Articles > Information Security
Printer Friendly Version
Views: 7709

Fortigate SSL Inspection - Load Balancer with ICMP

Last Updated: 4/17/15

Setting Up Fortigate SSL deep Inspection For your HTTPS webserver

I struggled with this, because all the user guides forget to mention the step where you create the ssl-ssh-profile

Overview of steps
- create VIPs pointed at real servers. One for each protocol (HTTP, HTTPS, ICMP, etc...)
- Import your certificate with private key OR generate a CSR and complete it with your CA to create a new SSL cert
- Setup the ssl-ssh-profile (SSL/SSH Inspection Profile) with the correct SSL certificate
- create the policy rules
- test everything

sample CLI config

/* create the VIP */


config firewall vip
    edit "Webmail_HTTPS"
        set comment "SSL for Webmail"
        set type server-load-balance
        set extip x.x.x.x
        set extintf "wan1"
        set server-type https
        set http-ip-header enable
        set monitor "Ping-Mon"
        set ldb-method first-alive
        set persistence http-cookie
        set extport 443
            config realservers



                edit 1
                    set ip 192.168.x.x
                    set port 443
                next
            end
        set https-cookie-secure enable
        set ssl-mode full
        set ssl-certificate "Wildcard_2014"
        set ssl-dh-bits 2048
    next
end

/* create the SSL inspection profile */

config firewall ssl-ssh-profile
 edit "wildcard_SSL_Inspection"
            config https
                set ports 443
            end
            config ftps
                set ports 990
            end
            config imaps
                set ports 993
            end



            config pop3s
                set ports 995
            end
            config smtps
                set ports 465
            end
            config ssh
                set ports 22
            end
            config ssl-exempt
                edit 1
                    set fortiguard-category 33
                next
                edit 2
                    set fortiguard-category 87
                next
                edit 3
                    set fortiguard-category 31
                next
            end
        set server-cert-mode replace
        set server-cert "Wildcard_2014"
    next
end


/* create the policy rule - do NOT forget the SSL inspection profile  */
Also, be sure to use an IPS sensor or else all this SSL inspection setup will do you no good

config firewall policy
    edit 383
        set srcintf "any"
        set dstintf "DMZ"
        set srcaddr "all"
        set dstaddr "Webmail_HTTPS"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set logtraffic all
        set comments "Webmail (With SSL Inspection)"
        set ips-sensor "protect web server"
        set profile-protocol-options "default"
        set ssl-ssh-profile "wildcard_SSL_Inspection"
    next
end



ALSO, if you want ICMP to work with your new virtual IP, be sure to create this additional VIP and then add it to your policy


config firewall vip
edit "VIP"
set extip xxx.xxx.xxx.xxx
set extintf "wan1"
set portforward enable
set mappedip xxx.xxx.xxx.xxx
set protocol icmp
next
end




Keywords: fortinet, fortigate, SSL inspection, wildcard certificate, virtual IP address, NAT, TCP 443