Fortinet black logo

Administration Guide

Offloading vs. inspection

Offloading vs. inspection

Depending on the FortiWeb appliance’s operation mode, FortiWeb can act as the SSL/TLS terminator: instead of clients having an encrypted tunnel along the entire path to a back-end server, the client’s HTTPS request is encrypted/decrypted partway along its path to the server, when it reaches the FortiWeb. FortiWeb then is typically configured to forward unencrypted HTTP traffic to your servers. When the server replies, the server connects to the FortiWeb via clear text HTTP. FortiWeb then encrypts the response and forwards it via HTTPS to the client.

In this way, FortiWeb bears the load for encryption processing instead of your back-end servers, allowing them to focus resources on the network application itself. This is called SSL offloading.

SSL offloading can be associated with improved SSL/TLS performance. In hardware models with specialized ASIC chip SSL accelerator(s), FortiWeb can encrypt and decrypt packets at better speeds than a back-end server with a general-purpose CPU.

When SSL offloading, the web server does not use its own server certificate. Instead, FortiWeb acts like an SSL proxy for the web server, possessing the web server’s certificate and using it to:

  • authenticate itself to clients
  • decrypt requests
  • encrypt responses

whenever a client requests an HTTPS connection to that web server.

As a side effect of being an SSL terminator, the FortiWeb is in possession of both the HTTP request and reply in their decrypted state. Because they are not encrypted at that point on the path, FortiWeb can rewrite content and/or route traffic based upon the contents of Layer 7 (the application layer). Otherwise Layer 7 content-based routing and rewriting would be impossible: that part of the packets would be encrypted and unreadable to FortiWeb.

Secure traffic between FortiWeb and back-end servers when using SSL offloading. Failure to do so will compromise the security of all offloaded sessions. No attack will be apparent to clients, as SSL offloading cannot be detected by them, and therefore they will not receive any alerts that their session has been compromised.

For example, you might pass decrypted traffic to back-end servers as directly as possible, through one switch that is physically located in the same locked rack, and that has no other connections to the overall network.

However, depending on the operation mode, FortiWeb is not always an SSL terminator.

By their asynchronous nature, SSL termination cannot be supported in Transparent Inspection and Offline Protection modes. To terminate, FortiWeb must process traffic synchronously with the connection state. In those modes, the web server uses its own certificate, and acts as its own SSL terminator. The web server bears the load for SSL processing. FortiWeb only “listens in” and can interrupt the connection, but otherwise cannot change or reroute packets.

In those modes, FortiWeb only uses the web server’s certificate to decrypt traffic in order to scan it for policy violations. If there are no violations, it allows the existing encrypted traffic to continue without interruption. FortiWeb does not expend CPU and resources to re-encrypt, because it is not a terminator.

In other words, FortiWeb performs SSL inspection, not SSL offloading.

See also

Offloading vs. inspection

Depending on the FortiWeb appliance’s operation mode, FortiWeb can act as the SSL/TLS terminator: instead of clients having an encrypted tunnel along the entire path to a back-end server, the client’s HTTPS request is encrypted/decrypted partway along its path to the server, when it reaches the FortiWeb. FortiWeb then is typically configured to forward unencrypted HTTP traffic to your servers. When the server replies, the server connects to the FortiWeb via clear text HTTP. FortiWeb then encrypts the response and forwards it via HTTPS to the client.

In this way, FortiWeb bears the load for encryption processing instead of your back-end servers, allowing them to focus resources on the network application itself. This is called SSL offloading.

SSL offloading can be associated with improved SSL/TLS performance. In hardware models with specialized ASIC chip SSL accelerator(s), FortiWeb can encrypt and decrypt packets at better speeds than a back-end server with a general-purpose CPU.

When SSL offloading, the web server does not use its own server certificate. Instead, FortiWeb acts like an SSL proxy for the web server, possessing the web server’s certificate and using it to:

  • authenticate itself to clients
  • decrypt requests
  • encrypt responses

whenever a client requests an HTTPS connection to that web server.

As a side effect of being an SSL terminator, the FortiWeb is in possession of both the HTTP request and reply in their decrypted state. Because they are not encrypted at that point on the path, FortiWeb can rewrite content and/or route traffic based upon the contents of Layer 7 (the application layer). Otherwise Layer 7 content-based routing and rewriting would be impossible: that part of the packets would be encrypted and unreadable to FortiWeb.

Secure traffic between FortiWeb and back-end servers when using SSL offloading. Failure to do so will compromise the security of all offloaded sessions. No attack will be apparent to clients, as SSL offloading cannot be detected by them, and therefore they will not receive any alerts that their session has been compromised.

For example, you might pass decrypted traffic to back-end servers as directly as possible, through one switch that is physically located in the same locked rack, and that has no other connections to the overall network.

However, depending on the operation mode, FortiWeb is not always an SSL terminator.

By their asynchronous nature, SSL termination cannot be supported in Transparent Inspection and Offline Protection modes. To terminate, FortiWeb must process traffic synchronously with the connection state. In those modes, the web server uses its own certificate, and acts as its own SSL terminator. The web server bears the load for SSL processing. FortiWeb only “listens in” and can interrupt the connection, but otherwise cannot change or reroute packets.

In those modes, FortiWeb only uses the web server’s certificate to decrypt traffic in order to scan it for policy violations. If there are no violations, it allows the existing encrypted traffic to continue without interruption. FortiWeb does not expend CPU and resources to re-encrypt, because it is not a terminator.

In other words, FortiWeb performs SSL inspection, not SSL offloading.

See also