Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 6.4.5 Administration Guide
    6.4.5
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    HTTP to HTTPS redirect for load balancing

    HTTP to HTTPS redirect for load balancing

    You can configure a virtual server with HTTP to HTTPS redirect enabled. When enabled, a virtual server can convert a client's HTTP requests to HTTPS requests. Through this mandatory conversion, HTTP traffic is converted to HTTPS traffic. This conversion improves the security of the user network.

    You can only enable this feature by using the CLI. After you enable this feature, traffic flows as follows:

    • When FortiGate receives an HTTP request for an external IP, such as 10.1.100.201 in the following example, FortiGate sends an HTTP 303 response back to the original client and redirects HTTP to HTTPS, instead of forwarding the HTTP request to the real backend servers.
    • The client browser restarts the TCP session to HTTPS.
    • The HTTPS session comes to the FortiGate where a matching firewall policy allows the HTTPS traffic and establishes a secure SSL connection, and then forwards the request to the real backend servers.
    To configure virtual server with HTTPS redirect enabled:
    1. Create a virtual server with server-type set to http:

      config firewall vip

      edit "virtual-server-http"

      set type server-load-balance

      set extip 10.1.100.201

      set extintf "wan2"

      set server-type http

      set ldb-method round-robin

      set extport 80

      config realservers

      edit 1

      set ip 172.16.200.44

      set port 80

      next

      edit 2

      set ip 172.16.200.55

      set port 80

      next

      end

      next

      end

    2. Create a virtual server with server-type set to https and with the same external IP address:

      config firewall vip

      edit "virtual-server-https"

      set type server-load-balance

      set extip 10.1.100.201

      set extintf "wan2"

      set server-type https

      set ldb-method round-robin

      set extport 443

      config realservers

      edit 1 set ip 172.16.200.44

      set port 443

      next

      edit 2

      set ip 172.16.200.55

      set port 443

      next

      end

      set ssl-certificate "Fortinet_CA_SSL"

      next

      end

    3. Enable the http-redirect option for the virtual server with server-type set to http:

      config firewall vip

      edit "virtual-server-http"

      set http-redirect enable

      next

      end

    4. Add the two virtual servers to a policy:

      config firewall policy

      edit 9

      set srcintf "wan2"

      set dstintf "wan1"

      set srcaddr "all"

      set dstaddr "virtual-server-http" "virtual-server-https"

      set action accept

      set schedule "always"

      set service "ALL"

      set inspection-mode proxy set logtraffic all

      set auto-asic-offload disable

      set nat enable

      next

      end

    Previous
    Next

    HTTP to HTTPS redirect for load balancing

    HTTP to HTTPS redirect for load balancing

    You can configure a virtual server with HTTP to HTTPS redirect enabled. When enabled, a virtual server can convert a client's HTTP requests to HTTPS requests. Through this mandatory conversion, HTTP traffic is converted to HTTPS traffic. This conversion improves the security of the user network.

    You can only enable this feature by using the CLI. After you enable this feature, traffic flows as follows:

    • When FortiGate receives an HTTP request for an external IP, such as 10.1.100.201 in the following example, FortiGate sends an HTTP 303 response back to the original client and redirects HTTP to HTTPS, instead of forwarding the HTTP request to the real backend servers.
    • The client browser restarts the TCP session to HTTPS.
    • The HTTPS session comes to the FortiGate where a matching firewall policy allows the HTTPS traffic and establishes a secure SSL connection, and then forwards the request to the real backend servers.
    To configure virtual server with HTTPS redirect enabled:
    1. Create a virtual server with server-type set to http:

      config firewall vip

      edit "virtual-server-http"

      set type server-load-balance

      set extip 10.1.100.201

      set extintf "wan2"

      set server-type http

      set ldb-method round-robin

      set extport 80

      config realservers

      edit 1

      set ip 172.16.200.44

      set port 80

      next

      edit 2

      set ip 172.16.200.55

      set port 80

      next

      end

      next

      end

    2. Create a virtual server with server-type set to https and with the same external IP address:

      config firewall vip

      edit "virtual-server-https"

      set type server-load-balance

      set extip 10.1.100.201

      set extintf "wan2"

      set server-type https

      set ldb-method round-robin

      set extport 443

      config realservers

      edit 1 set ip 172.16.200.44

      set port 443

      next

      edit 2

      set ip 172.16.200.55

      set port 443

      next

      end

      set ssl-certificate "Fortinet_CA_SSL"

      next

      end

    3. Enable the http-redirect option for the virtual server with server-type set to http:

      config firewall vip

      edit "virtual-server-http"

      set http-redirect enable

      next

      end

    4. Add the two virtual servers to a policy:

      config firewall policy

      edit 9

      set srcintf "wan2"

      set dstintf "wan1"

      set srcaddr "all"

      set dstaddr "virtual-server-http" "virtual-server-https"

      set action accept

      set schedule "always"

      set service "ALL"

      set inspection-mode proxy set logtraffic all

      set auto-asic-offload disable

      set nat enable

      next

      end

    Previous
    Next