This section focuses on Virtual IPs in the FortiGate. I've learnt something that is not obvious behaviour, one of those 'remind me later' moments that I've encountered.
VIPs are essentially Destination Network Address Translation (DNAT) objects. For sessions matching the VIP, the destination address is translated. Let us go through some examples.
In the diagram above, all connections going out from 10.10.10.10 use 203.0.113.22 as their source address, not 203.0.113.10.
Now, this is where it gets a bit tricky and deviates from default firewall behaviour. In the firewall policy below, we would assume that no connections will be allowed to the LAN (internal_network), but VIPs live up to their name (very important IP) and let users reach the web server even though the deny policy is at the top of the list.
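To make that behaviour concrete, here is an added FortiOS CLI example (constructed for this page, not the post's own configuration): the VIP, then the deny policy in the form that lets VIP traffic through beside the corrected form that also matches DNATed packets. The addresses and the internal_network object come from the post; the interface names wan1 and internal, the object names and the policy ID are assumptions, and the default value of match-vip varies by FortiOS version, so it is set explicitly here.

```text
# Constructed example, not the post's configuration. Interface and object
# names are assumed; the addresses are the ones used in the post.
config firewall vip
    edit "web_server_vip"
        set extip 203.0.113.22
        set extintf "wan1"
        set mappedip "10.10.10.10"
    next
end

# Weak: with match-vip disabled, this deny policy is evaluated against the
# original destination only, so packets whose destination the VIP has already
# rewritten to 10.10.10.10 are not matched and the web server stays reachable.
config firewall policy
    edit 1
        set name "deny_inbound_to_lan"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "internal_network"
        set action deny
        set schedule "always"
        set service "ALL"
        set match-vip disable
    next
end

# Corrected: match-vip makes the same deny policy also match packets that
# have been DNATed by a VIP, so the deny at the top of the list takes effect.
config firewall policy
    edit 1
        set match-vip enable
    next
end
```

After the change, a session to 203.0.113.22 that previously showed up in the session table as allowed should no longer be built, which is the quickest way to confirm the deny now applies.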
We often come across websites whose certificates do not match the site. The browser presents a warning and the option to proceed at our own risk; the image below is quite common.
A number of applications and websites use SSL encryption correctly. In this case, the traffic goes through a Secure Sockets Layer (SSL) session and is encrypted. However, there are risks associated with its use, since encrypted traffic can be used to get around network security. In common cases, users can unknowingly download a malicious file during an e-commerce session, or a phishing attachment can arrive in a secure email. Since the traffic is encrypted, it can bypass the network's security measures. To protect against this threat, SSL inspection holds the key to unlock the sessions, examine the packets for possible threats and block them.
When deep inspection is used, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content. After successful inspection, it re-encrypts the content and creates a new session between the FortiGate and the recipient. A certificate from the FortiGate's own repository is used to re-encrypt the content.
There are two deployment methods used for SSL inspection.
Multiple clients connecting to multiple servers – This uses a CA certificate and is applied to outbound policies destined for unknown servers or websites.
Protecting an SSL server – This uses a server certificate and is typically applied to inbound policies.