Chapter 1 What’s New for FortiOS 5.0 : WAN optimization and Web Caching : Turning on web caching and SSL offloading for HTTPS traffic
  
Turning on web caching and SSL offloading for HTTPS traffic
Web caching can cache the content of HTTPS traffic on TCP port 443. To do this, the FortiGate unit terminates the TLS session on behalf of the client, decrypts the traffic, extracts the content to be cached, and then re-encrypts the traffic and sends it on to its intended recipient. Technically this is the same position a man-in-the-middle attacker occupies: the FortiGate unit is a deliberate TLS interception point, so it must present a certificate to the client, and the client only accepts that certificate silently if the name on it matches the web site and it is issued by a CA the client trusts. You enable HTTPS web caching from the CLI in a security policy that accepts the traffic to be cached, using the webcache-https option:
config firewall policy
edit 0
.
.
.
set webcache enable
set webcache-https any
.
.
.
end
The any setting causes the FortiGate unit to re-encrypt the traffic with the FortiGate unit’s own certificate rather than the original web server certificate. This configuration causes certificate errors for HTTPS clients, because the name on the certificate presented by the FortiGate unit does not match the host name of the web site the client requested; browsers display a certificate warning for every cached site, and clients that perform strict certificate verification refuse the connection.
You can stop these errors from happening by configuring HTTPS web caching to use the web server’s own certificate, by setting webcache-https to ssl-server:
config firewall policy
edit 0
.
.
.
set webcache enable
set webcache-https ssl-server
.
.
.
end
The ssl-server option causes the FortiGate unit to re-encrypt the client-side traffic with the web server’s certificate, which you must first import into the FortiGate unit. Because the FortiGate unit completes the TLS handshake with the client as if it were the web server, the import must include the certificate’s private key, not only the public certificate. The imported certificate is then referenced from an SSL server configuration using the following command:
config wanopt ssl-server
edit example_server
set ip <Web-Server-IP>
set port 443
set ssl-mode { full | half }
set ssl-cert <Web-Server-Cert>
end
Where:
Web-Server-IP is the web server’s IP address.
Web-Server-Cert is the original web server certificate imported into the FortiGate unit.
The SSL server configuration also determines the port used for the HTTPS traffic and whether the SSL server operates in full or half mode. In full mode the FortiGate unit decrypts the client-side traffic and re-encrypts it before forwarding it to the web server, so both legs of the connection are encrypted. In half mode the FortiGate unit terminates SSL on the client side only and forwards clear-text HTTP to the web server; this removes all SSL processing from the web server, but the FortiGate-to-server leg is then unencrypted and should only cross a network segment you trust.
Using the SSL server configuration, web caching also supports SSL offloading, which uses the FortiGate unit’s FortiASIC SSL encryption/decryption engine to accelerate SSL performance.
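The difference between the any and ssl-server settings is exactly what a TLS client checks when it receives the certificate the FortiGate unit presents. The following shell script is an added example, not part of the FortiOS documentation or the FortiGate’s own code: it generates three local, hypothetical certificates with openssl (a stand-in public CA that plays the role of the client’s trust store; a certificate for www.example.com issued by that CA, standing in for the web server certificate you import for ssl-server mode; and a self-signed certificate named fortigate.example, standing in for the FortiGate unit’s own certificate used in any mode) and then runs the two checks a client performs, host name match and issuer trust, against each one. The host names, file names and the assumption that the FortiGate unit’s certificate is self-signed and named after the appliance are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not Fortinet's code): simulate what a browser sees behind a
# FortiGate doing HTTPS web caching in "webcache-https any" mode versus
# "webcache-https ssl-server" mode, and run the two checks a client performs:
# does the certificate name match the site, and does it chain to a trusted CA.
# All certificates are generated locally and are hypothetical stand-ins.

WORK=$(mktemp -d)

# Stand-in for a public CA that the client trusts (the client's trust store).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Public CA" >/dev/null 2>&1

# Stand-in for the web server's own certificate, issued by that CA. This is the
# certificate (plus private key) you would import and name with "set ssl-cert".
openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=www.example.com" >/dev/null 2>&1
printf 'subjectAltName=DNS:www.example.com\n' > "$WORK/srv.ext"
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/srv.ext" -out "$WORK/srv.pem" >/dev/null 2>&1

# Stand-in for the FortiGate unit's own certificate, presented in "any" mode:
# assumed self-signed and named after the appliance, not after the site.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/fgt.key" -out "$WORK/fgt.pem" \
    -subj "/CN=fortigate.example" \
    -addext "subjectAltName=DNS:fortigate.example" >/dev/null 2>&1

# Check 1: does the certificate's name (SAN/CN) match the requested host?
# Usage: cert_matches_host CERT HOST ; returns 0 on match, 1 on mismatch.
cert_matches_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q "does match"
}

# Check 2: does the certificate chain to a CA in the client's trust store?
# Usage: cert_is_trusted CERT CAFILE ; returns 0 if trusted, 1 if not.
cert_is_trusted() {
    openssl verify -no-CAfile -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

# Combined verdict: 0 = client accepts silently, 1 = client warns or refuses.
# Usage: client_accepts CERT CAFILE HOST
client_accepts() {
    cert_matches_host "$1" "$3" && cert_is_trusted "$1" "$2"
}

CA_PEM="$WORK/ca.pem"            # the client's trust store
ANY_MODE_CERT="$WORK/fgt.pem"     # what the client sees with webcache-https any
SSL_SERVER_MODE_CERT="$WORK/srv.pem"  # what it sees with webcache-https ssl-server
SITE="www.example.com"

for mode in any ssl-server; do
    case $mode in
        any) cert=$ANY_MODE_CERT ;;
        ssl-server) cert=$SSL_SERVER_MODE_CERT ;;
    esac
    if client_accepts "$cert" "$CA_PEM" "$SITE"; then
        echo "webcache-https $mode: client accepts the certificate for $SITE"
    else
        echo "webcache-https $mode: client warns (name mismatch or untrusted issuer)"
    fi
done
```

The script needs OpenSSL 1.1.1 or later for the -addext option. To run the same two checks against a real deployment, capture the certificate a client actually receives through the FortiGate unit with openssl s_client -connect <site>:443 -servername <site> -showcerts and feed that certificate, together with the client’s real CA bundle, to cert_matches_host and cert_is_trusted.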