides skip the step where you create the ssl-ssh-profile (the SSL/SSH inspection profile).
Overview of steps
- Create VIPs pointing at the real servers, one per protocol (HTTP, HTTPS, ICMP, etc.)
- Import your certificate together with its private key, OR generate a CSR and have your CA sign it to create a new SSL certificate
- Set up the ssl-ssh-profile (SSL/SSH Inspection Profile) with the correct SSL certificate
- create the policy rules
- test everything
sample CLI config
/* create the VIP */
# Server-load-balance VIP: clients terminate TLS on the FortiGate, which then
# opens its own HTTPS session to the real server (see ssl-mode full below).
config firewall vip
edit "Webmail_HTTPS"
set comment "SSL for Webmail"
set type server-load-balance
# Public address clients connect to (x.x.x.x is a placeholder to fill in).
set extip x.x.x.x
set extintf "wan1"
set server-type https
# Inserts the original client IP into the forwarded HTTP request, so the real
# server's logs keep the true source address instead of the FortiGate's.
set http-ip-header enable
# "Ping-Mon" is a health-check monitor defined elsewhere (not shown on this page).
set monitor "Ping-Mon"
set ldb-method first-alive
set persistence http-cookie
set extport 443
# Back-end pool; a single real server here (192.168.x.x is a placeholder).
config realservers
edit 1
set ip 192.168.x.x
set port 443
next
end
# Presumably marks the inserted persistence cookie Secure so browsers only
# send it over HTTPS - confirm against your firmware's reference.
set https-cookie-secure enable
# full: TLS is decrypted on the FortiGate and re-encrypted toward the real server,
# so the server-side hop is not sent in cleartext.
set ssl-mode full
# Certificate (with private key) presented to clients; it must match the public
# hostname. The same object is referenced by the inspection profile below.
set ssl-certificate "Wildcard_2014"
# DH group size for the client-facing TLS handshake.
set ssl-dh-bits 2048
next
end
/* create the SSL inspection profile */
# Inbound ("protecting server") deep-inspection profile. With server-cert-mode
# replace the FortiGate hands clients the configured server certificate rather
# than re-signing with a CA, which is the mode to use when inspecting traffic to
# your own server.
config firewall ssl-ssh-profile
edit "wildcard_SSL_Inspection"
# Per-protocol port lists the profile inspects. Only https/443 matters for this
# VIP; the remaining entries are the stock defaults.
config https
set ports 443
end
config ftps
set ports 990
end
config imaps
set ports 993
end
config pop3s
set ports 995
end
config smtps
set ports 465
end
config ssh
set ports 22
end
# FortiGuard web-filter categories excluded from decryption. These three ids look
# like the usual default exemptions (presumably health, personal-privacy and
# finance - confirm in your firmware's category list). They only affect outbound
# browsing and are irrelevant to the inbound webmail policy.
config ssl-exempt
edit 1
set fortiguard-category 33
next
edit 2
set fortiguard-category 87
next
edit 3
set fortiguard-category 31
next
end
# replace: present server-cert (whose private key lives on the FortiGate) to
# clients; this is the certificate the VIP already uses.
set server-cert-mode replace
set server-cert "Wildcard_2014"
next
end
/* create the policy rule - do NOT forget the SSL inspection profile */
Also, be sure to attach an IPS sensor to the policy; without one, SSL inspection decrypts the traffic but nothing actually inspects it.
# Inbound policy for the VIP. Deep inspection only pays off when a security
# profile consumes the decrypted stream: utm-status, ips-sensor and
# ssl-ssh-profile must all be set on this rule.
config firewall policy
edit 383
# srcintf any / srcaddr all: reachable from the whole internet by design;
# narrow the source if the webmail audience is known.
set srcintf "any"
set dstintf "DMZ"
set srcaddr "all"
# Destination is the VIP object, not the real server's address.
set dstaddr "Webmail_HTTPS"
set action accept
set schedule "always"
set service "HTTPS"
# Required for any security profile (IPS, SSL inspection) to take effect.
set utm-status enable
# Log accepted sessions as well as denied ones, so inspection hits can be
# correlated with the session that carried them.
set logtraffic all
set comments "Webmail (With SSL Inspection)"
# "protect web server" is an IPS sensor defined elsewhere (not on this page).
set ips-sensor "protect web server"
set profile-protocol-options "default"
# Binds the inspection profile from the previous listing to this rule - the step
# the user guides leave out.
set ssl-ssh-profile "wildcard_SSL_Inspection"
next
end
Also, if you want ICMP (ping) to work against your new virtual IP, create this additional VIP and add it to your policy as well.
# Static-NAT VIP for ICMP only, so the public address answers ping by forwarding
# ICMP to the mapped real server. Reference it from a policy whose service is
# limited to ICMP rather than widening the HTTPS rule.
config firewall vip
edit "VIP"
# Public address (placeholder; presumably the same extip as the HTTPS VIP).
set extip xxx.xxx.xxx.xxx
set extintf "wan1"
set portforward enable
# Internal real-server address (placeholder).
set mappedip xxx.xxx.xxx.xxx
set protocol icmp
next
end
Fortigate SSL Inspection - Load Balancer with ICMP
Last Updated: 4/17/15
Setting Up Fortigate SSL deep Inspection For your HTTPS webserver
I struggled with this because all the user guides skip the step where you create the ssl-ssh-profile (the SSL/SSH inspection profile).
Overview of steps
- Create VIPs pointing at the real servers, one per protocol (HTTP, HTTPS, ICMP, etc.)
- Import your certificate together with its private key, OR generate a CSR and have your CA sign it to create a new SSL certificate
- Set up the ssl-ssh-profile (SSL/SSH Inspection Profile) with the correct SSL certificate
- create the policy rules
- test everything
sample CLI config
/* create the VIP */
# Server-load-balance VIP: clients terminate TLS on the FortiGate, which then
# opens its own HTTPS session to the real server (see ssl-mode full below).
config firewall vip
edit "Webmail_HTTPS"
set comment "SSL for Webmail"
set type server-load-balance
# Public address clients connect to (x.x.x.x is a placeholder to fill in).
set extip x.x.x.x
set extintf "wan1"
set server-type https
# Inserts the original client IP into the forwarded HTTP request, so the real
# server's logs keep the true source address instead of the FortiGate's.
set http-ip-header enable
# "Ping-Mon" is a health-check monitor defined elsewhere (not shown on this page).
set monitor "Ping-Mon"
set ldb-method first-alive
set persistence http-cookie
set extport 443
# Back-end pool; a single real server here (192.168.x.x is a placeholder).
config realservers
edit 1
set ip 192.168.x.x
set port 443
next
end
# Presumably marks the inserted persistence cookie Secure so browsers only
# send it over HTTPS - confirm against your firmware's reference.
set https-cookie-secure enable
# full: TLS is decrypted on the FortiGate and re-encrypted toward the real server,
# so the server-side hop is not sent in cleartext.
set ssl-mode full
# Certificate (with private key) presented to clients; it must match the public
# hostname. The same object is referenced by the inspection profile below.
set ssl-certificate "Wildcard_2014"
# DH group size for the client-facing TLS handshake.
set ssl-dh-bits 2048
next
end
/* create the SSL inspection profile */
# Inbound ("protecting server") deep-inspection profile. With server-cert-mode
# replace the FortiGate hands clients the configured server certificate rather
# than re-signing with a CA, which is the mode to use when inspecting traffic to
# your own server.
config firewall ssl-ssh-profile
edit "wildcard_SSL_Inspection"
# Per-protocol port lists the profile inspects. Only https/443 matters for this
# VIP; the remaining entries are the stock defaults.
config https
set ports 443
end
config ftps
set ports 990
end
config imaps
set ports 993
end
config pop3s
set ports 995
end
config smtps
set ports 465
end
config ssh
set ports 22
end
# FortiGuard web-filter categories excluded from decryption. These three ids look
# like the usual default exemptions (presumably health, personal-privacy and
# finance - confirm in your firmware's category list). They only affect outbound
# browsing and are irrelevant to the inbound webmail policy.
config ssl-exempt
edit 1
set fortiguard-category 33
next
edit 2
set fortiguard-category 87
next
edit 3
set fortiguard-category 31
next
end
# replace: present server-cert (whose private key lives on the FortiGate) to
# clients; this is the certificate the VIP already uses.
set server-cert-mode replace
set server-cert "Wildcard_2014"
next
end
/* create the policy rule - do NOT forget the SSL inspection profile */
Also, be sure to attach an IPS sensor to the policy; without one, SSL inspection decrypts the traffic but nothing actually inspects it.
# Inbound policy for the VIP. Deep inspection only pays off when a security
# profile consumes the decrypted stream: utm-status, ips-sensor and
# ssl-ssh-profile must all be set on this rule.
config firewall policy
edit 383
# srcintf any / srcaddr all: reachable from the whole internet by design;
# narrow the source if the webmail audience is known.
set srcintf "any"
set dstintf "DMZ"
set srcaddr "all"
# Destination is the VIP object, not the real server's address.
set dstaddr "Webmail_HTTPS"
set action accept
set schedule "always"
set service "HTTPS"
# Required for any security profile (IPS, SSL inspection) to take effect.
set utm-status enable
# Log accepted sessions as well as denied ones, so inspection hits can be
# correlated with the session that carried them.
set logtraffic all
set comments "Webmail (With SSL Inspection)"
# "protect web server" is an IPS sensor defined elsewhere (not on this page).
set ips-sensor "protect web server"
set profile-protocol-options "default"
# Binds the inspection profile from the previous listing to this rule - the step
# the user guides leave out.
set ssl-ssh-profile "wildcard_SSL_Inspection"
next
end
Also, if you want ICMP (ping) to work against your new virtual IP, create this additional VIP and add it to your policy as well.
# Static-NAT VIP for ICMP only, so the public address answers ping by forwarding
# ICMP to the mapped real server. Reference it from a policy whose service is
# limited to ICMP rather than widening the HTTPS rule.
config firewall vip
edit "VIP"
# Public address (placeholder; presumably the same extip as the HTTPS VIP).
set extip xxx.xxx.xxx.xxx
set extintf "wan1"
set portforward enable
# Internal real-server address (placeholder).
set mappedip xxx.xxx.xxx.xxx
set protocol icmp
next
end
Keywords: fortinet, fortigate, SSL inspection, wildcard certificate, virtual IP address, NAT, TCP 443