We have a website hosted behind a WAF (FortiWeb) and a firewall (FortiGate). The WAF already has the server's valid SSL certificate from a public CA. Do we also need to install an SSL certificate on the firewall for inbound traffic to make it more secure? Will unscanned HTTPS traffic reaching the firewall first compromise the network?
-
I'm afraid you have misunderstood both how firewalls work and what SSL does. Firewalls operate at the TCP level and don't use certs. Also, HTTPS doesn't provide any protection against malicious payloads – Conor Mancone Jul 04 '20 at 01:53
-
@msalhi: Your setup is unclear to me. A WAF is typically used to protect a web server in the DMZ against access from outside. I'm not sure what you mean by "install SSL certificate on Firewall" - but if you refer to SSL interception for web surfing from inside the company, this is a completely different thing. It might help if you define your specific use case in more detail and with a less generic description. It might also be that this is actually a product-specific question which should be asked of the vendor's support instead. – Steffen Ullrich Jul 04 '20 at 06:17
-
@ConorMancone: "Firewalls operate at the TCP level and don't use certs." - "Firewall" is a very broad term, used for a variety of products with different capabilities. What you refer to is a simple packet filter. So-called Next Generation Firewalls (NGFW) do work at the application level, for example by doing Deep Packet Inspection. SSL interception is also often part of such firewall products. And Web Application Firewalls (WAF) are also called firewalls, also work at the application level and can include SSL termination. – Steffen Ullrich Jul 04 '20 at 06:21
-
@SteffenUllrich while true, most people still mean the classic packet filters when they talk about firewalls. Since a WAF is also in the mix it made it much more likely (IMO) that the firewall in question was the non-terminating, simple filter kind. – Conor Mancone Jul 04 '20 at 10:48
-
Although you are right: FortiGate is an NGFW – Conor Mancone Jul 04 '20 at 11:22
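The comments above turn on one point: a device that does not hold the server's certificate and private key never sees the HTTP request, only TLS record headers and the plaintext ClientHello (including the SNI hostname), while the device that terminates TLS (here the WAF) is the one that can inspect URLs, headers and bodies. The Python below is an added illustration of that, not code from the original question or comments and not anything from Fortinet. It constructs a minimal TLS ClientHello and an opaque Application Data record in stdlib-only code (the bytes are constructed samples, not captures from FortiGate or FortiWeb), then shows what an in-path device without the TLS keys can recover from each, compared with a plaintext HTTP segment such as the WAF-to-backend hop if that hop is not re-encrypted. The "FortiGate"/"FortiWeb" labels in the demo are just the hops named in the question.

```python
import struct

# TLS record content types and the handshake message / extension used below
HANDSHAKE, APPLICATION_DATA = 0x16, 0x17
CLIENT_HELLO, EXT_SERVER_NAME = 0x01, 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS ClientHello record carrying an SNI extension."""
    name = hostname.encode("ascii")
    # server_name extension body: list length, name_type 0 (host_name), name length, name
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)               # client_version, 32-byte random (zeros, sample only)
            + b"\x00"                             # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_application_data(payload: bytes) -> bytes:
    """Constructed sample: an Application Data record. On the wire the payload is AEAD
    ciphertext; here arbitrary bytes stand in for it, which is all a middlebox sees anyway."""
    return bytes([APPLICATION_DATA, 0x03, 0x03]) + struct.pack("!H", len(payload)) + payload


def extract_sni(record: bytes):
    """Return the SNI hostname from a ClientHello record, or None.
    Everything read here is plaintext, so no certificate or key is needed to read it."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    pos = 4 + 2 + 32                                   # handshake header, client_version, random
    pos += 1 + hs[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                 # compression_methods
    if pos + 2 > len(hs):
        return None                                    # no extensions at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hs))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        data = hs[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", errors="replace")
    return None


def describe_segment(data: bytes) -> dict:
    """What an in-path device that does NOT hold the TLS keys can learn from one segment."""
    if len(data) >= 5 and data[0] == HANDSHAKE and data[1] == 0x03:
        return {"kind": "tls_handshake", "sni": extract_sni(data), "request_line": None}
    if len(data) >= 5 and data[0] == APPLICATION_DATA and data[1] == 0x03:
        # Opaque without the session keys: no URL, header or body to run rules against.
        return {"kind": "tls_application_data", "sni": None, "request_line": None}
    first_line = data.split(b"\r\n", 1)[0]
    if first_line.endswith((b"HTTP/1.1", b"HTTP/1.0")):
        return {"kind": "plaintext_http", "sni": None,
                "request_line": first_line.decode("ascii", errors="replace")}
    return {"kind": "unknown", "sni": None, "request_line": None}


if __name__ == "__main__":
    # Constructed traffic for the three hops in the question's topology.
    hello = build_client_hello("www.example.com")
    opaque = build_application_data(bytes(range(64)))
    plain = b"GET /login?user=admin'-- HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    for label, seg in [("Internet -> FortiGate (ClientHello)", hello),
                       ("Internet -> FortiGate (request, still encrypted)", opaque),
                       ("FortiWeb -> web server (if not re-encrypted)", plain)]:
        print(f"{label}: {describe_segment(seg)}")
```

To see which device actually terminates TLS in a real deployment, connect from outside with `openssl s_client -connect <public-host>:443 -servername <public-host>` and look at the certificate chain returned; if it is the public-CA certificate installed on the WAF, then every device in front of it (the FortiGate included) is seeing records like the first two above, and only the WAF sees something like the third.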