WAN optimization SSL proxy chaining
An SSL server does not need to be defined for WAN optimization (WANOpt) SSL traffic offloading (traffic acceleration). The server-side FortiGate uses an SSL profile to resign the HTTP server's certificate, both with and without an external proxy, and without an SSL server configured. GCM and ChaCha ciphers can also be used in the SSL connection.
Examples
In these examples, HTTPS traffic is accelerated without configuring an SSL server, including with a proxy in between, and when the GCM or ChaCha ciphers are used.
Example 1
In this example, the server certificate is resigned by the server-side FortiGate, and HTTPS traffic is accelerated without configuring an SSL server.
HTTPS traffic using the GCM or ChaCha cipher can pass through the WANOpt tunnel.
To configure FGT_A:
- Configure the hard disk to perform WANOpt:
    config system storage
        edit "HDD2"
            set status enable
            set usage wanopt
            set wanopt-mode mix
        next
    end
- Configure the WANOpt peer and profile:
    config wanopt peer
        edit "FGT-D"
            set ip 120.120.120.172
        next
    end
    config wanopt profile
        edit "test"
            config http
                set status enable
                set ssl enable
            end
        next
    end
- Create an SSL profile with deep inspection on HTTPS port 443:
    config firewall ssl-ssh-profile
        edit "ssl"
            config https
                set ports 443
                set status deep-inspection
            end
        next
    end
- Configure a firewall policy in proxy mode with WANOpt enabled and the WANOpt profile selected:
    config firewall policy
        edit 1
            set name "WANOPT-A"
            set srcintf "port21"
            set dstintf "port27"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
            set wanopt enable
            set wanopt-profile "test"
            set nat enable
        next
    end
To configure FGT_D:
- Configure the hard disk to perform WANOpt:
    config system storage
        edit "HDD2"
            set status enable
            set usage wanopt
            set wanopt-mode mix
        next
    end
- Configure the WANOpt peer:
    config wanopt peer
        edit "FGT-A"
            set ip 110.110.110.171
        next
    end
- Create an SSL profile with deep inspection on HTTPS port 443. The default Fortinet_CA_SSL certificate is used to resign the server certificate:
    config firewall ssl-ssh-profile
        edit "ssl"
            config https
                set ports 443
                set status deep-inspection
            end
        next
    end
- Configure a firewall policy in proxy mode with WANOpt enabled and passive WANOpt detection:
    config firewall policy
        edit 1
            set name "WANOPT-B"
            set srcintf "port27"
            set dstintf "port23"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection passive
            set nat enable
        next
    end
- Configure a proxy policy to apply the SSL profile:
    config firewall proxy-policy
        edit 100
            set proxy wanopt
            set dstintf "port23"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set action accept
            set schedule "always"
            set utm-status enable
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
        next
    end
To confirm that traffic is accelerated:
- On the client PC, curl a 10MB test sample for the first time:
    root@client:/tmp# curl -k https://172.16.200.144/test_10M.pdf -O
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 9865k  100 9865k    0     0   663k      0  0:00:14  0:00:15 --:--:-- 1526k
  It takes 15 seconds to finish the download.
- On FGT_A, check the WAD statistics:
    # diagnose wad stats worker.tunnel
    comp.n_in_raw_bytes      10155840
    comp.n_in_comp_bytes     4548728
    comp.n_out_raw_bytes     29624
    comp.n_out_comp_bytes    31623

    # diagnose wad stats worker.protos.http
    wan.bytes_in             0
    wan.bytes_out            0
    lan.bytes_in             760
    lan.bytes_out            10140606
    tunnel.bytes_in          4548728
    tunnel.bytes_out         31623
- Curl the same test sample a second time:
    root@client:/tmp# curl -k https://172.16.200.144/test_10M.pdf -O
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 9865k  100 9865k    0     0   663k      0  0:00:01  0:00:01 --:--:-- 1526k
  It now takes less than one second to finish the download.
- On FGT_A, check the WAD statistics again:
    # diagnose wad stats worker.tunnel
    comp.n_in_raw_bytes      10181157
    comp.n_in_comp_bytes     4570331
    comp.n_out_raw_bytes     31627
    comp.n_out_comp_bytes    34702

    # diagnose wad stats worker.protos.http
    wan.bytes_in             0
    wan.bytes_out            0
    lan.bytes_in             1607
    lan.bytes_out            20286841
    tunnel.bytes_in          4570331
    tunnel.bytes_out         34702
  The tunnel bytes are mostly unchanged, but the LAN bytes have doubled. This means that the bytes of the second curl were served from the cache rather than fetched over the tunnel, showing that the traffic is accelerated.
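The comparison above is done by eye; as an added example (not part of the FortiOS documentation), the snippet below parses two snapshots of the `diagnose wad stats worker.protos.http` counters and applies the same test in code: the LAN side must have delivered roughly one more copy of the object (10102130 bytes, from the Content-Length in the curl output) while the tunnel carried only a small fraction of it. The sample text and the 5% tolerance are constructed for the example.

```python
# Added example: check the WANOpt acceleration criterion from two WAD stats
# snapshots. Sample output is constructed from the values shown on the page.
import re

FIRST = """\
# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 760
lan.bytes_out 10140606
tunnel.bytes_in 4548728
tunnel.bytes_out 31623
"""
SECOND = """\
# diagnose wad stats worker.protos.http
wan.bytes_in 0
wan.bytes_out 0
lan.bytes_in 1607
lan.bytes_out 20286841
tunnel.bytes_in 4570331
tunnel.bytes_out 34702
"""

COUNTER = re.compile(r"^\s*([\w.]+)\s+(\d+)\s*$")


def parse_wad_stats(text):
    """Return {counter_name: int} for every 'name value' line; the command echo is skipped."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def delta(before, after):
    """Per-counter growth between two snapshots (WAD counters only increase)."""
    return {k: after[k] - before.get(k, 0) for k in after}


def served_from_cache(before, after, object_size, tolerance=0.05):
    """True when lan.bytes_out grew by about one object while tunnel.bytes_in
    grew by no more than `tolerance` of the object: a byte-cache hit."""
    d = delta(before, after)
    lan_ok = abs(d["lan.bytes_out"] - object_size) <= tolerance * object_size
    tunnel_ok = d["tunnel.bytes_in"] <= tolerance * object_size
    return lan_ok and tunnel_ok


if __name__ == "__main__":
    before, after = parse_wad_stats(FIRST), parse_wad_stats(SECOND)
    print(delta(before, after))
    print("accelerated:", served_from_cache(before, after, object_size=10102130))
```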
To confirm that a curl using the GCM cipher is accepted and accelerated:
- On the client PC, curl a 10MB test sample with the GCM cipher:
    root@client:/tmp# curl -v -k --ciphers DHE-RSA-AES128-GCM-SHA256 https://172.16.200.144/test_10M.pdf -O
    *   Trying 172.16.200.144...
    * TCP_NODELAY set
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Connected to 172.16.200.144 (172.16.200.144) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: DHE-RSA-AES128-GCM-SHA256
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: none
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [100 bytes data]
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [1920 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    { [783 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    { [4 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    } [262 bytes data]
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    } [16 bytes data]
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    { [16 bytes data]
    * SSL connection using TLSv1.2 / DHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=ubuntu
    *  start date: Sep 20 21:38:01 2018 GMT
    *  expire date: Sep 17 21:38:01 2028 GMT
    *  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=Fortinet Untrusted CA; emailAddress=support@fortinet.com
    *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
    } [5 bytes data]
    > GET /test_10M.pdf HTTP/1.1
    > Host: 172.16.200.144
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    { [5 bytes data]
    < HTTP/1.1 200 OK
    < Date: Sat, 12 Jun 2021 00:31:08 GMT
    < Server: Apache/2.4.37 (Ubuntu)
    < Upgrade: h2,h2c
    < Connection: Upgrade
    < Last-Modified: Fri, 29 Jan 2021 20:10:25 GMT
    < ETag: "9a2572-5ba0f98404aa5"
    < Accept-Ranges: bytes
    < Content-Length: 10102130
    < Content-Type: application/pdf
    <
    { [5 bytes data]
    100 9865k  100 9865k    0     0  16.7M      0 --:--:-- --:--:-- --:--:-- 16.8M
    * Connection #0 to host 172.16.200.144 left intact
    * Closing connection 0
To confirm that a curl using the ChaCha cipher is accepted and accelerated:
- On the client PC, curl a 10MB test sample with the ChaCha cipher:
    root@client:/tmp# curl -v -k --ciphers ECDHE-RSA-CHACHA20-POLY1305 https://172.16.200.144/test.doc -O
    *   Trying 172.16.200.144...
    * TCP_NODELAY set
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
      0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    * Connected to 172.16.200.144 (172.16.200.144) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ECDHE-RSA-CHACHA20-POLY1305
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: none
    } [5 bytes data]
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    } [512 bytes data]
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    { [100 bytes data]
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    { [1920 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    { [300 bytes data]
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    { [4 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    } [37 bytes data]
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    } [1 bytes data]
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    } [16 bytes data]
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    { [16 bytes data]
    * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject: CN=ubuntu
    *  start date: Sep 20 21:38:01 2018 GMT
    *  expire date: Sep 17 21:38:01 2028 GMT
    *  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=Fortinet Untrusted CA; emailAddress=support@fortinet.com
    *  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
    } [5 bytes data]
    > GET /test.doc HTTP/1.1
    > Host: 172.16.200.144
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    { [5 bytes data]
    < HTTP/1.1 200 OK
    < Date: Sat, 12 Jun 2021 00:32:11 GMT
    < Server: Apache/2.4.37 (Ubuntu)
    < Upgrade: h2,h2c
    < Connection: Upgrade
    < Last-Modified: Wed, 05 May 2021 21:59:49 GMT
    < ETag: "4c00-5c19c504b63f4"
    < Accept-Ranges: bytes
    < Content-Length: 19456
    < Content-Type: application/msword
    <
    { [5 bytes data]
    100 19456  100 19456    0     0   137k      0 --:--:-- --:--:-- --:--:--  138k
    * Connection #0 to host 172.16.200.144 left intact
    * Closing connection 0
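Both curl captures above confirm two things by inspection: an AEAD cipher (GCM or ChaCha20-Poly1305) was negotiated, and the certificate the client received was issued by the FortiGate's inspection CA rather than by the origin server (the issuer is the Fortinet Untrusted CA because the origin certificate, CN=ubuntu, is self-signed and does not validate on the FortiGate, which is also why curl needs -k). As an added example, not part of the FortiOS documentation, the snippet below extracts those fields from curl's verbose output so the check can be scripted; the excerpt is constructed in the shape of the output above.

```python
# Added example: read the negotiated TLS version/cipher and the server
# certificate subject/issuer out of curl -v output. Sample text is constructed.
import re

CURL_VERBOSE = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=ubuntu
*  start date: Sep 20 21:38:01 2018 GMT
*  expire date: Sep 17 21:38:01 2028 GMT
*  issuer: C=US; ST=California; L=Sunnyvale; O=Fortinet; OU=Certificate Authority; CN=Fortinet Untrusted CA; emailAddress=support@fortinet.com
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
"""

CONN = re.compile(r"SSL connection using (\S+) / (\S+)")
FIELD = re.compile(r"^\*\s+(subject|issuer):\s*(.+)$")


def parse_curl_tls(text):
    """Return {'version', 'cipher', 'subject', 'issuer'} found in curl -v output."""
    info = {}
    for line in text.splitlines():
        m = CONN.search(line)
        if m:
            info["version"], info["cipher"] = m.group(1), m.group(2)
        m = FIELD.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def dn_field(dn, key):
    """Pick one attribute (e.g. 'CN') out of curl's 'K=V; K=V' distinguished name."""
    for part in dn.split(";"):
        k, _, v = part.strip().partition("=")
        if k == key:
            return v
    return None


def is_aead(cipher):
    """GCM and ChaCha20-Poly1305 suites are the AEAD ciphers the page exercises."""
    return "GCM" in cipher or "CHACHA20" in cipher


def resigned_by_fortigate(info):
    """True when the issuer is a FortiGate inspection CA (trusted or untrusted variant)."""
    issuer = info.get("issuer", "")
    return dn_field(issuer, "O") == "Fortinet" and dn_field(issuer, "OU") == "Certificate Authority"
```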
Example 2
In this example, an external proxy is added to the configuration in Example 1.
To reconfigure FGT_A:
    config firewall profile-protocol-options
        edit "protocol"
            config http
                set ports 80 8080
                unset options
                unset post-lang
            end
        next
    end
To reconfigure FGT_D:
- Configure a new firewall policy for traffic passing from port27 to port29:
    config firewall policy
        edit 1
            set name "WANOPT-B"
            set srcintf "port27"
            set dstintf "port29"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set inspection-mode proxy
            set wanopt enable
            set wanopt-detection passive
            set nat enable
        next
    end
- Configure a proxy policy for traffic on destination interface port29:
    config firewall proxy-policy
        edit 100
            set proxy wanopt
            set dstintf "port29"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set action accept
            set schedule "always"
            set profile-protocol-options "protocol"
            set ssl-ssh-profile "ssl"
        next
    end
To confirm that HTTPS traffic is still being accelerated:
- On the client PC, curl the same 10MB test sample through the explicit proxy:
    root@client:/tmp# curl -x 100.100.100.174:8080 -v -k https://172.16.200.144/test_10M.pdf -O
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 9865k  100 9865k    0     0   663k      0  0:00:01  0:00:01 --:--:-- 1526k
  It takes less than a second to finish the download.