Reverse Proxy (Load Balancer) + Deep inspection - Why?

2021/03/16 11:44:04 (permalink)


I am just curious about why we need to add a deep inspection security profile if we are configuring the FortiGate as a reverse proxy. I have to specify a certificate in the Virtual Server, and also a certificate in the deep inspection profile, if I follow this Fortinet guide:
Method 2 - Server Load balance (SSL-mode half).

1) Create Server load balance object.

# config firewall vip
    edit "Web"
        set type server-load-balance
        set extip
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip
                set port 80
            next
        end
        set ssl-certificate "wildcard_lab_com_au"
    next
end
2) Create new firewall policy with destinated VIP.

# config firewall policy
    edit 2
        set srcintf "port10"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set logtraffic all
        set webcache enable
        set webcache-https enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
Does someone know the reason behind this configuration? If the incoming traffic is being decrypted thanks to the virtual server, why do we need to add a deep-inspection profile too? Plus, does someone know what would happen if I chose different certificates for the virtual server and for the deep-inspection security profile? Thanks.
EDIT: OK, I have just realized that the deep inspection in this example is for the traffic originating from the real server (Server -> Internet), and it differs from the "Protecting SSL Server" inspection profile.
post edited by amorales - 2021/03/16 12:06:44
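As an added example (not from the post or the Fortinet guide), here is the profile shape Fortinet calls "Protecting SSL Server", written as a CLI snippet that reuses the post's certificate name; it assumes the FortiOS `server-cert-mode` / `server-cert` keys of the `firewall ssl-ssh-profile` object. Unlike the default "deep-inspection" profile referenced by the policy above, which re-signs outbound sessions with the FortiGate's CA certificate, this profile presents the real server certificate to inbound clients, so no browser trust warning is expected.

```fortios
config firewall ssl-ssh-profile
    edit "protect-web-server"
        set comment "Added example: inbound server protection profile, assumed syntax"
        # replace = present the server's own certificate instead of a CA re-signed one
        set server-cert-mode replace
        set server-cert "wildcard_lab_com_au"
        config https
            set ports 443
            set status deep-inspection
        end
    next
end
```

Reference this profile from the inbound policy with `set ssl-ssh-profile "protect-web-server"` only when inbound inspection is actually wanted; the guide's SSL-mode half VIP already terminates TLS, so the real server side is plain HTTP on port 80.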
