SSL/TLS load balancing

In a firewall load balancing virtual server configuration, you can select SSL to load balance only SSL and TLS sessions. The virtual server load balances SSL and TLS sessions received at the virtual server interface whose destination IP address matches the configured virtual server IP and whose destination port number matches the configured virtual server port. Change this port to match the destination port of the sessions to be load balanced.

For SSL load balancing you can also set persistence to SSL session ID. Persistence is achieved by the FortiGate unit sending all sessions with the same SSL session ID to the same real server. When you configure persistence, the FortiGate unit load balances a new session to a real server according to the Load Balance Method. If the session has an SSL session ID, the FortiGate unit sends all subsequent sessions with the same SSL session ID to the same real server.
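The persistence behaviour described above, as an added example that models it in Python; this is not FortiOS code. It reads the session_id field of a TLS ClientHello (the value the FortiGate keys persistence on), balances new sessions round-robin across the two real servers from the CLI example later on this page, and pins resumed sessions to the server first chosen. The ClientHello builder, pool and session IDs are constructed for the demo.

```python
from itertools import cycle

# Constructed real-server pool, mirroring the two realservers in the page's CLI example.
REAL_SERVERS = ["10.31.101.30", "10.31.101.40"]

def client_hello_session_id(record: bytes) -> bytes:
    """Extract session_id from a TLS ClientHello record (b"" when the client sends none).

    Offsets: record header 5 (type 0x16, version, length) + handshake header 4
    (type 0x01, 24-bit length) + client_version 2 + random 32, then a 1-byte
    session_id_length followed by the session_id itself.
    """
    sid_len_off = 5 + 4 + 2 + 32
    if len(record) <= sid_len_off or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    sid_len = record[sid_len_off]
    sid = record[sid_len_off + 1:sid_len_off + 1 + sid_len]
    if sid_len > 32 or len(sid) != sid_len:
        raise ValueError("malformed session_id")
    return sid

def make_client_hello(session_id: bytes) -> bytes:
    """Constructed ClientHello carrying just the fields the parser above reads."""
    body = b"\x03\x01" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

class SslSessionIdBalancer:
    """Models 'set ldb-method round-robin' with 'set persistence ssl-session-id'."""
    def __init__(self, servers):
        self._rr = cycle(servers)   # the Load Balance Method used for new sessions
        self._sticky = {}           # session_id -> real server chosen for it

    def pick(self, client_hello: bytes) -> str:
        sid = client_hello_session_id(client_hello)
        if sid and sid in self._sticky:      # resumption: stay on the same real server
            return self._sticky[sid]
        server = next(self._rr)              # new session: balance by the method
        if sid:                              # remember the ID for later sessions
            self._sticky[sid] = server
        return server

def demo_persistence():
    lb = SslSessionIdBalancer(REAL_SERVERS)
    first = lb.pick(make_client_hello(b"\xaa" * 32))    # new -> 10.31.101.30
    second = lb.pick(make_client_hello(b"\xbb" * 32))   # new -> 10.31.101.40
    resumed = lb.pick(make_client_hello(b"\xaa" * 32))  # sticks -> 10.31.101.30
    no_sid = lb.pick(make_client_hello(b""))            # empty ID -> next round-robin slot
    return first, second, resumed, no_sid
```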

SSL offloading

Use SSL offloading to accelerate clients’ SSL or HTTPS connections to real servers by using the FortiGate unit to perform SSL operations (offloading them from the real servers using the FortiGate unit’s SSL acceleration hardware). FortiGate units can offload SSL 3.0 and TLS 1.0. SSL offloading is available on FortiGate units that support SSL acceleration.

To configure SSL offloading from the web-based manager go to Policy & Objects > Virtual Servers. Add a virtual server and set the type to HTTPS or SSL and select the SSL offloading type (Client <-> FortiGate or Client <-> FortiGate <-> Server).

Select Client <-> FortiGate to apply hardware accelerated SSL processing only to the part of the connection between the client and the FortiGate unit. This mode is called half mode SSL offloading. The segment between the FortiGate unit and the server will use clear text communications. This results in best performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.

Select Client <-> FortiGate <-> Server to apply hardware accelerated SSL processing to both parts of the connection: the segment between the client and the FortiGate unit, and the segment between the FortiGate unit and the server. This mode is called full mode SSL offloading. The segment between the FortiGate unit and the server will use encrypted communications, but the handshakes will be abbreviated. This results in lower performance than the other option, but still improved over communications without SSL acceleration, and it can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration.

Figure: SSL offloading modes. Two panels, Client <-> FortiGate (half-mode) and Client <-> FortiGate <-> Server (full-mode), showing the client, the FortiGate unit with its SSL accelerator, a NAT router and the web server cluster.
Configuring SSL offloading also requires selecting a certificate to use for the SSL offloading sessions. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.

The following CLI command shows an example half mode HTTPS SSL offloading configuration. In the example the ssl-mode option sets the SSL offload mode to half (which is the default mode).

config firewall vip
    edit Vserver-ssl-offload
        set type server-load-balance
        set server-type https
        set ldb-method round-robin
        set extip 172.20.120.30
        set extintf wan1
        set extport 443
        set persistence ssl-session-id
        set ssl-mode half
        set ssl-certificate my-cert
        set monitor tcp-mon-1
        config realservers
            edit 1
                set ip 10.31.101.30
                set port 443
            next
            edit 2
                set ip 10.31.101.40
                set port 443
            next
        end
    next
end

Additional SSL load balancing options

The following SSL load balancing and SSL offloading options are only available from the CLI:

ssl-client-session-state-max <sessionstates_int>

Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit.

ssl-client-session-state-timeout <timeout_int>

Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit.

ssl-client-session-state-type {both | count | disable | time}

Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate unit.

  • both: Select to expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
  • count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
  • disable: Select to keep no SSL session states.
  • time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.

ssl-dh-bits <bits_int>

Enter the number of bits of the prime number used in the Diffie-Hellman exchange for RSA encryption of the SSL connection. Larger prime numbers are associated with greater cryptographic strength.

ssl-http-location-conversion {enable | disable}

Select to replace http with https in the reply’s Location HTTP header field. For example, in the reply, Location: http://example.com/ would be converted to Location: https://example.com/

ssl-http-match-host {enable | disable}

Select to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field, or, if the Host field does not exist, the host name portion of the request’s URI. If disabled, conversion occurs regardless of whether the host names in the request and the reply match.

For example, if host matching is enabled, and a request contains Host: example.com and the reply contains Location: http://example.cc/, the Location field does not match the host of the original request and the reply’s Location field remains unchanged. If the reply contains  Location: http://example.com/, however, then the FortiGate unit detects the matching host name and converts the reply field to Location: https://example.com/.

This option appears only if ssl-http-location-conversion is set to enable.
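The Location conversion and host-matching rules above, as an added example in Python that is not FortiOS code. It rewrites an http:// Location header to https:// on one reply, compares the host name against the request’s Host field (or the request URI’s host when there is no Host field) when matching is enabled, and reproduces the example.com / example.cc cases from the text; the function name and header dictionaries are constructed for the demo.

```python
from urllib.parse import urlsplit, urlunsplit

def convert_location(request_headers: dict, request_uri: str, reply_headers: dict,
                     location_conversion: bool = True, match_host: bool = True) -> dict:
    """Models ssl-http-location-conversion and ssl-http-match-host on a single reply.

    Returns a copy of reply_headers whose Location field is rewritten from
    http:// to https:// when the two options allow it.
    """
    out = dict(reply_headers)
    location = out.get("Location")
    if not location_conversion or not location:
        return out                       # conversion disabled or no Location header
    target = urlsplit(location)
    if target.scheme.lower() != "http":
        return out                       # only http -> https is converted
    if match_host:
        # Host name to compare against: the request's Host field, or the host
        # part of the request URI when the Host field does not exist.
        expected = request_headers.get("Host") or urlsplit(request_uri).hostname
        if expected is None or target.hostname != expected.split(":")[0].lower():
            return out                   # host names differ: Location stays unchanged
    out["Location"] = urlunsplit(("https",) + tuple(target[1:]))
    return out

def demo_location():
    req = {"Host": "example.com"}
    same = convert_location(req, "/login", {"Location": "http://example.com/"})["Location"]
    # same -> "https://example.com/" (host matches, converted)
    other = convert_location(req, "/login", {"Location": "http://example.cc/"})["Location"]
    # other -> "http://example.cc/" (host differs, left unchanged)
    no_match = convert_location(req, "/login", {"Location": "http://example.cc/"},
                                match_host=False)["Location"]
    # no_match -> "https://example.cc/" (matching disabled, converted regardless)
    from_uri = convert_location({}, "http://example.com/login",
                                {"Location": "http://example.com/a"})["Location"]
    # from_uri -> "https://example.com/a" (no Host field, request URI host used)
    return same, other, no_match, from_uri
```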

ssl-max-version {ssl-3.0 | tls-1.0}

Enter the maximum version of SSL/TLS to accept in negotiation.

ssl-min-version {ssl-3.0 | tls-1.0}

Enter the minimum version of SSL/TLS to accept in negotiation.

ssl-send-empty-frags {enable | disable}

Select to precede the record with empty fragments to thwart attacks on CBC IV. You might disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments.

ssl-server-session-state-max <sessionstates_int>

Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit.

ssl-server-session-state-timeout <timeout_int>

Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate unit. This option appears only if ssl-mode is full.

ssl-server-session-state-type {both | count | disable | time}

Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate unit. This option appears only if ssl-mode is full.

  • both: Select to expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
  • count: Select to expire SSL session states when ssl-server-session-state-max is exceeded.
  • disable: Select to keep no SSL session states.
  • time: Select to expire SSL session states when ssl-server-session-state-timeout is exceeded.
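The four expiry types share the same semantics on the client-side and server-side options, so one added example covers both sets: a Python model (not FortiOS code) of a session-state store driven by the -max, -timeout and -type values, showing which states survive under both, time and disable. Session IDs, state values and the time stamps are constructed for the demo.

```python
from collections import OrderedDict

class SslSessionStateCache:
    """Models ssl-{client,server}-session-state-max / -timeout (minutes) / -type.

    mode is one of the ssl-...-session-state-type values: both | count | disable | time.
    """
    def __init__(self, max_states: int, timeout_min: int, mode: str):
        if mode not in ("both", "count", "disable", "time"):
            raise ValueError("unknown session-state type: %s" % mode)
        self.max_states, self.timeout, self.mode = max_states, timeout_min * 60, mode
        self._states = OrderedDict()        # session_id -> (stored_at, state), oldest first

    def store(self, session_id: bytes, state, now: float) -> None:
        if self.mode == "disable":          # disable: keep no session states at all
            return
        self._expire_by_time(now)
        self._states[session_id] = (now, state)
        self._states.move_to_end(session_id)
        if self.mode in ("both", "count"):  # -max exceeded: drop the oldest states
            while len(self._states) > self.max_states:
                self._states.popitem(last=False)

    def lookup(self, session_id: bytes, now: float):
        self._expire_by_time(now)
        entry = self._states.get(session_id)
        return entry[1] if entry else None

    def _expire_by_time(self, now: float) -> None:
        if self.mode in ("both", "time"):   # -timeout exceeded: drop stale states
            for sid, (stored_at, _) in list(self._states.items()):
                if now - stored_at > self.timeout:
                    del self._states[sid]

def demo_session_states():
    c = SslSessionStateCache(max_states=2, timeout_min=10, mode="both")
    c.store(b"s1", "A", now=0)
    c.store(b"s2", "B", now=60)
    c.store(b"s3", "C", now=120)                    # 3 states > max 2: s1 evicted
    count_hit = c.lookup(b"s2", now=180)            # "B"
    count_miss = c.lookup(b"s1", now=180)           # None
    time_miss = c.lookup(b"s3", now=120 + 11 * 60)  # 11 minutes later: None
    t = SslSessionStateCache(max_states=1, timeout_min=10, mode="time")
    t.store(b"s1", "A", now=0)
    t.store(b"s2", "B", now=60)                     # time mode ignores the count limit
    time_keep = t.lookup(b"s1", now=120)            # "A"
    d = SslSessionStateCache(max_states=10, timeout_min=10, mode="disable")
    d.store(b"s1", "A", now=0)
    return count_hit, count_miss, time_miss, time_keep, d.lookup(b"s1", now=0)
```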

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “SSL/TLS load balancing”

  1. phenod

    Hi Mike,

    We are very grateful for all this knowledge sharing. Appreciate!
    Please tell me on which mode of FGT can we activate LB?

    Proxy or flow based… I heard about this somewhere actually.
    Could you please advise!
    Thanks in advance.
