Administration Guide

WAN optimization SSL proxy chaining

An SSL server does not need to be defined for WAN optimization (WANOpt) SSL traffic offloading (traffic acceleration). The server side FortiGate uses an SSL profile to resign the HTTP server's certificate, both with and without an external proxy, without an SSL server configured. GCM and ChaCha ciphers can also be used in the SSL connection.

Examples

In these examples, HTTPS traffic is accelerated without configuring an SSL server, including with a proxy in between, and when the GCM or ChaCha ciphers are used.

Example 1

In this example, the server certificate is resigned by the server side FortiGate, and HTTPS traffic is accelerated without configuring an SSL server.

HTTPS traffic using the GCM or ChaCha cipher can pass through the WANOpt tunnel.

To configure FGT_A:
  1. Configure the hard disk to perform WANOpt:

    config system storage
        edit "HDD2"
            set status enable
            set usage wanopt
            set wanopt-mode mix
        next
    end
  2. Configure the WANOpt peer and profile:

    config wanopt peer
        edit "FGT-D"
            set ip 120.120.120.172
        next
    end
    config wanopt profile
        edit "test"
            config http
                set status enable
                set ssl enable
            end
        next
    end
  3. Create an SSL profile with deep inspection on HTTPS port 443:

    config firewall ssl-ssh-profile
        edit "ssl"
            config https
                set ports 443
                set status deep-inspection
            end
        next
    end
  4. Configure a firewall policy in proxy mode with WANOpt enabled and the WANOpt profile selected:

    config firewall policy
        edit 1
            set name "WANOPT-A"
            set srcintf "port21"
            set dstintf "port27"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set wanopt enable
            set wanopt-profile "test"
            set nat enable
        next
    end
To configure FGT_D:
  1. Configure the hard disk to perform WANOpt:

    config system storage
        edit "HDD2"
            set status enable
            set usage wanopt
            set wanopt-mode mix
        next
    end
  2. Configure the WANOpt peer:

    config wanopt peer
        edit "FGT-A"
            set ip 110.110.110.171
        next
    end
  3. Create an SSL profile with deep inspection on HTTPS port 443. The default Fortinet_CA_SSL certificate is used to resign the server certificate:

    config firewall ssl-ssh-profile
        edit "ssl"
            config https
                set ports 443
                set status deep-inspection
            end
        next
    end
  4. Configure a firewall policy in proxy mode with WANOpt enabled and passive WANOpt detection:

    config firewall policy
        edit 1
            set name "WANOPT-B"
            set srcintf "port27"
            set dstintf "port23"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection passive
            set nat enable
        next
    end
  5. Configure a proxy policy to apply the SSL profile:

    config firewall proxy-policy
        edit 100
            set proxy wanopt
            set dstintf "port23"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set action accept
            set schedule "always"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
        next
    end
To confirm that traffic is accelerated:
  1. On the client PC, curl a 10MB test sample for the first time:

    root@client:/tmp# curl -k https://172.16.200.144/test_10M.pdf -O
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 9865k  100 9865k    0     0   663k      0  0:00:14  0:00:15 --:--:-- 1526k 

    It takes 15 seconds to finish the download.

  2. On FGT_A, check the WAD statistics:

    # diagnose wad stats worker.tunnel
    comp.n_in_raw_bytes                  10155840
    comp.n_in_comp_bytes                 4548728
    comp.n_out_raw_bytes                 29624
    comp.n_out_comp_bytes                31623
    # diagnose wad stats worker.protos.http
    wan.bytes_in                        0
    wan.bytes_out                       0
    lan.bytes_in                        760
    lan.bytes_out                       10140606
    tunnel.bytes_in                     4548728
    tunnel.bytes_out                    31623
  3. Curl the same test sample a second time:

    root@client:/tmp# curl -k https://172.16.200.144/test_10M.pdf -O
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 9865k  100 9865k    0     0   663k      0  0:00:01  0:00:01 --:--:-- 1526k

    It now takes less than one second to finish the download.

  4. On FGT_A, check the WAD statistics again:

    # diagnose wad stats worker.tunnel
    comp.n_in_raw_bytes                  10181157
    comp.n_in_comp_bytes                 4570331              
    comp.n_out_raw_bytes                 31627
    comp.n_out_comp_bytes                34702
    # diagnose wad stats worker.protos.http
    wan.bytes_in                        0
    wan.bytes_out                       0
    lan.bytes_in                        1607
    lan.bytes_out                       20286841
    tunnel.bytes_in                     4570331
    tunnel.bytes_out                    34702

    The tunnel byte counters barely change, but the LAN byte counters double. This means that the second curl is served from the cache on FGT_A, confirming that the traffic is accelerated.

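The comparison in the preceding step can be scripted. The following is an added example, not part of the guide or of FortiOS: it parses the two `diagnose wad stats worker.protos.http` snapshots shown above (embedded here as constructed sample text) and reports what fraction of the bytes delivered to the LAN client never crossed the tunnel, which separates a compression-only gain on the first download from a cache hit on the second.

```python
import re
from typing import Dict

# Constructed samples: the two `diagnose wad stats worker.protos.http`
# snapshots shown on the page, taken on FGT_A after the first and after
# the second curl of the 10MB test file.
STATS_AFTER_FIRST_CURL = """\
# diagnose wad stats worker.protos.http
wan.bytes_in                        0
wan.bytes_out                       0
lan.bytes_in                        760
lan.bytes_out                       10140606
tunnel.bytes_in                     4548728
tunnel.bytes_out                    31623
"""

STATS_AFTER_SECOND_CURL = """\
# diagnose wad stats worker.protos.http
wan.bytes_in                        0
wan.bytes_out                       0
lan.bytes_in                        1607
lan.bytes_out                       20286841
tunnel.bytes_in                     4570331
tunnel.bytes_out                    34702
"""

# One counter per line: "<name>  <integer>". The CLI prompt line does not match.
COUNTER_RE = re.compile(r"^\s*([\w.]+)\s+(\d+)\s*$")


def parse_wad_stats(text: str) -> Dict[str, int]:
    """Parse `diagnose wad stats` output into a {counter: value} dict."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def counter_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Growth of each counter between two snapshots (missing 'before' keys count as 0)."""
    return {name: value - before.get(name, 0) for name, value in after.items()}


def cache_hit_ratio(before: Dict[str, int], after: Dict[str, int]) -> float:
    """Fraction of the bytes delivered to the LAN client that did NOT have to
    cross the WANOpt tunnel. Compression alone gives a moderate ratio; a value
    close to 1.0 means the object was served from the local byte cache."""
    delta = counter_deltas(before, after)
    lan_out = delta.get("lan.bytes_out", 0)
    tunnel_in = delta.get("tunnel.bytes_in", 0)
    if lan_out <= 0:
        return 0.0  # nothing was delivered, so no acceleration can be claimed
    return max(0.0, 1.0 - tunnel_in / lan_out)


def served_from_cache(before: Dict[str, int], after: Dict[str, int],
                      threshold: float = 0.9) -> bool:
    """True when almost all delivered bytes came from the cache rather than the tunnel."""
    return cache_hit_ratio(before, after) >= threshold


if __name__ == "__main__":
    first = parse_wad_stats(STATS_AFTER_FIRST_CURL)
    second = parse_wad_stats(STATS_AFTER_SECOND_CURL)
    # First download: counters start from zero, so the gain is compression only (~0.55).
    print("first curl  cache ratio: %.3f" % cache_hit_ratio({}, first))
    # Second download: tunnel barely grows while LAN bytes double (~0.998) -> cache hit.
    print("second curl cache ratio: %.3f" % cache_hit_ratio(first, second))
    print("second curl served from cache:", served_from_cache(first, second))
```

The 0.9 threshold is an assumption chosen for this walkthrough; on a busy FortiGate other sessions also move the counters, so take both snapshots as close to the test download as possible.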
To confirm that a curl using the GCM cipher is accepted and accelerated:
  1. On the client PC, curl a 10MB test sample with the GCM cipher:

    root@client:/tmp# curl -v -k --ciphers DHE-RSA-AES128-GCM-SHA256 https://172.16.200.144/test_10M.pdf -O
    *   Trying 172.16.200.144...
    * TCP_NODELAY set
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 172.16.200.144 (172.16.200.144) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: DHE-RSA-AES128-GCM-SHA256
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: none
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [100 bytes data]
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [1920 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    { [783 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    { [4 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    } [262 bytes data]
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    } [16 bytes data]
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    { [16 bytes data]
    * SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=ubuntu
    *  start date: Sep 20 21:38:01 2018 GMT
    *  expire date: Sep 17 21:38:01 2028 GMT
    *  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=Fortinet Untrusted CA; emailAddress=support@fortinet.com
    *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
    } [5 bytes data]
    > GET /test_10M.pdf HTTP/1.1
    > Host: 172.16.200.144
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    { [5 bytes data]
    < HTTP/1.1 200 OK
    < Date: Sat, 12 Jun 2021 00:31:08 GMT
    < Server: Apache/2.4.37 (Ubuntu)
    < Upgrade: h2,h2c
    < Connection: Upgrade
    < Last-Modified: Fri, 29 Jan 2021 20:10:25 GMT
    < ETag: "9a2572-5ba0f98404aa5"
    < Accept-Ranges: bytes
    < Content-Length: 10102130
    < Content-Type: application/pdf
    <
    { [5 bytes data]
    100 9865k  100 9865k    0     0  16.7M      0 --:--:-- --:--:-- --:--:-- 16.8M
    * Connection #0 to host 172.16.200.144 left intact
    * Closing connection 0
To confirm that a curl using the ChaCha cipher is accepted and accelerated:
  1. On the client PC, curl a 10MB test sample with the ChaCha cipher:

    root@client:/tmp# curl -v -k --ciphers ECDHE-RSA-CHACHA20-POLY1305 https://172.16.200.144/test.doc -O
    *   Trying 172.16.200.144...
    * TCP_NODELAY set
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 172.16.200.144 (172.16.200.144) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ECDHE-RSA-CHACHA20-POLY1305
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: none
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [100 bytes data]
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [1920 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    { [300 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    { [4 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    } [37 bytes data]
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    } [16 bytes data]
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    { [16 bytes data]
    * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=ubuntu
    *  start date: Sep 20 21:38:01 2018 GMT
    *  expire date: Sep 17 21:38:01 2028 GMT
    *  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=Fortinet Untrusted CA; emailAddress=support@fortinet.com
    *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
    } [5 bytes data]
    > GET /test.doc HTTP/1.1
    > Host: 172.16.200.144
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    { [5 bytes data]
    < HTTP/1.1 200 OK
    < Date: Sat, 12 Jun 2021 00:32:11 GMT
    < Server: Apache/2.4.37 (Ubuntu)
    < Upgrade: h2,h2c
    < Connection: Upgrade
    < Last-Modified: Wed, 05 May 2021 21:59:49 GMT
    < ETag: "4c00-5c19c504b63f4"
    < Accept-Ranges: bytes
    < Content-Length: 19456
    < Content-Type: application/msword
    <
    { [5 bytes data]
    100 19456  100 19456    0     0   137k      0 --:--:-- --:--:-- --:--:--  138k
    * Connection #0 to host 172.16.200.144 left intact
    * Closing connection 0

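Both the GCM and the ChaCha runs above are judged by reading three things out of the `curl -v` output: the negotiated cipher, the certificate issuer (the FortiGate CA rather than the origin server's own), and the verify result that `-k` suppressed. The following added example, which is not part of the guide or of FortiOS, extracts those fields from the GCM transcript (embedded as a constructed sample) and applies the same checks to any cipher string.

```python
import re
from typing import Dict, Optional

# Constructed sample: the TLS-related lines of the `curl -v -k` run with the
# GCM cipher shown on the page (progress meter and HTTP lines omitted).
CURL_VERBOSE_GCM = """\
* Cipher selection: DHE-RSA-AES128-GCM-SHA256
* SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=ubuntu
*  start date: Sep 20 21:38:01 2018 GMT
*  expire date: Sep 17 21:38:01 2028 GMT
*  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=Fortinet Untrusted CA; emailAddress=support@fortinet.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
"""

# Substrings that identify the AEAD cipher suites the page exercises.
AEAD_MARKERS = ("GCM", "CHACHA20-POLY1305")


def parse_dn(dn: str) -> Dict[str, str]:
    """Split curl's 'C=US; ST=California; ...' form into an attribute dict."""
    attrs: Dict[str, str] = {}
    for part in dn.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            attrs[key] = value
    return attrs


def parse_curl_tls(text: str) -> dict:
    """Extract protocol, cipher, certificate subject/issuer and verify status."""
    info: dict = {"protocol": None, "cipher": None, "subject": {}, "issuer": {}, "verify_ok": None}
    for line in text.splitlines():
        m = re.match(r"^\* SSL connection using (\S+) / (\S+)", line)
        if m:
            info["protocol"], info["cipher"] = m.group(1), m.group(2)
            continue
        m = re.match(r"^\*\s+(subject|issuer): (.*)$", line)
        if m:
            info[m.group(1)] = parse_dn(m.group(2))
            continue
        if re.match(r"^\*\s+SSL certificate verify ok\.", line):
            info["verify_ok"] = True
        elif re.match(r"^\*\s+SSL certificate verify result:", line):
            info["verify_ok"] = False  # curl only continued because of -k


    return info


def resigned_by_fortigate(info: dict) -> bool:
    """The issuer names the FortiGate CA rather than the origin server's own CA,
    which shows that the server side FortiGate resigned the certificate."""
    return info["issuer"].get("O") == "Fortinet"


def uses_aead_cipher(info: dict) -> bool:
    """True for the GCM and ChaCha20-Poly1305 suites that the tunnel must accept."""
    cipher = (info.get("cipher") or "").upper()
    return any(marker in cipher for marker in AEAD_MARKERS)


def trust_caveat(info: dict) -> Optional[str]:
    """Why the client reported a verification problem, if it did."""
    if info.get("verify_ok") is False:
        return ("client does not trust issuer CN=%s; distribute the FortiGate CA "
                "to clients instead of relying on curl -k" % info["issuer"].get("CN"))
    return None
```

In the page's transcript the issuer CN is "Fortinet Untrusted CA" because the origin server presents a self-signed certificate; a server certificate chaining to a trusted CA would be resigned with the Fortinet_CA_SSL certificate named in the FGT_D SSL profile step.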
Example 2

In this example, an external proxy is added to the configuration in Example 1.

To reconfigure FGT_A:
  1. Add port 8080 to the HTTP ports in the protocol options profile so that traffic to the explicit proxy is inspected:

    config firewall profile-protocol-options
        edit "protocol"
            config http
                set ports 80 8080
                unset options
                unset post-lang
            end
        next
    end
To reconfigure FGT_D:
  1. Configure a new firewall policy for traffic passing from port27 to port29:

    config firewall policy
        edit 1
            set name "WANOPT-B"
            set srcintf "port27"
            set dstintf "port29"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection passive
            set nat enable
        next
    end
  2. Configure a proxy policy for traffic on destination interface port29:

    config firewall proxy-policy
        edit 100
            set proxy wanopt
            set dstintf "port29"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set action accept
            set schedule "always"
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
        next
    end
To confirm that HTTPS traffic is still being accelerated:
  1. On the client PC, curl the same 10MB test sample through the explicit proxy:

    root@client:/tmp# curl -x 100.100.100.174:8080 -v -k https://172.16.200.144/test_10M.pdf -O
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 9865k  100 9865k    0     0   663k      0  0:00:01  0:00:01 --:--:-- 1526k  

    It takes less than a second to finish the download.