SSL/TLS load balancing
In a firewall load balancing virtual server configuration, you can select SSL as the virtual server type to load balance only SSL and TLS sessions. The virtual server load balances SSL and TLS sessions that arrive on the virtual server interface with a destination IP address matching the configured virtual server IP address and a destination port matching the configured virtual server port. Set this port to the destination port of the sessions to be load balanced.
For SSL load balancing you can also set persistence to SSL session ID. Persistence is achieved by the FortiGate unit sending all sessions with the same SSL session ID to the same real server. When you configure persistence, the FortiGate unit load balances a new session (one that presents no SSL session ID, or an ID it has not seen before) to a real server according to the Load Balance Method. Once that session has an SSL session ID, the FortiGate unit sends all subsequent sessions that present the same SSL session ID to the same real server. Persistence therefore depends on the client reusing its session ID: a client that performs a full handshake for every connection is load balanced afresh each time.
SSL offloading
Use SSL offloading to accelerate clients' SSL or HTTPS connections to real servers by having the FortiGate unit perform the SSL operations, offloading them from the real servers onto the FortiGate unit's SSL acceleration hardware. FortiGate units can offload SSL 3.0 and TLS 1.0. SSL offloading is available only on FortiGate units that support SSL acceleration.
To configure SSL offloading from the web-based manager go to Policy & Objects > Virtual Servers. Add a virtual server and set the type to HTTPS or SSL and select the SSL offloading type (Client <-> FortiGate or Client <-> FortiGate <-> Server).
Select Client <-> FortiGate to apply hardware accelerated SSL processing only to the segment of the connection between the client and the FortiGate unit. This mode is called half mode SSL offloading. The segment between the FortiGate unit and the server uses clear text, so that segment should sit on a network you trust. This mode gives the best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
Select Client <-> FortiGate <-> Server to apply hardware accelerated SSL processing to both segments of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. This mode is called full mode SSL offloading. The segment between the FortiGate unit and the server is encrypted, but the FortiGate unit keeps SSL session state with the server so that the handshakes on that segment are abbreviated (resumed) rather than full. Performance is lower than in half mode but still better than communications without SSL acceleration, and this mode can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this mode also enables SSL acceleration without requiring changes to the server's configuration.
Figure: SSL offloading modes. Client <-> FortiGate (half-mode): the FortiGate unit's SSL accelerator terminates the client's SSL session and forwards clear text to the web server cluster. Client <-> FortiGate <-> Server (full-mode): the FortiGate unit's SSL accelerator terminates the client's SSL session and opens an encrypted session through the NAT router to the web server cluster.
Configuring SSL offloading also requires selecting a certificate to use for the SSL offloading sessions. The certificate key size must be 1024 or 2048 bits; 4096-bit keys are not supported. Prefer a 2048-bit key, since 1024-bit RSA keys are no longer considered strong enough for a public-facing service.
The following CLI command shows an example half mode HTTPS SSL offloading configuration. In the example the ssl-mode option sets the SSL offload mode to half (which is the default mode).
config firewall vip
    edit Vserver-ssl-offload
        set type server-load-balance
        set server-type https
        set ldb-method round-robin
        set extip 172.20.120.30
        set extintf wan1
        set extport 443
        set persistence ssl-session-id
        set ssl-mode half
        set ssl-certificate my-cert
        set monitor tcp-mon-1
        config realservers
            edit 1
                set ip 10.31.101.30
                set port 443
            next
            edit 2
                set ip 10.31.101.40
                set port 443
            next
        end
    next
end
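For contrast, the following is a full mode variant of the same virtual server that also sets the CLI-only SSL options listed under Additional SSL load balancing options. This is an added example rather than a configuration taken from the FortiOS documentation; the addresses, interface name, certificate name and monitor name are the same placeholders as in the half mode example, and the session-state counts and timeouts are illustrative values to be sized for your own traffic.

```text
config firewall vip
    edit Vserver-ssl-offload-full
        set type server-load-balance
        set server-type https
        set ldb-method round-robin
        set extip 172.20.120.30
        set extintf wan1
        set extport 443
        set persistence ssl-session-id
        set ssl-mode full
        set ssl-certificate my-cert
        set ssl-min-version tls-1.0
        set ssl-max-version tls-1.0
        set ssl-dh-bits 2048
        set ssl-send-empty-frags enable
        set ssl-client-session-state-type both
        set ssl-client-session-state-max 1000
        set ssl-client-session-state-timeout 30
        set ssl-server-session-state-type both
        set ssl-server-session-state-max 100
        set ssl-server-session-state-timeout 30
        set ssl-http-location-conversion enable
        set ssl-http-match-host enable
        set monitor tcp-mon-1
        config realservers
            edit 1
                set ip 10.31.101.30
                set port 443
            next
            edit 2
                set ip 10.31.101.40
                set port 443
            next
        end
    next
end
```

The points worth noting: ssl-min-version tls-1.0 refuses SSL 3.0 clients; ssl-dh-bits 2048 avoids the 1024-bit Diffie-Hellman groups that are now within reach of well-resourced attackers; the ssl-server-session-state options only take effect because ssl-mode is full; and ssl-http-match-host ensures that a redirect the real server issues to some other host is not rewritten to https. After committing, show firewall vip Vserver-ssl-offload-full confirms the settings as stored, which is the quickest way to catch a value the CLI silently rejected.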
Additional SSL load balancing options
The following SSL load balancing and SSL offloading options are only available from the CLI:
ssl-client-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit.
ssl-client-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit.
ssl-client-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when deciding to expire SSL session states for the segment of the SSL connection between the client and the FortiGate unit.
- both: Select to expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, whichever occurs first.
- count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
- disable: Select to keep no SSL session states. Every client connection then requires a full handshake, which is the most expensive case for the accelerator.
- time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.
ssl-dh-bits <bits_int>
Enter the size, in bits, of the prime used for the Diffie-Hellman key exchange when the SSL connection negotiates an ephemeral Diffie-Hellman (DHE) cipher suite authenticated by the virtual server's RSA certificate. Larger primes give greater cryptographic strength; groups of 1024 bits or less are considered weak, so use 2048 bits wherever the client base supports it.
ssl-http-location-conversion {enable | disable}
Select to replace http with https in the reply’s Location HTTP header field. For example, in the reply,
Location: http://example.com/ would be converted to Location: https://example.com/
ssl-http-match-host {enable | disable}
Select to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field, or, if the Host field does not exist, the host name portion of the request’s URI. If disabled, conversion occurs regardless of whether the host names in the request and the reply match.
For example, if host matching is enabled, and a request contains Host: example.com and the reply contains Location: http://example.cc/, the Location field does not match the host of the original request and the reply’s Location field remains unchanged. If the reply contains Location: http://example.com/, however, then the FortiGate unit detects the matching host name and converts the reply field to Location: https://example.com/.
This option appears only if ssl-http-location-conversion is enable.
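The Location rewriting described above is easy to get subtly wrong, so here is the logic in working form. This is an added Python example, not FortiGate code: convert_location() implements ssl-http-location-conversion, its match_host parameter implements ssl-http-match-host (including the fallback to the request URI's host when there is no Host header), and rewrite_response_headers() applies it to a constructed response. The function names, the dictionary of request headers and the sample messages are all assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit


def requested_host(request_headers: dict, request_uri: str) -> str:
    """Host name the client asked for: the Host header if present, otherwise the
    host part of an absolute request URI. Returns '' if neither is available.
    Ports are stripped so that 'example.com:8443' still matches 'example.com'."""
    host = request_headers.get("Host") or request_headers.get("host") or ""
    if host:
        return host.split(":", 1)[0].lower()
    return (urlsplit(request_uri).hostname or "").lower()


def convert_location(location: str, request_headers: dict, request_uri: str,
                     match_host: bool = True) -> str:
    """Return the Location value to send back to the client.

    Only an absolute http:// URL is rewritten to https://. A Location that is
    already https, or a relative redirect, is returned untouched. With
    match_host=True (ssl-http-match-host enable) the rewrite happens only when
    the host in Location equals the host the client requested; with
    match_host=False every http:// Location is rewritten."""
    parsed = urlsplit(location)
    if parsed.scheme != "http":          # urlsplit lower-cases the scheme
        return location
    if match_host and (parsed.hostname or "").lower() != requested_host(request_headers, request_uri):
        return location                  # redirect to a different host: leave it alone
    return urlunsplit(("https", parsed.netloc, parsed.path, parsed.query, parsed.fragment))


def rewrite_response_headers(response_lines: list, request_headers: dict, request_uri: str,
                             match_host: bool = True) -> list:
    """Apply convert_location() to each Location header in a list of response header lines."""
    rewritten = []
    for line in response_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            line = f"{name}: {convert_location(value.strip(), request_headers, request_uri, match_host)}"
        rewritten.append(line)
    return rewritten


if __name__ == "__main__":
    # Constructed request and response, for illustration only.
    request = {"Host": "example.com"}
    response = ["HTTP/1.1 302 Found",
                "Location: http://example.com/account",
                "Content-Length: 0"]
    for header in rewrite_response_headers(response, request, "/login"):
        print(header)
```

The scheme check matters: a real server that already issues https:// redirects, or relative ones, must not be touched, and a Location pointing at a third-party host must be left as-is when host matching is on, otherwise the FortiGate unit would advertise an https endpoint it does not serve.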
ssl-max-version {ssl-3.0 | tls-1.0}
Enter the maximum version of SSL/TLS to accept in negotiation.
ssl-min-version {ssl-3.0 | tls-1.0}
Enter the minimum version of SSL/TLS to accept in negotiation. SSL 3.0 is obsolete and vulnerable to padding-oracle attacks (POODLE); set ssl-min-version to tls-1.0 unless you must support clients that cannot negotiate TLS.
ssl-send-empty-frags {enable | disable}
Select to precede each record with an empty fragment. This is the standard countermeasure against chosen-plaintext attacks on the predictable CBC initialization vector in SSL 3.0 and TLS 1.0 (the BEAST attack). Leave it enabled unless SSL acceleration must interoperate with an old or buggy SSL implementation that cannot handle empty fragments.
ssl-server-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit.
ssl-server-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate unit. This option appears only if ssl-mode is full.
ssl-server-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when deciding to expire SSL session states for the segment of the SSL connection between the server and the FortiGate unit. This option appears only if ssl-mode is full.
- both: Select to expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, whichever occurs first.
- count: Select to expire SSL session states when ssl-server-session-state-max is exceeded.
- disable: Select to keep no SSL session states. The FortiGate unit then performs a full handshake with the server for every connection, giving up the abbreviated handshakes that make full mode worthwhile.
- time: Select to expire SSL session states when ssl-server-session-state-timeout is exceeded.
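To make the interaction between SSL session ID persistence (described under SSL/TLS load balancing) and the client-side and server-side session-state options concrete, here is a small Python model of both. It is an added example and not FortiGate code: SessionStateCache implements the four expiry types (both, count, disable, time) with the max and timeout parameters, and SslVirtualServer shows how persistence uses such a cache, picking a real server by round robin for a new session and then pinning the session ID that the real server assigns in its ServerHello. In full mode a second SessionStateCache would hold the FortiGate-to-server states in the same way. The class and method names, the injectable clock and the server addresses are assumptions made for the example.

```python
import itertools
import time
from collections import OrderedDict


class SessionStateCache:
    """Session state for one segment (client<->FortiGate or FortiGate<->server).

    state_type mirrors ssl-*-session-state-type:
      'count'   drop the oldest states once max_states is exceeded
      'time'    drop states older than timeout_min minutes
      'both'    apply both rules, whichever triggers first
      'disable' keep no session state at all
    """

    def __init__(self, state_type="both", max_states=1000, timeout_min=30, clock=time.monotonic):
        if state_type not in ("both", "count", "disable", "time"):
            raise ValueError(f"unknown session-state-type {state_type!r}")
        self.state_type = state_type
        self.max_states = max_states
        self.timeout_s = timeout_min * 60
        self.clock = clock                      # injectable so expiry can be tested offline
        self._states = OrderedDict()            # session_id -> (real_server, stored_at)

    def _expire(self):
        now = self.clock()
        if self.state_type in ("time", "both"):
            for sid, (_, stored_at) in list(self._states.items()):
                if now - stored_at > self.timeout_s:
                    del self._states[sid]
        if self.state_type in ("count", "both"):
            while len(self._states) > self.max_states:
                self._states.popitem(last=False)   # oldest entry first

    def store(self, session_id, real_server):
        if self.state_type == "disable":
            return                              # nothing is ever remembered
        self._states[session_id] = (real_server, self.clock())
        self._states.move_to_end(session_id)
        self._expire()

    def lookup(self, session_id):
        self._expire()
        entry = self._states.get(session_id)
        return entry[0] if entry else None

    def __len__(self):
        return len(self._states)


class SslVirtualServer:
    """Round-robin load balancing with persistence ssl-session-id."""

    def __init__(self, real_servers, client_cache):
        self._round_robin = itertools.cycle(real_servers)   # the Load Balance Method
        self.client_cache = client_cache

    def pick_server(self, client_session_id):
        """Choose the real server for a connection whose ClientHello carries
        client_session_id (None or b'' for a fresh session)."""
        if client_session_id:
            server = self.client_cache.lookup(client_session_id)
            if server is not None:
                return server                   # known session ID: stick to the same server
        return next(self._round_robin)          # new session: balance it

    def learn_session(self, server_session_id, real_server):
        """Record the session ID the chosen real server assigned in its ServerHello."""
        self.client_cache.store(server_session_id, real_server)


if __name__ == "__main__":
    # Constructed walk-through: two real servers, a cache that keeps at most two states.
    cache = SessionStateCache("both", max_states=2, timeout_min=30)
    vserver = SslVirtualServer(["10.31.101.30", "10.31.101.40"], cache)
    first = vserver.pick_server(None)
    vserver.learn_session(b"sid-1", first)
    print("new session went to", first)
    print("resumed session goes to", vserver.pick_server(b"sid-1"))
```

Sizing follows from the model: with count-based expiry a burst of new sessions evicts the states of clients that are still active, so they fall back to full handshakes and, under persistence, may land on a different real server; with time-based expiry only, a popular site can hold a very large number of states. Setting both bounds, as the both type does, is the safest default.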