The Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), are widely deployed by organizations to protect network communications. While SSL/TLS provides data privacy and integrity, it also creates a problem for the inspection devices in the security stack: they cannot see inside the encrypted traffic. What if attackers are hiding malware in it?
An integrated F5 and Fortinet FortiGate solution addresses this. F5 BIG-IP SSL Orchestrator centralizes SSL/TLS decryption and re-encryption, and forwards the decrypted traffic to one or more Fortinet FortiGate VMs, which inspect it and block threats that encryption would otherwise hide. This removes the inspection blind spot that SSL/TLS introduces.
This article assumes you already have SSL Orchestrator configured with a Topology and a Service Chain. It covers the FortiGate side: the FortiGate is configured as an explicit web proxy to which SSL Orchestrator sends the decrypted HTTP traffic.
F5 BIG-IP version 17.1
F5 SSL Orchestrator version 11.0
Fortinet FortiGate Virtual Appliance
Fortinet FortiGate version 7.2.4
Deployed on VMware ESXi version 6.7
Fortinet FortiGate will be configured as an Explicit Proxy.
If setting up SSL Orchestrator for the first time refer to the Deployment Guide available HERE
For information on SSL Certificate considerations and trust, click HERE
Fortinet FortiGate Virtual Edition Configuration
ESX Virtual Hardware Configuration
The Network Adapters should be configured like the following:
Network Adapter 1 is used for Management and corresponds to the “mgmt” interface on the FortiGate.
Network Adapter 3 is used for Explicit Proxy connections and corresponds to the “port2” interface on the FortiGate.
The other Network Adapters are not used.
Create a Port Group for BIG-IP to connect to the port2 interface (Network Adapter 3) of the FortiGate. The ESX vSwitch topology should be configured as follows:
Fortinet FortiGate Configuration
Enable the Explicit Proxy feature (System > Feature Visibility) so that its configuration pages are shown in the GUI.
Configure the Explicit Web Proxy (Network > Explicit Proxy) as follows:
Configure the network interface that faces the BIG-IP (Network > Interfaces) as follows:
Double click on port2 to configure it.
Specify the IP address and mask to be used, 10.0.0.49 255.255.255.0 in this example.
Enable the Explicit Web Proxy option on the interface and click OK.
A Static Route is needed for the Explicit Proxy connection, so that traffic the proxy forwards leaves through port2 toward the BIG-IP rather than through the management interface. Configure it as follows:
Test this connection now and it should look like the following:
In this example the FortiGate VM is configured with a Custom Category to block connections to http://192.168.0.99. When attempting to connect to this site with a web browser you should see a block page like the following:
Note: in the block page you can see that the FortiGate VM has identified this site as HTTP and not HTTPS. This is because SSL Orchestrator has decrypted the HTTPS session and sent the content to the FortiGate as plaintext HTTP. The FortiGate therefore never sees a TLS handshake for this traffic, and any web filter or proxy rule that keys on the scheme or port must be written for HTTP, not HTTPS.
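For readers who prefer the CLI or want to script the deployment, the following is an added FortiOS 7.2 CLI equivalent of the GUI steps above (interface, explicit web proxy, static route) together with the custom-category block used for the 192.168.0.99 test. It is not from the original article or from Fortinet's documentation; it was written for this page. The article gives only the port2 address (10.0.0.49/24) and the test URL, so the proxy port 8080, the gateway 10.0.0.1 (taken to be the BIG-IP self IP on the service network), the local category id 140 and the object names are assumptions and are marked as such in the comments.

```fortios
# Added example (not from the original article): FortiOS 7.2 CLI form of the
# FortiGate configuration described above. Assumed values are marked inline.

# Only exposes the Explicit Proxy pages in the GUI; the CLI does not need it.
config system settings
    set gui-explicit-proxy enable
end

# port2 (ESX Network Adapter 3) faces the BIG-IP service network.
# 10.0.0.49/24 is the address used in the article.
config system interface
    edit "port2"
        set ip 10.0.0.49 255.255.255.0
        set allowaccess ping
        set explicit-web-proxy enable
    next
end

# Explicit web proxy listener. 8080 is the FortiOS default and is assumed to be
# the proxy port configured on the SSL Orchestrator HTTP service.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
end

# Route so proxied traffic returns to the BIG-IP over port2 instead of leaving via mgmt.
# 10.0.0.1 is an ASSUMED BIG-IP self IP on 10.0.0.0/24; the article does not state it.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.0.0.1
        set device "port2"
    next
end

# Custom local category that blocks the test site. 192.168.0.99 is the article's
# example; category id 140 is ASSUMED to be a free local-category id on this unit.
config webfilter ftgd-local-cat
    edit "SSLO-Blocked-Sites"
        set id 140
    next
end
config webfilter ftgd-local-rating
    edit "192.168.0.99"
        set rating 140
    next
end
config webfilter profile
    edit "sslo-test"
        config ftgd-wf
            config filters
                edit 1
                    set category 140
                    set action block
                next
            end
        end
    next
end

# Proxy policy that allows the explicit proxy to forward requests and applies the
# web filter profile. Without a proxy policy the explicit proxy denies everything.
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set webfilter-profile "sslo-test"
    next
end
```

Because the decrypted traffic arrives as plaintext HTTP, the local rating entry matches the request to http://192.168.0.99 without any SSL inspection profile on the FortiGate. If the management interface already carries a default route, adjust the port2 route (a more specific destination or a different administrative distance) so that the two do not conflict.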
Check the Security Dashboard on the FortiGate VM and you should see something like the following:
Here you can see the attempt to access 192.168.0.99 is logged as a High Threat Level.
This completes configuration of BIG-IP SSL Orchestrator with Fortinet FortiGate Virtual Edition. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the Fortinet FortiGate Service and inspected for malicious payloads or policy violations.