Reverse Proxy (Load Balancer) + Deep inspection - Why?

Author
amorales
2021/03/16 11:44:04

I am just curious about why we need to add a deep inspection security profile if we are configuring the FortiGate as reverse proxy. So I have to specify a certificate in the Virtual Server, and also a certificate in the deep inspection profile if I follow this Fortinet guide:
 
https://kb.fortinet.com/kb/documentLink.do?externalID=FD49325
 
Method 2 - Server Load balance (SSL-mode half).

1) Create Server load balance object.

# config firewall vip
    edit "Web"
        set type server-load-balance
        set extip 10.56.243.162
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 10.101.0.52
                set port 80
            next
        end
        set ssl-certificate "wildcard_lab_com_au"
    next
end
2) Create new firewall policy with destinated VIP.

# config firewall policy
    edit 2
        set srcintf "port10"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "Web"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set logtraffic all
        set webcache enable
        set webcache-https enable
        set fsso disable
        set ssl-ssh-profile "deep-inspection"
        set nat enable
    next
end
 
Does someone know the reason behind this configuration? If the incoming traffic is being decrypted thanks to the virtual server, why do we need to add a deep-inspection profile too? Plus, does someone know what would happen if I chose different certificates for the virtual server and for the deep-inspection security profile? Thanks.
 
 
EDIT: Ok, I have just realized that the deep inspection in this example is for the traffic originated from real server (Server -> Internet), and it differs from "Protecting SSL Server" inspection profile.
post edited by amorales - 2021/03/16 12:06:44
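As an added illustration (not code from the post or from Fortinet), a small Python parser for the FortiOS config/edit/set/next/end syntax shown above, plus an audit that flags the points the question turns on: whether the https VIP carries its own ssl-certificate, that in SSL half mode the FortiGate-to-real-server leg on port 80 is plain HTTP, and whether a policy with utm-status enable references an ssl-ssh-profile. The SAMPLE config is constructed from the two blocks in the post, trimmed to the settings the audit reads.

```python
import shlex  # SAMPLE below is constructed from the post's CLI blocks, trimmed
SAMPLE = """# config firewall vip
    edit "Web"
        set type server-load-balance
        set server-type https
        config realservers
            edit 1
                set ip 10.101.0.52
                set port 80
            next
        end
        set ssl-certificate "wildcard_lab_com_au"
    next
end
# config firewall policy
    edit 2
        set dstaddr "Web"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
    next
end"""

def parse_fortios(text):
    """Turn nested config/edit/set/next/end blocks into nested dicts."""
    root = {}
    stack = [root]  # innermost open table or entry is stack[-1]
    for tok in filter(None, (shlex.split(l.lstrip("# ")) for l in text.splitlines())):
        if tok[0] in ("config", "edit"):  # open a table or an entry (prompt "# " stripped)
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":  # single value kept as str, multi-value as list
            stack[-1][tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def audit_ssl_offload(cfg):
    """Findings for a server-load-balance VIP in SSL half mode and the policy using it."""
    out, policies = [], cfg.get("firewall policy", {})
    for name, vip in cfg.get("firewall vip", {}).items():
        if vip.get("type") != "server-load-balance":
            continue
        if vip.get("server-type") == "https" and "ssl-certificate" not in vip:
            out.append(f"VIP {name}: https offload but no ssl-certificate set")
        for rs in vip.get("realservers", {}).values():  # half mode: backend leg is plaintext
            if rs.get("port") == "80":
                out.append(f"VIP {name}: FortiGate-to-{rs['ip']}:80 leg is unencrypted")
        for pid, pol in policies.items():  # the policy that delivers traffic to this VIP
            if pol.get("dstaddr") == name and pol.get("utm-status") == "enable" and "ssl-ssh-profile" not in pol:
                out.append(f"policy {pid}: utm-status enable without an ssl-ssh-profile")
    return out
```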
0 Replies