Load balancing

This chapter describes new load balancing features added to FortiOS 5.4.

Separate virtual-server client and server TLS version and cipher configuration (308040)

In previous versions of FortiOS you could configure the minimum and maximum SSL/TLS versions that a virtual server would accept. Those versions primarily applied to the client-to-FortiGate connection, but they were also applied to the FortiGate-to-server connection. In some cases you may want to use different versions of SSL or TLS on the client-to-FortiGate connection than on the FortiGate-to-server connection. For example, you may want to use the FortiGate to protect a legacy SSL 3.0 or TLS 1.0 server while making sure that client-to-FortiGate connections always use the higher level of protection offered by TLS 1.1 or greater.

Similarly, in previous versions of FortiOS you could control the cipher suites that the FortiGate uses to negotiate with the client and with the server, but the same setting applied to both the client and the server connection. In some cases you might want to protect a server that only supports weak ciphers (for example, DES or RC4) while making sure that all connections between the FortiGate and the client use a strong cipher for better protection.

The following new options are available when configuring server load balancing for HTTPS sessions, which is set up with the following command:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        ...

Different SSL/TLS versions for server and client connections

The new ssl-server-min-version and ssl-server-max-version configuration options allow the minimum and maximum SSL/TLS versions for the FortiGate-to-server connection to be set independently of the client-to-FortiGate connection. By default these options are both set to client, and the configured ssl-min-version and ssl-max-version settings are applied to both the client and the server connection.

You can change ssl-server-min-version and ssl-server-max-version to apply different versions to the server connection; the ssl-min-version and ssl-max-version settings are still applied to the client connection. If you set either ssl-server-min-version or ssl-server-max-version to an explicit version, both must be set to an explicit version.

The ssl-server-min-version and ssl-server-max-version options specify the minimum and maximum SSL/TLS versions the FortiGate offers to the server (in the record header of the ClientHello) when performing full mode SSL offloading, and thus the minimum and maximum SSL/TLS versions the FortiGate accepts from the server (in the ServerHello). If the server responds with a version in its ServerHello that is lower than ssl-server-min-version or higher than ssl-server-max-version, the FortiGate terminates the connection.

Command syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-server-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
        set ssl-server-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
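The following is an added example, not FortiOS code, that models how the version settings above combine: the client keyword on ssl-server-min-version and ssl-server-max-version reuses the client-side ssl-min-version and ssl-max-version, an explicit pair defines a separate window for the FortiGate-to-server leg, and a ServerHello version outside that window is the case in which the connection is terminated. The class name and function names are this example's own, and the legacy-server scenario at the bottom is constructed from the text.

```python
# Added example, not FortiOS code: a model of how the version settings above
# combine. The 'client' keyword on ssl-server-min/max-version means "reuse the
# client-side ssl-min/max-version"; anything else defines a separate window for
# the FortiGate-to-server leg, and a ServerHello outside that window is rejected.
from dataclasses import dataclass

# Keyword order as listed in the CLI; list position gives the ordering.
VERSIONS = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]


@dataclass
class VipSslVersions:
    """The four version settings from 'config firewall vip' (defaults per the document)."""
    ssl_min_version: str = "tls-1.0"
    ssl_max_version: str = "tls-1.2"
    ssl_server_min_version: str = "client"
    ssl_server_max_version: str = "client"


def _rank(version: str) -> int:
    if version not in VERSIONS:
        raise ValueError(f"not an SSL/TLS version keyword: {version!r}")
    return VERSIONS.index(version)


def effective_server_range(cfg: VipSslVersions) -> tuple:
    """(min, max) the FortiGate offers to, and accepts from, the back-end server."""
    smin, smax = cfg.ssl_server_min_version, cfg.ssl_server_max_version
    # Rule from the document: both stay 'client' or both are explicit versions.
    if (smin == "client") != (smax == "client"):
        raise ValueError("ssl-server-min-version and ssl-server-max-version "
                         "must both be 'client' or both be explicit versions")
    if smin == "client":
        smin, smax = cfg.ssl_min_version, cfg.ssl_max_version
    if _rank(smin) > _rank(smax):
        raise ValueError(f"minimum {smin} is above maximum {smax}")
    return smin, smax


def accept_server_hello(cfg: VipSslVersions, server_hello_version: str) -> bool:
    """True if the ServerHello version is inside the server-side window.

    A False result is the case where the FortiGate terminates the connection
    instead of completing the handshake with the server.
    """
    low, high = effective_server_range(cfg)
    return _rank(low) <= _rank(server_hello_version) <= _rank(high)


if __name__ == "__main__":
    # Constructed scenario from the text: protect a legacy TLS 1.0 server while
    # requiring TLS 1.1 or better from clients.
    legacy = VipSslVersions(ssl_min_version="tls-1.1", ssl_max_version="tls-1.2",
                            ssl_server_min_version="tls-1.0",
                            ssl_server_max_version="tls-1.0")
    print("server window:", effective_server_range(legacy))
    for v in VERSIONS:
        verdict = "accept" if accept_server_hello(legacy, v) else "terminate"
        print(f"ServerHello {v}: {verdict}")
```

With the defaults the server window is simply the client window; the legacy scenario accepts only a TLS 1.0 ServerHello from the server while clients must still negotiate TLS 1.1 or TLS 1.2 with the FortiGate. Setting only one of the two server-side options to an explicit version is rejected, matching the rule stated above.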

Different cipher choices for server and client connections

The new ssl-server-algorithm configuration option allows the cipher choice for the FortiGate-to-server connection to be independent of the client-to-FortiGate connection. By default, ssl-server-algorithm is set to client and the configured ssl-algorithm setting is applied to both the client and the server connection.

You can change the ssl-server-algorithm to apply different options to the server connection. The ssl-algorithm setting is still applied to the client connection.

The following ssl-server-algorithm options are available:

  • high, offer AES or 3DES cipher suites in the ServerHello
  • medium, offer AES, 3DES, or RC4 cipher suites in the ServerHello
  • low, offer AES, 3DES, RC4, or DES cipher suites in the ServerHello
  • custom, specify custom cipher suites using config ssl-server-cipher-suites and offer these custom cipher suites in the ServerHello
  • client, offer the cipher suites in the ServerHello that were offered in the ClientHello

Command syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-algorithm {high | medium | low | custom}
        set ssl-server-algorithm {high | medium | low | custom | client}

If you set ssl-server-algorithm to custom, the syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-server-algorithm custom
        config ssl-server-cipher-suites
            edit 10
                set cipher <cipher-suite>
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
            next
            edit 20
                set cipher <cipher-suite>
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
            end
        end

Protection from downgrade attacks

The new ssl-client-fallback option, when enabled (the default configuration), performs downgrade attack prevention (RFC 7507).

Command syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-client-fallback {disable | enable}
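As an added example (not FortiOS code), the server-side rule that RFC 7507 defines and that ssl-client-fallback enables on the client-facing side of the virtual server: a client that retries a failed handshake at a lower protocol version includes the TLS_FALLBACK_SCSV value in its cipher suite list, and a server that supports a higher version than the one offered must refuse with an inappropriate_fallback alert, so a man-in-the-middle cannot force the downgrade. The function names are this example's own; the ClientHello fragment is a constructed sample.

```python
# Added example, not FortiOS code: the server-side rule from RFC 7507 that the
# ssl-client-fallback option turns on for the client-facing side of the VIP.
# A client retrying a failed handshake at a lower version adds TLS_FALLBACK_SCSV
# to its cipher suite list; a server that could have done better must refuse.

TLS_FALLBACK_SCSV = 0x5600  # signaling cipher suite value defined in RFC 7507

# ProtocolVersion bytes (major, minor) for the keywords the CLI uses.
WIRE_VERSION = {
    "ssl-3.0": (3, 0),
    "tls-1.0": (3, 1),
    "tls-1.1": (3, 2),
    "tls-1.2": (3, 3),
}


def parse_cipher_suites(vector: bytes) -> list:
    """Parse a ClientHello cipher_suites vector: 2-byte length, then 2-byte codes."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    length = int.from_bytes(vector[:2], "big")
    body = vector[2:2 + length]
    if len(body) != length or length % 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, length, 2)]


def check_fallback_scsv(client_version: str, cipher_suites: list,
                        server_max_version: str, fallback_protection: bool = True) -> str:
    """Decide what the server does with a ClientHello.

    Returns 'continue' or 'alert:inappropriate_fallback'. Per RFC 7507 section 3,
    if TLS_FALLBACK_SCSV is present and ClientHello.client_version is lower than
    the highest version the server supports, the handshake is aborted.
    """
    if not fallback_protection or TLS_FALLBACK_SCSV not in cipher_suites:
        return "continue"
    if WIRE_VERSION[client_version] < WIRE_VERSION[server_max_version]:
        return "alert:inappropriate_fallback"
    return "continue"


if __name__ == "__main__":
    # Constructed ClientHello fragment: three suites, the last one is the SCSV.
    retry_suites = parse_cipher_suites(bytes.fromhex("0006 c02f 009c 5600"))
    # VIP configured with ssl-max-version tls-1.2; client retrying at TLS 1.0.
    print(check_fallback_scsv("tls-1.0", retry_suites, "tls-1.2"))  # alert
    print(check_fallback_scsv("tls-1.2", retry_suites, "tls-1.2"))  # continue
```

Note that the check is relative to the highest version the server side supports: if ssl-max-version were tls-1.0, a TLS 1.0 retry carrying the SCSV is a legitimate connection and proceeds. Disabling ssl-client-fallback corresponds to fallback_protection=False, where the SCSV is simply ignored.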

Allow 3072- and 4096-bit Diffie-Hellman values

New settings have been added to the ssl-dh-bits option to allow 3072- and 4096-bit DH values.

Command syntax is:

config firewall vip
    edit server-name
        set type server-load-balance
        set server-type https
        set ssl-dh-bits {768 | 1024 | 1536 | 2048 | 3072 | 4096}

The reason for adding these larger sizes is that the previous largest value of 2048 only provides the equivalent of a symmetric cipher in the range of 112 - 128 bits. This means that if AES 256 is used, the weakest point is the 2048-bit DH, and a value of at least 3072 should be used if the goal is to have 256 bits of security.

FortiGate models with CP9 processors support 3072 and 4096 DH bit sizes in hardware. All FortiGate models up to and including those with CP8 processors only support offloading DH bit sizes up to 2048, so any sizes larger than that are handled in software and are therefore relatively resource intensive.

ChaCha20 and Poly1305 cipher suites added for SSL load balancing (264785)

FortiOS 5.4 adds support for ChaCha20 and Poly1305 for SSL load balancing (see RFC 7539 for information about ChaCha20 and Poly1305). You can use the following command to view the complete list of supported cipher suites:

config firewall vip
    edit <vip-name>
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 0
                set cipher ?

In most configurations the matching cipher suite is automatically selected.

All of these cipher suites are available to all of FortiOS's implementations of SSL but the complete list of supported cipher suites is only viewable using the above command.

You can also use the above command to limit the set of cipher suites that are available for a given SSL offloading configuration. For example, use the following command to limit an SSL load balancing configuration to use the three cipher suites that support ChaCha20 and Poly1305:

config firewall vip
    edit <vip-name>
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 2
                set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 3
                set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
            end
        end

TLS 1.2 support for SSL offloading (241817)

You can use the following command to configure SSL offloading to support TLS 1.2:

config firewall vip
    edit <name>
        set type server-load-balance
        set server-type https
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
        ...

The default ssl-min-version is tls-1.0 and the default ssl-max-version is tls-1.2.

The following AES-GCM TLS 1.2-only cipher suites have also been added. These cipher suites are not supported by the CPx or NPx processors, so if you select one of these, all processing is done without hardware acceleration.

  • TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
  • TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
  • TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
  • TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
  • TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
  • TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
  • TLS-RSA-WITH-AES-128-GCM-SHA256
  • TLS-RSA-WITH-AES-256-GCM-SHA384

Note: TLS 1.2 support does not require setting ssl-algorithm to custom and configuring a custom cipher suite.

You can use the following command to select one of these cipher suites:

config firewall vip
    edit <name>
        set type server-load-balance
        set server-type https
        set ssl-max-version tls-1.2
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 100
                set cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                ...
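The following added example (not FortiOS code) serves both the ssl-server-algorithm tier list earlier in this chapter and the TLS 1.2-only cipher suite material above. It parses FortiOS-style cipher suite names into key exchange, authentication, bulk cipher and hash, reports the lowest high/medium/low tier that still offers a suite (high = AES or 3DES, medium adds RC4, low adds DES, as defined in this chapter), and flags suites that exist only in TLS 1.2 when they are paired with an ssl-max-version below tls-1.2, since such a custom list would never match. The regular expression, function names and the sample custom list are this example's own; the document does not place ChaCha20-Poly1305 in a tier, so treating it as high-grade is an assumption marked in the code.

```python
# Added example, not FortiOS code: a parser for FortiOS-style cipher suite
# names with two checks derived from this document: the lowest ssl-algorithm /
# ssl-server-algorithm tier that still offers a suite (high = AES or 3DES,
# medium adds RC4, low adds DES), and whether a suite exists only in TLS 1.2
# and therefore needs ssl-max-version tls-1.2 in a custom cipher list.
import re
from dataclasses import dataclass

VERSIONS = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]

# TLS-<kx>[-<auth>]-WITH-<bulk cipher>-<hash>; RSA-only names mean RSA does both.
NAME_RE = re.compile(
    r"^TLS-(?P<kx>ECDHE|DHE|RSA|ECDH|DH)"
    r"(?:-(?P<auth>RSA|ECDSA|DSS))?"
    r"-WITH-(?P<cipher>.+?)-(?P<hash>SHA256|SHA384|SHA|MD5)$"
)


@dataclass
class Suite:
    name: str
    key_exchange: str
    authentication: str
    bulk_cipher: str   # e.g. AES-128-GCM, 3DES-EDE-CBC, RC4-128, CHACHA20-POLY1305
    hash_alg: str      # HMAC hash for CBC suites; PRF hash for AEAD (GCM/ChaCha20) suites


def parse_suite(name: str) -> Suite:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, auth = m.group("kx"), m.group("auth") or m.group("kx")
    return Suite(name, kx, auth, m.group("cipher"), m.group("hash"))


def minimum_algorithm_tier(suite: Suite) -> str:
    """Lowest tier whose ServerHello offer includes this bulk cipher."""
    c = suite.bulk_cipher
    if c.startswith("AES") or c.startswith("3DES"):
        return "high"
    if c.startswith("CHACHA20"):
        return "high"   # ASSUMPTION: the document does not place ChaCha20 in a tier
    if c.startswith("RC4"):
        return "medium"
    if c.startswith("DES"):
        return "low"
    return "custom"     # only reachable through an explicit custom list


def requires_tls12(suite: Suite) -> bool:
    """AEAD suites (GCM, ChaCha20-Poly1305) and SHA-256/384 suites exist only in TLS 1.2."""
    aead = "GCM" in suite.bulk_cipher or suite.bulk_cipher.startswith("CHACHA20")
    return aead or suite.hash_alg in ("SHA256", "SHA384")


def lint_custom_suites(names: list, ssl_max_version: str) -> list:
    """Return (suite, finding) pairs for a custom list paired with a given ssl-max-version."""
    findings = []
    for name in names:
        s = parse_suite(name)
        if requires_tls12(s) and VERSIONS.index(ssl_max_version) < VERSIONS.index("tls-1.2"):
            findings.append((name, f"TLS 1.2-only suite but ssl-max-version is {ssl_max_version}"))
        if "GCM" in s.bulk_cipher:
            findings.append((name, "AES-GCM is not offloaded to CPx/NPx; handled in software"))
    return findings


if __name__ == "__main__":
    # Constructed custom list: two suites named in this document plus a 3DES suite.
    custom = [
        "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
        "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
        "TLS-RSA-WITH-3DES-EDE-CBC-SHA",
    ]
    for name in custom:
        s = parse_suite(name)
        print(f"{name}: tier>={minimum_algorithm_tier(s)} tls1.2-only={requires_tls12(s)}")
    for name, finding in lint_custom_suites(custom, "tls-1.1"):
        print("finding:", name, "-", finding)
```

Running the lint with ssl-max-version tls-1.1 against that list reports the ChaCha20 and AES-GCM entries as unusable and the AES-GCM entry as software-only; the same list with ssl-max-version tls-1.2 (the default) only carries the hardware-acceleration finding.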