
Scenario 1 – Layer 2 Transparent Proxy

7.4.0

This is the most common deployment type: the client and FortiADC are on the same subnet, so the client does not need its IP address changed. This topology is also known as a stealth firewall.

Topology

Creating a Soft-switch

  1. Go to Network > Interface, then click the tab Interface.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the soft-switch.
    • Type: Select Softswitch.
    • Member in Type Specifics: Bind the ports facing the client side and gateway side. In the above topology, that is Port1 and Port2.
    • IPv4 in Mode Specifics: Type the address of the softswitch. In the above topology, that is 172.23.133.175/24.
  4. Save the configuration.

Creating Client SSL Profile for SSLi instance

  1. Go to SSLi Proxy > Application Resources, then click the tab Client SSL.
  2. Click Create New > Advanced Mode to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the client SSL profile.
    • Forward Proxy: Enable this option.
    • Forward Proxy Local Signing CA: Select a CA certificate that your clients trust.
    • Backend SSL SNI Forward: Enable this option.
  4. Save the configuration.

Creating Real Server Profile for SSLi instance

  1. Go to SSLi Proxy > Real Server Pool, then click the tab Real Server.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot. Two real servers are needed here: one for the gateway and one for the security device.
    • Name: Enter a unique name for the Real Server.
    • Address: Enter the correct IP address.
  4. Save the configuration.
  5. Go to SSLi Proxy > Real Server Pool, then click the tab Real Server Pool. Here we need to create two real server pools containing the above two real servers respectively.
  6. Click Create New to display the configuration editor.
  7. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the Real Server Pool.
    • Real Server SSL Profile: Enable SSL on the real server to the gateway side, and disable SSL on the one to the security device side.
    • Member: Select the correct real server for your topology.
  8. Save the configuration.

Configuring Static Routing

  1. Go to Network > Routing, then click the tab Static.
  2. Click Create New to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Destination: Enter the client IP address range.
    • Gateway: Enter the IP address of the security device on the re-encryption side.
  4. Save the configuration.

This static route forwards packets destined for the client IP range back to the security device.

Creating an SSLi instance for L2 deployment

  1. Go to SSLi Proxy > Instance, then click the tab Instance.
  2. Click Create New > Advanced Mode to display the configuration editor.
  3. Complete the key configuration as shown in the screenshot.
    • Name: Enter a unique name for the SSLi instance.
    • Topology: Select the L2 Transparent Proxy.
    • Decryption tab
      • Inbound Interface: Select the Softswitch type interface you just created.
      • Client SSL Profile: Select the client SSL profile you just created.
      • Outbound Real Server Pool: Select the server pool to the security device.
    • Re-encryption tab
      • Inbound Interface: Select an interface connected to the security device side.
      • Outbound Real Server Pool: Select the server pool to the gateway side.
      • Outbound Interface Status: Enable this option.
      • Outbound Interface: Select the interface connected to the gateway side.
    • If you have configured both L7 and L2/L3 instances for the same security device (attached to the same subnets), their port numbers must differ. This restriction will be removed in a later release.

  4. Save the configuration.

Enabling rt-cache-strict

Run the following commands:

  config router setting
    set rt-cache-strict enable
    config rt-cache-reverse-exception
    end
  end

Client side: install CA and try the SSLi function

  1. Install the Local Signing CA selected on FortiADC on the client.
  2. Open the browser and navigate to https://us.yahoo.com; you will see that the derived certificate is signed by "Local Signing CA".
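The browser check in step 2, as an added example that is not part of the Fortinet page: a Python script that reads the certificate the client receives and reports whether its issuer is the Local Signing CA (interception active) and whether the derived certificate still names the requested host, which it should when Backend SSL SNI Forward is enabled. The CA common name, the PEM path argument and the two sample certificate dicts are constructed assumptions.

```python
import socket
import ssl

EXPECTED_CA_CN = "Local Signing CA"  # assumption: CN of the CA chosen in the client SSL profile

def _names(rdn_seq):
    # Flatten a getpeercert() issuer/subject tuple into {attribute: value}.
    return {attr: value for rdn in rdn_seq for attr, value in rdn}

def _host_matches(pattern, host):
    # dNSName match; a wildcard is honoured only in the leftmost label.
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def check_interception(peercert, host, expected_ca_cn=EXPECTED_CA_CN):
    """Return (intercepted, host_ok) for a dict shaped like ssl.getpeercert()."""
    issuer_cn = _names(peercert.get("issuer", ())).get("commonName", "")
    intercepted = issuer_cn == expected_ca_cn
    sans = [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:  # fall back to the subject CN when the cert carries no SAN
        sans = [_names(peercert.get("subject", ())).get("commonName", "")]
    host_ok = any(_host_matches(san, host) for san in sans)
    return intercepted, host_ok

def fetch_peercert(host, cafile, port=443):
    """Connect as the client would and return the presented certificate.
    cafile: Local Signing CA exported from FortiADC in PEM form (assumption)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_default_certs()  # also trust public roots so a bypassed flow still verifies
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() layout: one derived by the SSLi instance,
# one as a client would see it when the flow is not intercepted.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "us.yahoo.com"),),),
    "issuer": ((("organizationName", "Example Org"),), (("commonName", "Local Signing CA"),)),
    "subjectAltName": (("DNS", "*.yahoo.com"), ("DNS", "yahoo.com")),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "us.yahoo.com"),),),
    "issuer": ((("commonName", "Constructed Public Root CA"),),),
    "subjectAltName": (("DNS", "us.yahoo.com"),),
}
```

Run `check_interception(fetch_peercert("us.yahoo.com", "/path/to/local-signing-ca.pem"), "us.yahoo.com")` from a client behind the soft-switch; `(True, True)` means the flow is decrypted and the derived certificate is well-formed for the host.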

Testing SSLi deployment

To test the deployment, check if the plain HTTP traffic is logged on the security device.