Fortinet black logo

Administration Guide

How to offload or inspect HTTPS

Whether offloading or merely inspecting for HTTPS, FortiWeb must have a copy of your protected web servers’ X.509 server certificates. FortiWeb also has its own server certificate, which it uses to prove its own identity.

Which certificate will be used, and how, depends on the purpose.

  • For connections to the web UI—The FortiWeb appliance presents its own HTTPS Server Certificate which is used only for connections to the web UI.
A Fortinet factory default certificate is used as the FortiWeb appliance’s HTTPS server certificate. It can be replaced with other certificates. For details, see How to change FortiWeb's default certificate.
  • For SSL offloading or SSL inspection—Server certificates do not belong to the FortiWeb appliance itself, but instead belong to the protected web servers. FortiWeb uses the web server’s certificate because it either acts as an SSL agent for the web server, or is privy to its secure connections for the purpose of scanning. It can be either How to offload or inspect HTTPS or How to offload or inspect HTTPS.
    You can select which one the FortiWeb appliance uses when you configure Enable Server Name Indication (SNI) or Certificate in a server policy (see Configuring a server policy), or Certificate File in a server pool (see How to offload or inspect HTTPS).
  • For connections to back-end servers—A certificate you specify in a server pool configuration if connections to a pool member require a valid client certificate. For details, see Creating an HTTP server pool.

Whether offloading or merely inspecting for HTTPS, FortiWeb must have a copy of your protected web servers’ X.509 server certificates. FortiWeb also has its own server certificate, which it uses to prove its own identity.

Which certificate will be used, and how, depends on the purpose.

  • For connections to the web UI—The FortiWeb appliance presents its own HTTPS Server Certificate which is used only for connections to the web UI.
A Fortinet factory default certificate is used as the FortiWeb appliance’s HTTPS server certificate. It can be replaced with other certificates. For details, see How to change FortiWeb's default certificate.
  • For SSL offloading or SSL inspection—Server certificates do not belong to the FortiWeb appliance itself, but instead belong to the protected web servers. FortiWeb uses the web server’s certificate because it either acts as an SSL agent for the web server, or is privy to its secure connections for the purpose of scanning. It can be either How to offload or inspect HTTPS or How to offload or inspect HTTPS.
    You can select which one the FortiWeb appliance uses when you configure Enable Server Name Indication (SNI) or Certificate in a server policy (see Configuring a server policy), or Certificate File in a server pool (see How to offload or inspect HTTPS).
  • For connections to back-end servers—A certificate you specify in a server pool configuration if connections to a pool member require a valid client certificate. For details, see Creating an HTTP server pool.