
FortiADC™ Deployment Guide

High-Performance SSL Inspection with FortiADC and FortiGate


FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com 

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

February 4, 2016

FortiADC Deployment Guide

Revision 1
TABLE OF CONTENTS

Change Log 4
Introduction 5
Benefits of FortiADC and FortiGate for SSL Inspection 6
The FortiADC difference 7
The FortiGate difference 8
Deployment topology 9
Hardware and software used in this example 10
Configuration overview 11
FortiGate configuration guidelines 12
FortiADC Configuration 13
Internal FortiADC configuration 13
Step 1: Configure network interfaces and a static route 13
Step 2: Import an intermediate CA to be used for SSL forward proxy 15
Step 3: Configure health checks 17
Step 4: Configure the real server pool 18
Step 5: Configure the virtual server profile 21
Step 6: Configure an L2 exception list (optional) 24
Step 7: Configure the virtual server 24
Step 8: Configure a Link Load Balancing policy to load balance all other traffic 26
External FortiADC configuration 29
Step 1: Configure network interfaces and a static route 29
Step 2: Configure the real server pool 31
Step 3: Configure the virtual server 32
Appendix A: Importing the Intermediate CA certificate into a web browser 36
Appendix B: SSL forward proxy packet flow 39
Appendix C: FortiADC configurations 40
Internal FortiADC 40
External FortiADC 47
Change Log

Date        Change Description
2016-2-4    Initial release.

FortiADC Deployment Guide 4
Fortinet Technologies Inc.
Introduction

HTTPS encryption is the foundation for secure Internet traffic. Online banking, e-commerce, and even sites like
Google and Facebook, all rely on SSL to provide their users a safe, trusted way to ensure sensitive data is
protected when it’s sent over the internet. Many organizations rely on SSL for their own services such as email
and internal applications that are made available on the Internet for remote employees.

However, this increased level of security also benefits cyber attackers. They focus on SSL/TLS because they
know the majority of organizations blindly trust encrypted communications and don’t (or can’t) decrypt them.

Gartner believes that by 2017, more than 50% of network attacks, both inbound and outbound, will use encrypted
SSL/TLS communications. If you’re not deeply inspecting secure traffic with your FortiGate or other security
tools, you’re only going to get half the job done.

SSL decryption and re-encryption is a CPU-intensive task, especially now that most websites have deployed larger
2048-bit encryption keys, with some even moving to 4096-bit. For years FortiGate firewalls have offered SSL
decryption and re-encryption for deep packet inspection. This, however, comes at a price in both firewall
performance and in real costs, as many users have to spend much more on a higher-capacity model with SSL ASICs
to handle traffic volumes for their network.

Using FortiADC with FortiGate leverages the strengths of two time-tested Fortinet technologies. With FortiADCs
at the front and back ends of a data center’s network security elements, clear traffic speeds through the FortiGate
and other security services at top speeds without the overhead of decrypting and re-encrypting secure traffic.

Benefits of FortiADC and FortiGate for SSL Inspection

• Single point of management for network decryption and re-encryption
• High-speed FortiADC SSL decryption/re-encryption reduces burden on FortiGate
• Easily scale network security capacity with ability to load balance multiple FortiGates
• Intelligent traffic management to route traffic to best security device
• Maintain compliance and privacy with encryption bypass rules
• Highly redundant solution for enterprise data center environments
• Improved network and application response times for users
• Reduced strain on FortiGate lessens need to overprovision for secure traffic inspection
• Single vendor convenience and simplicity

The FortiADC difference

There are a number of hardware load balancing products available on the market with a wide range of features
and capabilities. FortiADC differentiates itself by providing superior value, high performance, reliability, advanced
acceleration features, and security from a market leader.

FortiADC not only load balances Internet service requests across multiple servers, but also accelerates
application performance and provides application-aware features that monitor server load and improve server
response times – by as much as 25%. In addition to basic load balancing, FortiADC provides:

• Automatic server and application health monitoring.
• Intelligent, application-aware load balancing policies (least connections, fastest response time, static weight, and
  round robin).
• Redundant high availability (HA) configurations.
• Intuitive Layer 7 policy-based routing that can dynamically rewrite content to support complex applications and
  server configurations.
• Hardware and software-based SSL offloading that reduces the performance impact on your server infrastructure.
  When deployed with FortiGate, FortiADC performs the SSL decryption and re-encryption necessary for FortiGate to
  inspect traffic for threats.
• Content caching that dynamically stores popular application content, such as images, videos, HTML files, and other
  types to alleviate server resources and accelerate overall application performance.
• Web Application Firewall that protects against application layer attacks.
• IP Reputation service that protects your applications against automated web attacks by identifying access from
  botnets and other malicious sources.
• Global Server Load Balancing that distributes traffic across multiple geographical locations for disaster recovery.
• Link Load Balancing that distributes traffic over multiple ISPs to increase resilience and reduce the need for costly
  bandwidth upgrades.
• Authentication offloading that speeds user authentication for secure applications.
• Scripting for custom load balancing and content rewriting rules.
• Virtual domains (VDOMs) that enable administrators to divide a FortiADC into two or more virtual FortiADC devices,
  each operating as an independent application delivery controller.

For more information on how FortiADC can make your applications work better, faster, and more economically,
please visit http://www.fortinet.com/products/fortiadc/index.html.

The FortiGate difference

Fortinet delivers unparalleled protection, ease of use, and performance from its next generation network security
platforms to protect against sophisticated cyberthreats. We are a leading global provider of network security
appliances available in both hardware and virtualized form factors to fit unique requirements of carriers, data
centers, enterprises and distributed offices.

We combine the most advanced threat intelligence from FortiGuard Labs with our FortiOS operating system and
purpose-built FortiASIC processors to provide consistently top-rated security, deeper visibility, and superior
performance.

• End-to-end security across the full attack cycle to close gaps in protection.
• Independently validated 99%+ security effectiveness to increase protection.
• NSS Labs "Recommended" NGFW and NGIPS.
• Internal Segmentation Firewall deployment mode to protect the network from the inside-out.
• Single pane of glass management for unmatched visibility and control.
• Best-in-class performance/price to maximize investment value.
• Integrated high port density for maximum flexibility.
• Cloud readiness with multi-tenant and fast integration with 3rd party ecosystems.

For more information on how FortiGate can make your applications work better, faster, and more economically,
please visit http://www.fortinet.com/products/FortiGate/index.html.

Deployment topology

This section shows the most common deployment topology for SSL inspection with FortiADC and FortiGate.

Figure 1 shows an inline topology. FortiADC appliances are deployed at the front- and back-end of a FortiGate
cluster to provide decryption and re-encryption of SSL traffic. This solution is described in this document.

In a sandwich topology like this:

1. The "internal" FortiADC intercepts SSL traffic that matches its Layer 2 virtual server policy.
2. This FortiADC uses SSL forward proxy to manipulate the destination server certificate and complete the SSL
   handshake with the client so that it can decrypt the SSL traffic.
3. It forwards the clear text to the FortiGate for deep packet inspection (DPI) and mitigation if necessary.
4. The FortiGate then sends the now cleaned, unencrypted traffic back to the "external" FortiADC.
5. The "external" FortiADC re-encrypts it and forwards it toward its destination.

The FortiADC administrator can configure "exceptions"—rules to maintain encryption on trusted sites like banking
and healthcare applications to maintain compliance and provide user data privacy.

Figure 1: Inline Security Topology (Sandwich)

In addition to decryption and re-encryption of secure traffic, FortiADC can direct traffic among multiple FortiGates
and other security devices. Using health monitoring, load balancing, and persistent connections, network traffic is
sent to the best performing security resources in the network. Depending on security elements in place, FortiADC
can intelligently route traffic to different destinations by packet type. For example, it can be configured to
automatically route all SMTP traffic to an email security device like FortiMail instead of to the FortiGate for
inspection.

Hardware and software used in this example

The following hardware and software were used in testing this example:

• FortiADC VM
• FortiADC OS Version 4.4.0
• FortiGate VM
• FortiGate OS Version 5.4
• Custom client/server hardware running VMware ESX 4 (Windows 8.1)

Important: This guide is written only for the FortiADC D-Series platform. The instructions included within are not
designed to be used with the FortiADC E-Series platform application delivery controllers.

Configuration overview

Figure 2 shows the network configuration for this solution example.


Figure 2: Deployment topology

Basic steps

1. Configure a FortiGate Active-Active cluster and session synchronization.
2. Configure the internal FortiADC. The configuration for a Layer 2 virtual server on this node enables SSL forward
   proxy and load balances traffic to the FortiGate cluster.
3. Configure the external FortiADC. The configuration for a Layer 2 virtual server on this node handles re-encryption
   of traffic to the destination and forwards it to the next hop gateway to the Internet.

FortiGate configuration guidelines

In this deployment, the internal FortiADC load balances decrypted traffic to two identical FortiGate units. The two
FortiGate units must be the same model and run the same version of FortiOS. If one of the FortiGate cluster
members fails, session failover occurs, and active sessions fail over to the peer that is still operating. This failover
occurs without any loss of data. The external FortiADC will detect the failover and re-distribute all sessions to the
peer that is still operating.

In the FortiGate deployment, you use the config system cluster-sync command to enable the
FortiGate Session Life Support Protocol (FGSP) to synchronize session tables. By default, FGSP synchronizes all
IPv4 and IPv6 TCP sessions, IPsec tunnels, and also synchronizes the configuration of the FortiGate units. You
can optionally enable session pickup to synchronize connectionless (UDP and ICMP) sessions, expectation
sessions, and NAT sessions.

Since session pickup requires FortiGate resources, only enable this feature for sessions that you need to have
synchronized. If you do not enable session pickup, the FGSP does not share session tables for the particular
session type and sessions do not resume after a failover. Sessions that are interrupted by the failover must
be re-established at the application level. Many protocols can successfully restart sessions with little or no loss
of data. Others may not recover easily. Enable session pickup for sessions that may be difficult to reestablish.

You can also optionally add filters to control which sessions are synchronized. You can add filters to only
synchronize packets from specified source and destination addresses, specified source and destination
interfaces, and specified services.

By default, configuration synchronization is disabled. You can use the following command to enable it:

    config system ha
        set standalone-config-sync enable
    end

Settings that identify the FortiGate unit to the network, for example, interface IP addresses and BGP neighbor
settings, are not synchronized, so each FortiGate unit maintains its identity on the network.

FortiADC Configuration

This section provides configuration guidelines for the FortiADC appliances on each side of the sandwich:

• Internal FortiADC configuration
• External FortiADC configuration

Internal FortiADC configuration

This section describes the internal FortiADC configuration. It includes the following steps:

• Step 1: Configure network interfaces and a static route
• Step 2: Import an intermediate CA to be used for SSL forward proxy
• Step 3: Configure health checks
• Step 4: Configure the real server pool
• Step 5: Configure the virtual server profile
• Step 6: Configure an L2 exception list (optional)
• Step 7: Configure the virtual server
• Step 8: Configure a Link Load Balancing policy to load balance all other traffic

Step 1: Configure network interfaces and a static route

You configure three network interfaces for deployment:

• port2: Internal network (LAN)
• port3, port4: FortiGate-side (reroute HTTP traffic to FortiGate)

To configure network interfaces, go to Networking > Interface. Figure 3 shows the configuration for port2.

Figure 3: Network interface configuration page

To create a static route, go to Networking > Routing. Figure 4 shows the static route configuration page.

Figure 4: Static route

Step 2: Import an intermediate CA to be used for SSL forward proxy

In an SSL forward proxy deployment, the server certificate and private key used to negotiate the SSL connection
with the client are dynamically derived from the certificate presented by the real server and chained with an
Intermediate CA trusted by the client.

The following steps create the certificate configuration used in this example:

1. Use OpenSSL to generate an intermediate CA and key:

   • Create a private root key. The following OpenSSL command creates a 2048-bit key:

         openssl genrsa -out FortiADC.key 2048

   • Self-sign this certificate. The following command starts an interactive script to populate the contents of the
     PEM certificate file (fill it out as appropriate for your organization):

         openssl req -x509 -new -nodes -key FortiADC.key -days 1024 -out FortiADC.pem

2. Import the Intermediate CA and key into FortiADC. Go to System > Manage Certificates > Intermediate CA and
   click Import to display the configuration page. Import both the PEM certificate file and the key file.
3. Configure an Intermediate CA group. Make the member that includes the special Intermediate CA the default for
   the group. Go to System > Manage Certificates > Intermediate CA Group and click Add to display the
   configuration page.
4. Configure a local certificate group that includes any local certificate (including the factory certificate) and the
   Intermediate CA group that contains the special Intermediate CA. Make this member the default. Go to System >
   Manage Certificates > Local Certificate Group and click Add to display the configuration page.

This example shows an Intermediate CA generated with OpenSSL. You can also use an Intermediate CA signed by
your enterprise certificate server (such as Microsoft Certificate Services) or one of the CA vendors that has its
root certificates preinstalled in the web browsers.
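The following script is an added illustration and is not part of the Fortinet guide. It reproduces with plain openssl what Step 2 sets up and what the SSL forward proxy then does with it: it generates the 2048-bit key and self-signed intermediate CA using the guide's two commands (a small config file stands in for the interactive prompts and marks the certificate as a CA), creates a constructed stand-in for a real server's certificate, mints a certificate that copies the origin's subject CN and alternative names onto the proxy's own key and is signed by the intermediate CA, and finally verifies that certificate against the intermediate CA and against the default trust store. The subjects, the hostname www.example.com, every file name other than FortiADC.key and FortiADC.pem, and the working directory are assumptions for the demonstration. The last check is the situation Appendix A addresses: a client that has not been given the intermediate CA rejects the minted certificate.

```shell
#!/bin/sh
# Added example, not from the Fortinet guide: what an SSL forward proxy does
# with the intermediate CA from Step 2, done by hand with openssl (1.1.1+).
# Subjects, hostnames and file names other than FortiADC.key/FortiADC.pem are
# constructed for this demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 2 of the guide: 2048-bit key and self-signed certificate. The config
# file replaces the interactive prompts and marks the certificate as a CA.
make_intermediate_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
O  = Example Corp
CN = Example Forward Proxy CA
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/FortiADC.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/FortiADC.key" -days 1024 \
    -config "$WORK/ca.cnf" -out "$WORK/FortiADC.pem" 2>/dev/null
}

# Constructed stand-in for the certificate the real (origin) server presents.
make_origin_cert() {
  cat > "$WORK/origin.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = leaf_ext
prompt             = no
[dn]
O  = Example Origin
CN = www.example.com
[leaf_ext]
subjectAltName = DNS:www.example.com, DNS:example.com
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORK/origin.key" \
    -days 30 -config "$WORK/origin.cnf" -out "$WORK/origin.pem" 2>/dev/null
}

# Per-connection work of the forward proxy: copy the origin's subject CN and
# SANs onto a certificate for the proxy's own key, signed by the intermediate CA.
mint_proxy_cert() {
  cn=$(openssl x509 -in "$WORK/origin.pem" -noout -subject -nameopt sep_multiline \
       | sed -n 's/^[[:space:]]*CN=//p')
  san=$(openssl x509 -in "$WORK/origin.pem" -noout -ext subjectAltName \
       | tail -n +2 | tr -d ' ')
  openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/proxy.key" \
    -config "$WORK/ca.cnf" -subj "/CN=$cn" -out "$WORK/proxy.csr" 2>/dev/null
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$san" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/FortiADC.pem" \
    -CAkey "$WORK/FortiADC.key" -CAcreateserial -days 7 \
    -extfile "$WORK/leaf.ext" -out "$WORK/proxy.pem" 2>/dev/null
}

# A client that trusts the intermediate CA (Appendix A) accepts the minted
# certificate for www.example.com.
verify_with_ca() {
  openssl verify -CAfile "$WORK/FortiADC.pem" -verify_hostname www.example.com \
    "$WORK/proxy.pem" >/dev/null 2>&1
}

# A client with only its default trust store rejects it: this is the browser
# warning the appendix describes.
verify_with_system_trust() {
  openssl verify "$WORK/proxy.pem" >/dev/null 2>&1
}

# Size of the CA key, to confirm the genrsa step produced what the guide says.
key_bits() {
  openssl rsa -in "$WORK/FortiADC.key" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

make_intermediate_ca
make_origin_cert
mint_proxy_cert
echo "intermediate CA key: $(key_bits) bits"
verify_with_ca && echo "client trusting the intermediate CA: accepted"
verify_with_system_trust || echo "client with default trust store only: rejected"
```

Run it with sh; it needs openssl on the PATH and writes into a temporary directory (set WORK to choose one). Inspect the minted certificate with openssl x509 -in "$WORK/proxy.pem" -noout -text to see the origin's names under an issuer of your own.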

Figure 5: Intermediate CA configuration page

Figure 6: Intermediate CA group configuration page

Figure 7: Local certificate group configuration page

Step 3: Configure health checks


Health checks test gateway or server availability so the server load balancer can exclude unavailable servers from
the active server pool. In this deployment, we use the predefined ICMP health checks to verify the availability of
FortiGate cluster members.

To configure a health check, go to System > Shared Resources > Health Check.

Figure 8: Health check configuration page

Step 4: Configure the real server pool


In a Layer 2 virtual server deployment, the real server pool configuration specifies the next hop. In this case, the
pool includes the two FortiGate cluster members and specifies that they are to receive unencrypted traffic on port
8080. FortiGate must be configured to receive the unencrypted traffic on port 8080. This enables both FortiADC
and FortiGate to distinguish regular HTTP traffic (port 80) from traffic that has been decrypted by FortiADC (port
8080).

To configure real server pools, go to Server Load Balance > Real Server Pool. Table 1 summarizes the real server
pool configuration for this example. Figure 9 through Figure 11 show the configuration pages.

Table 1: Real server pool configuration summary

Name: L2VSRS

Health Check List: LB_HLTHCK_ICMP
    The predefined health check to test whether the next hop is responsive.

Real Server SSL Profile: LB_RS_PROF_NONE
    The predefined profile that indicates SSL is not used between the FortiADC and the FortiGate cluster members.

Member IP Address: 10.1.65.163, 10.1.60.165

Member Port: 8080
    We use port 8080 so that FortiADC and FortiGate can distinguish regular HTTP traffic (port 80) from traffic
    decrypted by FortiADC (port 8080).

Member Health Check Inherit / RS Profile Inherit: Enable
    In this example, the member inherits the configuration from the master pool configuration. If necessary, you can
    apply a different configuration to members.

Figure 9: SLB real server pool initial configuration page

Figure 10: Real server pool member configuration page

Figure 11: Real server pool complete configuration

Step 5: Configure the virtual server profile


The virtual server profile determines connection settings for the client-to-FortiADC connection. This is the segment
in which the client SSL request is intercepted by the SSL forward proxy feature, so the configuration enables SSL
forward proxy and specifies the Local Certificate Group that includes the Intermediate CA used for SSL forward
proxy.

To configure a virtual server profile, go to Server Load Balance > Profile. Table 2 summarizes the virtual server
profile configuration for this example. Figure 12 shows the configuration page.

Table 2: Virtual server profile configuration summary

Name: 183p1

Type: HTTPS

SSL Proxy Mode: Enable
    This setting enables SSL forward proxy.

SSL Ciphers: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA
    DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384
    AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA
    AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA
    The cipher list includes strong ciphers. Your list can include

Allow SSL Versions: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2
    SSLv2 is excluded.

Client SNI Required: Not enabled.
    Enable to include the server hostname in the TLS client hello message if you are using L2 Exception List.

Local Certificate Group: lg1
    The group configured in Step 2.

Figure 12: Virtual server profile configuration

Step 6: Configure an L2 exception list (optional)


In some jurisdictions, SSL interception and decryption is disfavored for some types of websites or disallowed
entirely. You use the L2 Exception List configuration to define such destinations. You can build a list using subnet
addresses and hostname patterns. The hostname pattern supports wildcards. For example: *.bankofamerica.com.

To configure an exception list, go to Server Load Balance > Virtual Server > L2 Exception List. Figure 13 shows
the configuration page.

Figure 13: L2 exception list configuration page
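The following Python program is an added example and is not part of the Fortinet guide or FortiADC's code. It shows how an L2 exception list of the two entry kinds described above (subnets and wildcard hostname patterns) can be evaluated for a TLS connection, and why the hostname entries depend on the server name in the ClientHello, which is what the "Client SNI Required" setting in Table 2 concerns: a hello without SNI can only ever match a subnet entry. The ClientHello bytes are constructed inside the script, the exception entries are placeholders, and glob-style wildcard matching is an assumption about semantics the guide does not spell out.

```python
"""Added example, not from the Fortinet guide: evaluating an L2 exception
list (subnets and wildcard hostname patterns, Step 6) against a TLS
ClientHello. The ClientHello below is constructed for the example and the
glob-style wildcard semantics are an assumption, not FortiADC's own."""
import fnmatch
import ipaddress
import struct

# Hypothetical exception list: one hostname pattern, one subnet (placeholders).
EXCEPTIONS = ["*.bankofamerica.com", "192.0.2.0/24"]


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (test input only)."""
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random
            + b"\x00"                        # session_id: empty
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00")                   # null compression
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        sni_data = struct.pack("!H", len(entry)) + entry       # ServerNameList
        ext = struct.pack("!HH", 0, len(sni_data)) + sni_data  # type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        if pos + 2 > len(hs):
            return None                                       # no extensions block
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            # server_name data: list_len(2) name_type(1) name_len(2) name
            if etype == 0 and elen >= 5 and hs[pos + 2] == 0:
                nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def _as_network(entry):
    """Subnet entries parse as networks; anything else is a hostname pattern."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def decide(exception_list, dest_ip, client_hello):
    """Return "bypass" when an exception entry matches the destination, else "intercept".

    Subnet entries are checked against the destination address; hostname
    patterns are checked against the SNI, so they can never match a hello
    that carries no server name."""
    sni = extract_sni(client_hello)
    addr = ipaddress.ip_address(dest_ip)
    for entry in exception_list:
        net = _as_network(entry)
        if net is not None:
            if addr in net:
                return "bypass"
        elif sni is not None and fnmatch.fnmatchcase(sni.lower(), entry.lower()):
            return "bypass"
    return "intercept"


if __name__ == "__main__":
    for ip, name in [("203.0.113.10", "online.bankofamerica.com"),
                     ("203.0.113.10", "www.example.com"),
                     ("192.0.2.5", None), ("203.0.113.10", None)]:
        print(ip, name, "->", decide(EXCEPTIONS, ip, build_client_hello(name)))
```

The decision is made on the first client record, before any application data, which is the same point at which an inline device must choose between completing the handshake itself and passing the flow through untouched.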

Step 7: Configure the virtual server


In a Layer 2 virtual server deployment, the FortiADC is in the path of client-to-server traffic. The virtual server
intercepts traffic on the configured port—in this case, port 443. It performs the actions enabled by its settings. In
this case, it uses the SSL forward proxy profile settings to decrypt the client traffic, and it load balances the
unencrypted traffic to the next hop pool (the FortiGate cluster).

To configure virtual servers, go to Server Load Balance > Virtual Server. Table 3 summarizes the virtual server
configuration for this example. Figure 14 shows the configuration summary page.

Table 3: Virtual server configuration summary

Name: L2VS183

Type: Layer 2

IP address: —
    IP address is not configured for a Layer 2 virtual server. On the client side, the FortiADC is in the path of the
    traffic and the virtual server intercepts traffic on the configured port.

Port: 443
    The virtual server intercepts traffic to port 443.

Network Interface: port2
    This Layer 2 virtual server intercepts traffic on port 443, so make sure the interface does not have management
    traffic on port 443. In the interface configuration, make sure HTTPS is not selected for "allow access".

Profile: 183p1
    The virtual server profile configured in Step 5.

Persistence: LB_PERSIS_HASH_SRC_ADDR_PORT
    Traffic for some applications, like e-commerce transactions or SIP voice calls, consists of transactions that
    depend on an established client-server session. If your application requires this, select a predefined or
    user-defined persistence method. This example uses a predefined persistence object that establishes persistence
    based on a hash of the source address and source port.

Method: LB_METHOD_ROUND_ROBIN
    Predefined method.

Real Server Pool: L2VSRS
    The pool configured in Step 5.

L2 Exception List: l1
    The list configured in Step 6.

Log: Enable
    Enables traffic logs.

Figure 14: Virtual server configuration page

Step 8: Configure a Link Load Balancing policy to load balance all other traffic

By default, traffic that does not match a FortiADC virtual server policy is forwarded toward its destination
according to the routing tables (static route, policy route, etc.). Routes in the Link Load Balancing table have
precedence over static routes, and we leverage them in this deployment to load balance non-SSL traffic to the
FortiGate cluster as well.

In this configuration, the FortiGate cluster members are the gateways that make up the link group that is load
balanced. You do not have to configure addresses for the Link Load Balancing Policy rules because the rules are
configured to match all traffic (all traffic not forwarded by Load Balance virtual server policy rules, that is).

To create a Link Load Balancing policy:

1. Go to Link Load Balance > Link Group > Gateway and create two gateway objects—one for each FortiGate.
2. Go to Link Load Balance > Link Group > Persistence and create a persistence configuration. In this example, we
   have configured persistence by Source Address. Packets with a source IP address that belongs to the same
   subnet are forwarded to the same gateway.
3. Go to Link Load Balance > Link Group and configure a link group that specifies the two gateways and the
   persistence configuration.
4. Go to Link Load Balance > Link Policy and configure a link load balancing policy rule that matches all traffic to the
   link group configured in the previous step. Note that if you do not specify Source, Destination, and Service objects,
   it is equivalent to matching "any".

External FortiADC configuration

This section describes the external FortiADC configuration. It includes the following steps:

• Step 1: Configure network interfaces and a static route
• Step 2: Configure the real server pool
• Step 3: Configure the virtual server

Step 1: Configure network interfaces and a static route

You configure three network interfaces for deployment:

• port4, port6: FortiGate-side
• port5: External network (WAN-side)

To configure network interfaces, go to Networking > Interface. Figure 15 shows the configuration for port4.

Figure 15: Network interface configuration page

To create a static route, go to Networking > Routing. Figure 16 shows the static route configuration page.

Figure 16: Static route

Step 2: Configure the real server pool


In a Layer 2 virtual server deployment, the real server pool configuration specifies the next hop. In this case, the
pool includes just one member—the next hop gateway to the Internet. In this example, we use a predefined
health check and predefined Real Server SSL Profile configuration. If your deployment requires custom
configuration objects, complete those steps before you configure the real server pool.

To configure real server pools, go to Server Load Balance > Real Server Pool. Table 4 summarizes the real server
pool configuration for this example. Figure 17 shows the configuration summary page.

Table 4: Real server pool configuration summary

Name: L2RSport443

Health Check List: LB_HLTHCK_ICMP
    The predefined health check to test whether the next hop is responsive.

Real Server SSL Profile: LB_RS_SSL_PROF_DEFAULT
    The predefined profile that indicates SSL is used between the FortiADC and the next hop.

Member IP Address: 10.1.80.200

Member Port: 443
    Traffic is re-encrypted and forwarded on port 443.

Member Health Check Inherit / RS Profile Inherit: Enable
    In this example, the member inherits the configuration from the master pool configuration. If necessary, you
    can apply a different configuration to members.

Figure 17: SLB real server pool configuration

Step 3: Configure the virtual server


In a Layer 2 virtual server deployment, the FortiADC virtual server intercepts traffic on the configured port—in this
case, port 8080. It performs the actions enabled by its settings. In this case, it re-encrypts the traffic and forwards
it to the next hop on port 443. When it receives the response traffic from the destination server, it does the
reverse: It receives the response traffic on port 443, decrypts it, and forwards it to one of the FortiGate cluster
members on port 8080.

To configure virtual servers, go to Server Load Balance > Virtual Server. Table 5 summarizes the virtual server
configuration for this example. Figure 18 and Figure 19 show the configuration.

Table 5: Virtual server configuration summary

Name: L2VSport8080_port4, L2VSport8080_port6
    This FortiADC receives traffic from a cluster of FortiGate appliances. You configure two virtual servers—one on
    port4 and one on port6.

Type: Layer 2

IP address: —
    IP address is not configured for a Layer 2 virtual server. On the LAN side, the FortiADC is in the path of the
    traffic and the virtual server intercepts traffic on the configured port.

Port: 8080
    The virtual server intercepts traffic to port 8080.

Network Interface: port4, port6

Profile: LB_PROF_HTTP
    A predefined profile.

Persistence: —
    None specified.

Method: LB_METHOD_ROUND_ROBIN
    Predefined method.

Real Server Pool: L2RSport443
    The pool configured in the previous step.

Log: Enable
    Enables traffic logs.

Figure 18: Virtual server configuration port4


Figure 19: Virtual server configuration port6

Appendix A: Importing the Intermediate CA certificate into a web browser

When a client browser requests an HTTPS connection to a web server, the server presents a server certificate to
the client for verification. The client checks the content of the certificate against a local browser database of
Certificate Authorities, and if it finds a match, the connection is made. If no match is found, the browser displays
a warning that asks if you want to continue with the connection, similar to the following.

Even if the user dismisses the error message and continues, the browser still might show an error in the toolbar.

If the certificate used for SSL forward proxy was signed by your enterprise certificate server (such as Microsoft
Certificate Services) or by one of the CA vendors whose root certificates are preinstalled in web browsers,
clients will not encounter these messages because the certificate Issuer is already trusted.

If you use an OpenSSL self-signed certificate and key (as shown in this example), you must distribute that
certificate to client browsers in whatever manner you typically do that—automatic update package from IT,
manual distribution, and so on.

This appendix gives instructions for end-users adding the certificate to their web browser manually.
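Before distributing the SSL forward proxy CA to client browsers as described here, a practitioner would check what those browsers are being asked to trust. The following Python example is added here and is not code from the guide or from Fortinet. It parses `openssl x509 -text` style output, such as the intermediate CA listed in Appendix C, and reports whether the certificate is marked as a CA, whether it is self-signed or an intermediate, whether the key size or signature algorithm is weak, and whether it is valid on a given date. The CERT_TEXT embedded in the block is an abbreviated copy of the Appendix C listing (the guide's test CA); the 2048-bit threshold and the SHA-1/MD5 check are this example's own choices.

```python
"""Check an intermediate CA certificate before distributing it to client
browsers, working from `openssl x509 -text` style output.

Added example, not code from the guide or from Fortinet. CERT_TEXT is
copied, abbreviated, from the Appendix C 'config system certificate
intermediate_ca' listing (the guide's test CA); the thresholds and the
wording of the findings are this example's own choices."""
import re
from datetime import datetime

CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiADC, CN=ssl_proxy_test_root_ca
        Validity
            Not Before: Nov 12 23:06:40 2015 GMT
            Not After : Jan 29 23:06:40 2024 GMT
        Subject: C=US, ST=California, O=Fortinet, OU=FortiADC, CN=ssl_proxy_test_level2_ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                54:3E:CE:DA:29:A4:4F:BC:D1:B3:64:CC:DC:3A:F7:10:33:0B:BA:BA
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
"""

# Field name -> regex with one capture group; the first match in the text wins.
FIELDS = {
    "signature_algorithm": r"Signature Algorithm:\s*(\S+)",
    "issuer": r"Issuer:\s*(.+)",
    "subject": r"Subject:\s*(.+)",
    "not_before": r"Not Before\s*:\s*(.+)",
    "not_after": r"Not After\s*:\s*(.+)",
    "key_bits": r"Public-Key:\s*\((\d+) bit\)",
    "basic_constraints": r"Basic Constraints:[^\n]*\n\s*(CA:\w+)",
}


def parse_cert_text(text):
    """Extract the fields the audit needs; fields absent from the text are None."""
    cert = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        cert[name] = m.group(1).strip() if m else None
    for key in ("not_before", "not_after"):
        if cert[key]:
            cert[key] = datetime.strptime(cert[key], "%b %d %H:%M:%S %Y GMT")
    if cert["key_bits"]:
        cert["key_bits"] = int(cert["key_bits"])
    return cert


def is_self_signed(cert):
    """A root CA is its own issuer; an intermediate (like the guide's) is not."""
    return cert["issuer"] == cert["subject"]


def audit_ca(cert, now, min_rsa_bits=2048):
    """Return the list of problems found (empty means the certificate passed).
    `now` is a datetime or a 'YYYY-MM-DD' string, passed explicitly so the
    validity check is deterministic rather than tied to the wall clock."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    problems = []
    if cert["basic_constraints"] != "CA:TRUE":
        problems.append("Basic Constraints does not mark this certificate as a CA")
    if cert["key_bits"] is not None and cert["key_bits"] < min_rsa_bits:
        problems.append(f"RSA key is only {cert['key_bits']} bits (want >= {min_rsa_bits})")
    alg = (cert["signature_algorithm"] or "").lower()
    if alg.startswith(("sha1", "md5", "md2")):
        problems.append(f"weak signature algorithm {cert['signature_algorithm']}")
    if cert["not_before"] and now < cert["not_before"]:
        problems.append(f"not valid before {cert['not_before']:%Y-%m-%d}")
    if cert["not_after"] and now > cert["not_after"]:
        problems.append(f"expired on {cert['not_after']:%Y-%m-%d}")
    return problems


if __name__ == "__main__":
    cert = parse_cert_text(CERT_TEXT)
    kind = "self-signed root" if is_self_signed(cert) else "intermediate"
    print(f"{kind} CA: {cert['subject']}")
    for problem in audit_ca(cert, "2016-02-04"):  # the guide's publication date
        print(" -", problem)
```

Run against the guide's test CA with the guide's publication date, the audit reports the 1024-bit key and the SHA-1 signature; with a date after January 29, 2024 it also reports that the certificate has expired. Checking the real certificate rather than the text dump (for example with `openssl x509 -in file.pem -noout -text` piped into this parser) keeps the audit honest about what was actually imported.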

Internet Explorer

1. Go to Internet Options.
2. Click the Content tab.
3. Click Certificates.
4. Click Import to start the Import Wizard.
5. Complete the wizard steps. Make sure that the certificate is imported into Trusted Root Certification Authorities.

Firefox

1. Depending on the platform, go to Menu > Options or Preferences > Advanced and open the Certificates tab.
2. Click View Certificates and then click the Authorities tab.
3. Click Import and then browse to and select the certificate file.

Google Chrome and Safari

1. Go to Settings > Advanced Settings and click Manage Certificates.
2. Click Import to start the Import Wizard.
3. Complete the wizard steps. Make sure that the certificate is imported into Trusted Root Certification Authorities.

Appendix B: SSL forward proxy packet flow

1. A client sends an SSL Client Hello to initiate an SSL connection.
2. The "Internal FortiADC" intercepts the client request and establishes a new SSL connection to the destination
server to get its server certificate.
3. The "Internal FortiADC" completes a full SSL handshake with the client, presenting a certificate issued by the
intermediate CA configured for SSL forward proxy.
4. The "Internal FortiADC" decrypts the SSL traffic and sends it to FortiGate for DPI analysis. After inspection, this
traffic is forwarded to the "External FortiADC".
5. The "External FortiADC" establishes a new SSL connection and sends the re-encrypted traffic to the next hop,
toward the destination server.
6. When the SSL response returns from the remote server, the "External FortiADC" decrypts it and sends it to
FortiGate for DPI analysis. After inspection, this traffic is forwarded to the "Internal FortiADC".
7. The "Internal FortiADC" re-encrypts the traffic and sends it to the client.


Appendix C: FortiADC configurations

The following configuration file samples show the FortiADC configurations:

- Internal FortiADC
- External FortiADC

Internal FortiADC

config system global
set hostname FortiADC-Internal
end
config system interface
edit "port1"
set vdom root
set ip 172.30.154.162/24
set allowaccess https ping ssh snmp http telnet
config ha-node-ip-list
end
next
edit "port2"
set vdom root
set ip 10.1.50.10/24
set allowaccess ping ssh snmp telnet
config ha-node-ip-list
end
next
edit "port3"
set vdom root
set ip 10.1.60.162/24
set allowaccess ping ssh snmp telnet
config ha-node-ip-list
end
next
edit "port4"
set vdom root
set ip 10.1.65.162/24
set allowaccess ping ssh snmp telnet
config ha-node-ip-list
end
next
edit "port5"
set vdom root
config ha-node-ip-list
end
next
edit "port6"
set vdom root
config ha-node-ip-list
end
next
edit "port7"
set vdom root
config ha-node-ip-list
end
next
edit "port8"
set vdom root
config ha-node-ip-list
end
next
edit "port9"
set vdom root
config ha-node-ip-list
end
next
edit "port10"
set vdom root
config ha-node-ip-list
end
next
end
config system dns
set primary 208.91.112.53
set secondary 208.91.112.52
end
config system time manual
end
config system time ntp
end
config system certificate ca
end
config system certificate remote
end
config system certificate crl
end
config user pki
end
config system accprofile
end
config profile authentication radius
end
config system password-policy
end
config user radius
end
config user ldap
end
config system admin
edit "admin"
set is-system-admin yes
next
end
config system ha
end
config system snmp sysinfo
set status enable
set description "snmp description"
set location sunnyvale
set contact rakesh
end
config system snmp threshold
end
config system snmp community
edit 1
set name snmp1
config host
edit 1
set ip 172.30.12.16
next
end
next
edit 2
set name 2
config host
edit 1
set ip 172.30.12.16
next
end
next
end
config system snmp user
edit "snmp1"
config host
end
next
end
config system fortiguard
end
config system certificate local
end
config system certificate ca_group
end
config system certificate intermediate_ca
edit "c1"
set certificate "Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiADC, CN=ssl_proxy_test_root_ca/[email protected]
Validity
Not Before: Nov 12 23:06:40 2015 GMT
Not After : Jan 29 23:06:40 2024 GMT
Subject: C=US, ST=California, O=Fortinet, OU=FortiADC, CN=ssl_proxy_test_level2_ca/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:b1:79:c7:56:42:ad:c4:f5:28:64:b9:4d:b5:6c:
93:fc:14:1a:b1:d2:ef:72:b2:f6:27:62:7d:36:95:
91:09:69:81:79:87:eb:6d:f7:ab:8d:45:a3:15:4f:
91:55:51:47:b6:ac:d7:7b:f0:90:80:78:e2:73:ff:
77:f6:31:7c:23:61:ad:52:e4:5f:7a:02:9f:09:1a:
63:9f:13:e6:3e:fa:be:e8:d8:e6:c7:42:3c:da:7a:
87:1b:1a:92:ff:9d:e4:06:e5:78:d6:1b:b2:6e:7e:
20:67:4d:c9:8f:32:a4:08:cf:eb:03:20:06:3d:b2:
ec:dc:29:d8:99:8b:e2:6e:b3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
54:3E:CE:DA:29:A4:4F:BC:D1:B3:64:CC:DC:3A:F7:10:33:0B:BA:BA
X509v3 Authority Key Identifier:
keyid:21:34:00:8C:2E:FB:82:5C:54:90:43:3D:42:C3:3F:14:1F:3B:F2:F4

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
0c:15:91:2a:98:be:41:fb:5d:99:ee:2f:e4:e5:93:e9:c7:04:
3a:12:f2:56:c1:16:38:cf:72:58:5c:73:4c:53:5f:69:d6:02:
a3:85:d0:0b:ad:ed:8e:8f:b3:2b:d6:2c:a2:61:3a:6d:5a:94:
09:3f:44:aa:4c:97:fd:d4:67:9f:39:77:00:2a:d9:78:36:c8:
4a:3d:7c:01:b7:31:f9:17:3b:5e:e1:c2:c0:ec:35:1c:35:91:
68:a6:bf:a8:4f:07:a6:b7:ac:4b:45:e9:44:ee:9f:e9:d3:2a:
e6:fb:12:51:1e:73:a3:3c:b8:d0:83:95:5c:06:8e:79:d7:58:
99:a1
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
"
set private-key "-----BEGIN PRIVATE KEY-----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

9MyY0s+FaAb1iuip8iBRrLaSw8l5AkAomNeli4RC8dGe827Pb/ndtva5D2M6gDk2
JnCY0kWqChKVHLziwv20s5Tq2m4HSYiaVvwp1AW2Zk7ndmuhpvg1AkBvA8oHcugz
NbeMsDXoXKX0FJ7Ae6sdy3tpJ3pwMnJBZmLbW54HLK5xeeyM5ej8seVlPylZv5kf
OkR4W7azoUs8
-----END PRIVATE KEY-----
"
next
end
config system certificate intermediate_ca_group
edit "cg1"
config group_member
edit 1
set ca c1
set default enable
next
end
next
end
config system certificate local_cert_group
edit "lg1"
config group_member
edit 1
set local-cert Factory
set intermediate-ca-group cg1
set default enable
next
end
next
end
config system certificate certificate_verify
end
config system mailserver
end
config router static
edit 1
set gateway 172.30.154.254
next
end
config system address
edit "all"
next
end
config load-balance profile
edit "183p1"
set type https
set ssl-ciphers ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA
set local-cert-group lg1
set ssl-proxy enable
next
end
config load-balance connection-pool
end
config load-balance ippool
end
config load-balance rs-profile
end
config load-balance pool
edit "L2VSRS"
set health-check-ctrl enable
set health-check-list LB_HLTHCK_ICMP
set real-server-profile LB_RS_PROF_NONE
config pool_member
edit 2
set ip 10.1.65.165
set pool_member_server_name L2VSRS2
set pool_member_service_port 8080
next
edit 1
set ip 10.1.60.163
set pool_member_server_name L2VSRS1
set pool_member_service_port 8080
next
end
next
end
config load-balance method
end
config load-balance persistence
end
config load-balance content-rewriting
end
config load-balance content-routing
end
config user local
end
config user user-group
end
config load-balance auth-policy
end
config load-balance l2-exception-list
edit "l1"
set description l1
config member
edit 1
set host-pattern *.bankofamerica.com
next
end
next
end
config load-balance virtual-server
edit "L2VS183"
set type l2-load-balance
set interface port2
set port 443
set load-balance-profile 183p1
set load-balance-persistence LB_PERSIS_HASH_SRC_ADDR_PORT
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool L2VSRS
set traffic-log enable
set l2-exception-list l1
next
end
config link-load-balance persistence
edit "LGP1"
next
end
config link-load-balance gateway
edit "LGGW1"
set ip 10.1.60.163
set health-check-ctrl enable
set health-check-list LB_HLTHCK_ICMP
next
edit "LGGW2"
set ip 10.1.65.165
set health-check-ctrl enable
set health-check-list LB_HLTHCK_ICMP
next
end
config link-load-balance link-group
edit "LG1"
set persistence LGP1
config link-member
edit "LGM1"
set gateway LGGW1
next
edit "LGM2"
set gateway LGGW2
next
end
next
edit "LG2"
config link-member
edit "LG2M1"
set gateway LGGW1
next
end
next
end
config link-load-balance virtual-tunnel
end
config link-load-balance flow-policy
set default-link-group LG2
config rule
edit "LGpolicy1"
set in-interface port2
set link-group LG1
next
end
end

External FortiADC

config system global
set hostname FADC-External
set admin-idle-timeout 480
end
config system interface
edit "port1"
set vdom root
config ha-node-ip-list
end
next
edit "port2"
set vdom root
config ha-node-ip-list
end
next
edit "port3"
set vdom root
config ha-node-ip-list
end
next
edit "port4"
set vdom root
set ip 10.1.70.159/24
set allowaccess ping ssh snmp telnet
config ha-node-ip-list
end
next
edit "port5"
set vdom root
set ip 10.1.80.159/24
set allowaccess ping ssh snmp telnet
config ha-node-ip-list
end
next
edit "port6"
set vdom root
set ip 10.1.75.159/24
set allowaccess ping ssh snmp telnet
config ha-node-ip-list
end
next
edit "port7"
set vdom root
config ha-node-ip-list
end
next
edit "port8"
set vdom root
config ha-node-ip-list
end
next
edit "port9"
set vdom root
config ha-node-ip-list
end
next
edit "port10"
set vdom root
config ha-node-ip-list
end
next
end
config system dns
set primary 8.8.8.8
set secondary 208.91.112.52
end
config system time manual
end
config system time ntp
set ntpsync enable
end
config system admin
edit "admin"
set is-system-admin yes
set vdom root
set access-profile super_admin_prof
next
end
config system ha
end
config system snmp sysinfo
end
config system snmp threshold
end
config system snmp community
end
config system snmp user
end
config system fortiguard
end
config system certificate local
end
config system certificate ca_group
end
config system certificate intermediate_ca
end
config system certificate certificate_verify
end
config system mailserver
set smtp-auth disable
end
config router static
edit 1
set gateway 172.30.154.254
next
end
config user radius
end
config user ldap
end
config log alertemail recipient
end
config log alertemail setting
set by_category disable
set loglevel information
set deferq-interval 1
end
config load-balance pool
edit "L2RSport443"
set health-check-ctrl enable
set health-check-list LB_HLTHCK_ICMP
set real-server-ssl-profile LB_RS_SSL_PROF_DEFAULT
config pool_member
edit 1
set ip 10.1.80.200
set pool_member_service_port 443
set pool_member_server_name L2RS-external-gateway
next
end
next
end
config load-balance virtual-server
edit "L2VSport8080_port4"
set type l2-load-balance
set interface port4
set port 8080
set load-balance-profile LB_PROF_HTTP
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool L2RSport443
set id 6
next
edit "L2VSport8080_port6"
set type l2-load-balance
set interface port6
set port 8080
set load-balance-profile LB_PROF_HTTP
set load-balance-method LB_METHOD_ROUND_ROBIN
set load-balance-pool L2RSport443
set id 12
next
end
Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.