Technical Articles
F5 SMEs share good practice.

KevinGallaugher
F5 Employee

Introduction

The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are being widely adopted by organizations to secure IP communications. While SSL/TLS provides data privacy and secure communications, it also creates challenges to inspection devices in the security stack. What if attackers are hiding malware inside the encrypted traffic?

An integrated F5 and Fortinet FortiGate solution solves the SSL/TLS challenges. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS inspection. The decrypted traffic is then inspected by one or more Fortinet FortiGate VMs, which can block previously hidden threats. This solution eliminates the blind spots introduced by SSL/TLS.

Prerequisites

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

F5 BIG-IP version 17.1

F5 SSL Orchestrator version 11.0

Fortinet FortiGate Virtual Appliance

Fortinet FortiGate version 7.2.4

Deployed on VMWare ESXi version 6.7

Fortinet FortiGate will be configured as an Explicit Proxy

Additional Help

If you are setting up SSL Orchestrator for the first time, refer to the Deployment Guide available HERE.

For information on SSL Certificate considerations and trust, click HERE.

Fortinet FortiGate Virtual Edition Configuration

ESX Virtual Hardware Configuration

The Network Adapters should be configured like the following:

Screen Shot 2023-03-29 at 10.16.13 AM.png

Network Adapter 1 is used for Management and corresponds to the “mgmt” interface on the FortiGate.

Network Adapter 3 is used for Explicit Proxy connections and corresponds to the “port2” interface on the FortiGate.

The other Network Adapters are not used.

Create a Port Group for BIG-IP to connect to the port2 interface (Network Adapter 3) of the FortiGate. The ESX vSwitch topology should be configured as follows:

Screen Shot 2023-03-29 at 10.20.20 AM.png

Fortinet FortiGate Configuration

Enable the Explicit Proxy feature.

Screen Shot 2023-03-29 at 10.22.25 AM.png

Configure the Explicit Web Proxy as follows:

Screen Shot 2023-03-29 at 10.41.49 AM.png

Configure a Network Interface as follows.

Double-click port2 to configure it.

Screen Shot 2023-03-29 at 10.24.56 AM.png

Specify the IP address and mask to be used, 10.0.0.49 255.255.255.0 in this example.

Enable the Explicit web proxy and click OK.

Screen Shot 2023-03-29 at 10.27.07 AM.png

A Static Route is needed for the Explicit Proxy connection. Configure it as follows:

Screen Shot 2023-03-30 at 10.10.41 AM.png
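The same FortiGate settings expressed as FortiOS CLI, added here as an example and not taken from the article: port2 addressed 10.0.0.49/24 with the explicit web proxy enabled, the proxy listening on 8080, and the static route. The default-route next hop 10.0.0.1 (the BIG-IP Self IP the FortiGate exchanges proxy traffic with) and the permit-all explicit-proxy policy are assumptions, since the article's screenshots do not show those values.

```fortios
# FortiOS 7.2 CLI equivalent of the GUI steps above (added example).
# Lines starting with # are comments.

# 1. Enable the explicit web proxy feature and set its listening port
#    (8080 is the port SSL Orchestrator's HTTP Proxy Device points at).
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end

# 2. Address port2 (ESX Network Adapter 3) and bind the explicit proxy to it.
config system interface
    edit "port2"
        set ip 10.0.0.49 255.255.255.0
        set allowaccess ping
        set explicit-web-proxy enable
    next
end

# 3. Static route for the proxy connection.
#    ASSUMPTION: the next hop is the BIG-IP Self IP 10.0.0.1 on the same /24,
#    so responses to decrypted requests return over port2 to the BIG-IP.
config router static
    edit 1
        set gateway 10.0.0.1
        set device "port2"
    next
end

# 4. ASSUMPTION: an explicit-proxy policy is needed before the proxy forwards
#    anything. Attach the web filter profile that carries your Custom Category
#    (the one blocking 192.168.0.99 in the test section); the name is a placeholder.
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set srcintf "port2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set webfilter-profile "YOUR-WEBFILTER-PROFILE"
    next
end

# Verify the interface address, the static route and the 8080 listener.
show system interface port2
get router info routing-table static
diagnose sys tcpsock | grep 8080
```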

F5 BIG-IP SSL Orchestrator VMWare ESXi Configuration

Configure the Virtual Machine Network Adapters as follows:

Screen Shot 2023-03-29 at 10.57.42 AM.png

Network Adapter 1 is used for Management and corresponds to the management interface on the BIG-IP.

Network Adapter 2 is used for Explicit Proxy connections to/from the FortiGate.

Network Adapter 3 is used for network connectivity from the BIG-IP to the North.

Network Adapter 4 is used for network connectivity from the BIG-IP to the South.

BIG-IP SSL Orchestrator Network Configuration

The BIG-IP VLAN settings should look like the following:

Screen Shot 2023-03-29 at 11.00.16 AM.png

Network_North is used for network connectivity from the BIG-IP to the North.

Network_South is used for network connectivity from the BIG-IP to the South.

The BIG-IP Self IPs setting should look like the following:

Screen Shot 2023-03-29 at 11.02.33 AM.png

10.0.0.1 will be used for Explicit Proxy connections to the FortiGate.

Note: in this example SSL Orchestrator is deployed with an L3 Inbound Topology; the other two Self IPs belong to that topology. Your configuration will look different if you use an L2 Topology.

BIG-IP SSL Orchestrator Configuration

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

Navigate to SSL Orchestrator > Configuration.

Screen Shot 2023-03-30 at 8.52.01 AM.png

Create the Fortinet FortiGate Service

Under Services, click Add.

Screen Shot 2023-03-21 at 11.19.18 AM.png

In the Service Catalog, select the Inline HTTP tab, then double-click Fortinet Secure Web Gateway HTTP Proxy.

Screen Shot 2023-03-29 at 11.18.32 AM.png

Give it a name, FortiGate in this example. Under Service Definition, deselect the option to Auto Manage Addresses.

Screen Shot 2023-03-29 at 11.20.25 AM.png

For the To Service VLAN select 10.0.0.1 (VLAN FortiGate_Egress).

Click Add for HTTP Proxy Devices.

Screen Shot 2023-03-29 at 11.22.54 AM.png

Enter the FortiGate IP address, 10.0.0.49 in this example. Set the port to 8080. Click Done.

Screen Shot 2023-03-29 at 11.25.24 AM.png

For the From Service VLAN select 10.0.0.1 (VLAN FortiGate_Egress).

Screen Shot 2023-03-29 at 11.27.02 AM.png

Click Save & Next at the bottom.

Screen Shot 2023-03-21 at 10.01.46 AM.png

Click the name of the Service Chain.

Screen Shot 2023-03-21 at 10.03.11 AM.png

Select the FortiGate Service from the left and click the arrow to move it to the right. Click Save.

Screen Shot 2023-03-29 at 11.28.36 AM.png

Click OK.

Screen Shot 2023-03-29 at 11.29.58 AM.png

Click Save & Next at the bottom.

Screen Shot 2023-03-21 at 10.08.17 AM.png

Click Deploy.

Screen Shot 2023-03-21 at 10.09.30 AM.png

Click OK to the Success message.

Screen Shot 2023-03-21 at 10.13.43 AM.png

When done it should look like the following:

Screen Shot 2023-03-29 at 11.32.16 AM.png

From the Services screen, if you expand the Pool Member Status, you should see the FortiGate VM.

Screen Shot 2023-03-29 at 11.33.47 AM.png

Testing the Configuration

In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:

https://192.168.0.5

Test this connection now and it should look like the following:

Screen Shot 2023-03-29 at 11.37.25 AM.png

In this example the FortiGate VM is configured with a Custom Category to block connections to http://192.168.0.99. When attempting to connect to this site with a web browser you should see a block page like the following:

Screen Shot 2023-03-29 at 11.39.06 AM.png

Note: in the block page you can see that the FortiGate VM has identified this site as HTTP and not HTTPS. This is because SSL Orchestrator has decrypted the HTTPS traffic and sent the content to the FortiGate as plain HTTP.

Check the Security Dashboard on the FortiGate VM and you should see something like the following:

Screen Shot 2023-03-29 at 11.41.11 AM.png

Here you can see that the attempt to access 192.168.0.99 is logged as a High Threat Level.

Conclusion

This completes configuration of BIG-IP SSL Orchestrator with Fortinet FortiGate Virtual Edition. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Fortinet FortiGate Service and inspected for malicious payloads or policy violations.

Related Articles

Integrating SSL Orchestrator with Fortinet FortiGate Virtual Edition as a Virtual Wire

Version history
Last update: 20-Nov-2023 13:40