Load balancing
This chapter describes new load balancing features added to FortiOS 5.4.
Separate virtual-server client and server TLS version and cipher configuration (308040)
In previous versions of FortiOS you could configure the minimum and maximum SSL/TLS versions that a virtual server would accept. Those versions primarily applied to the client to FortiGate connection, but they were also applied to the FortiGate to server connection. In some cases you may want to use different SSL/TLS versions on the client to FortiGate connection than on the FortiGate to server connection. For example, you may want to use the FortiGate to protect a legacy SSL 3.0 or TLS 1.0 server while ensuring that client to FortiGate connections always use the higher level of protection offered by TLS 1.1 or greater.
Similarly, in previous versions of FortiOS you could control the cipher suites that the FortiGate uses to negotiate with the client and with the server, but the same configuration applied to both the client and the server connections. In some cases you might want to protect a server that only supports weak ciphers (for example, DES or RC4) while making sure that all connections between the FortiGate and the client use a strong cipher for better protection.
The following new options are available when configuring server load balancing for HTTPS sessions, which is set up with the following command:
config firewall vip
edit server-name
set type server-load-balance
set server-type https
set ssl-mode full
...
Different SSL/TLS versions for server and client connections
The new ssl-server-min-version and ssl-server-max-version configuration options allow the minimum and maximum SSL/TLS versions for the FortiGate to server connection to be set independently of the client to FortiGate connection. By default these options are both set to client, and the configured ssl-min-version and ssl-max-version settings are applied to both the client and the server connection.
You can change ssl-server-min-version and ssl-server-max-version to apply different options to the server connection. The ssl-min-version and ssl-max-version settings are still applied to the client connection. If you set either ssl-server-min-version or ssl-server-max-version to an explicit version, then both must be set to an explicit version.
The ssl-server-min-version and ssl-server-max-version options specify the minimum and maximum SSL/TLS versions the FortiGate offers to the server (in the record header of the ClientHello) when performing full mode SSL offloading, and thus the minimum and maximum SSL/TLS versions the FortiGate accepts from the server (in a ServerHello). If the server responds with a version in its ServerHello that is lower than ssl-server-min-version or higher than ssl-server-max-version, the FortiGate terminates the connection.
Command syntax is:
config firewall vip
edit server-name
set type server-load-balance
set server-type https
set ssl-mode full
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-server-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
set ssl-server-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}
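The following Python is an added illustration, not FortiOS code: it models the server-side version check described above by resolving the effective range from the four CLI settings (client meaning "inherit the client-side values", and the two ssl-server-* options having to be set together) and then testing the version a backend returns in its ServerHello against that range. The configuration dictionary and the ServerHello bytes are constructed for the example.

```python
import struct

# FortiOS version option names mapped to TLS wire versions (major, minor).
VERSIONS = {"ssl-3.0": (3, 0), "tls-1.0": (3, 1), "tls-1.1": (3, 2), "tls-1.2": (3, 3)}
WIRE_TO_NAME = {wire: name for name, wire in VERSIONS.items()}

def resolve_server_range(cfg):
    """(min, max) option names for the FortiGate-to-server leg. The two
    ssl-server-* options default to "client" (inherit ssl-min/max-version);
    if one is an explicit version the other must be explicit too."""
    smin = cfg.get("ssl-server-min-version", "client")
    smax = cfg.get("ssl-server-max-version", "client")
    if (smin == "client") != (smax == "client"):
        raise ValueError("ssl-server-min-version and ssl-server-max-version "
                         "must both be explicit or both be 'client'")
    if smin == "client":
        return cfg["ssl-min-version"], cfg["ssl-max-version"]
    return smin, smax

def server_hello_version(record):
    """Version name the server selected. Layout: record header type(1)
    version(2) length(2); handshake header type(1) length(3); then the
    handshake body, which starts with server_version(2)."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello record")
    major, minor = struct.unpack("!BB", record[9:11])
    return WIRE_TO_NAME.get((major, minor), "unknown")

def accept_server_hello(cfg, record):
    """True if the selected version lies in the configured range; False means
    the FortiGate would terminate the connection to the server."""
    lo, hi = resolve_server_range(cfg)
    chosen = server_hello_version(record)
    return chosen in VERSIONS and VERSIONS[lo] <= VERSIONS[chosen] <= VERSIONS[hi]

def make_server_hello(major, minor):
    """Constructed minimal ServerHello: headers, version and a zero random."""
    body = bytes([major, minor]) + b"\x00" * 32
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake

# Constructed configuration for the use case above: TLS 1.1+ toward clients,
# SSL 3.0 to TLS 1.0 toward a legacy server.
LEGACY_BACKEND = {"ssl-min-version": "tls-1.1", "ssl-max-version": "tls-1.2",
                  "ssl-server-min-version": "ssl-3.0", "ssl-server-max-version": "tls-1.0"}

if __name__ == "__main__":
    print(accept_server_hello(LEGACY_BACKEND, make_server_hello(3, 1)))  # True
    print(accept_server_hello(LEGACY_BACKEND, make_server_hello(3, 3)))  # False
```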
Different cipher choices for server and client connections
The new ssl-server-algorithm configuration option allows the cipher choice for the FortiGate to server connection to be independent of the client to FortiGate connection. By default, ssl-server-algorithm is set to client, and the configured ssl-algorithm setting is applied to both the client and the server connection.
You can change ssl-server-algorithm to apply different options to the server connection. The ssl-algorithm setting is still applied to the client connection.
The following ssl-server-algorithm options are available:
high: offer AES or 3DES cipher suites in the ServerHello.
medium: use AES, 3DES, or RC4 cipher suites in the ServerHello.
low: use AES, 3DES, RC4, or DES cipher suites in the ServerHello.
custom: specify custom cipher suites using config ssl-server-cipher-suites and offer these custom cipher suites in the ServerHello.
client: offer the cipher suites in the ServerHello that are offered in the ClientHello.
Command syntax is:
config firewall vip
edit server-name
set type server-load-balance
set server-type https
set ssl-mode full
set ssl-algorithm {high | medium | low | custom}
set ssl-server-algorithm {high | medium | low | custom | client}
If you set ssl-server-algorithm to custom, the syntax is:
config firewall vip
edit server-name
set type server-load-balance
set server-type https
set ssl-mode full
set ssl-server-algorithm custom
config ssl-server-cipher-suites
edit 10
set cipher <cipher-suite>
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
next
edit 20
set cipher <cipher-suite>
set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
end
end
Protection from downgrade attacks
The new ssl-client-fallback option, when enabled (the default configuration), performs downgrade attack prevention (RFC 7507).
Command syntax is:
config firewall vip
edit server-name
set type server-load-balance
set server-type https
set ssl-client-fallback {disable | enable}
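As an added example that is not part of FortiOS, the following Python implements the server-side check that RFC 7507 specifies and that ssl-client-fallback enables: a client that had to retry at a lower protocol version includes the TLS_FALLBACK_SCSV signaling value (0x5600) in its cipher-suite list, and a server that supports a higher version than the one offered refuses the handshake with an inappropriate_fallback alert (code 86). The ClientHello bytes and the server_max parameter are constructed assumptions for the example.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600      # signaling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86     # alert description, RFC 7507 section 2

def parse_client_hello(record):
    """Return ((major, minor), [cipher suite values]) from a ClientHello.
    After the 5-byte record header and 4-byte handshake header the body is:
    client_version(2) random(32) session_id<1-byte len> cipher_suites<2-byte len>."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9
    version = struct.unpack("!BB", record[pos:pos + 2])
    pos += 2 + 32                      # skip client_version and random
    pos += 1 + record[pos]             # skip session_id
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return version, suites

def check_fallback(record, server_max=(3, 3), fallback_protection=True):
    """Server-side RFC 7507 check. Returns None to continue the handshake, or
    the alert description to send. server_max is the highest version this
    server supports (TLS 1.2 here); fallback_protection mirrors ssl-client-fallback."""
    version, suites = parse_client_hello(record)
    if fallback_protection and TLS_FALLBACK_SCSV in suites and version < server_max:
        # The client says it retried at a lower version, yet this server supports
        # a higher one: a genuine client would not have needed to fall back.
        return INAPPROPRIATE_FALLBACK
    return None

def make_client_hello(major, minor, suites):
    """Constructed minimal ClientHello with the given version and cipher suites."""
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

AES_GCM = 0xC02F   # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

if __name__ == "__main__":
    retried = make_client_hello(3, 1, [AES_GCM, TLS_FALLBACK_SCSV])   # TLS 1.0 after a fallback
    print(check_fallback(retried))                                    # 86: refuse the handshake
    print(check_fallback(make_client_hello(3, 1, [AES_GCM])))         # None: legacy client, no SCSV
```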
Allow 3072- and 4096-bit Diffie-Hellman values
New settings have been added to the ssl-dh-bits option to allow 3072- and 4096-bit DH values.
Command syntax is:
config firewall vip
edit server-name
set type server-load-balance
set server-type https
set ssl-dh-bits {768 | 1024 | 1536 | 2048 | 3072 | 4096}
The reason for adding these larger sizes is that the previous largest value of 2048 only provides the equivalent of a symmetric cipher in the range of 112 to 128 bits. This means that if AES 256 is used then the weakest point is the 2048-bit DH, and a value of at least 3072 should be used if the goal is to have 256 bits of security.
FortiGate models with CP9 processors support 3072- and 4096-bit DH sizes in hardware. All FortiGate models up to and including those with CP8 processors only support offloading DH bit sizes up to 2048, so any larger sizes are processed in software and are therefore relatively resource intensive.
ChaCha20 and Poly1305 cipher suites added for SSL load balancing (264785)
FortiOS 5.4 adds support for ChaCha20 and Poly1305 for SSL load balancing (see RFC 7539 for information about ChaCha20 and Poly1305). You can use the following command to view the complete list of supported cipher suites:
config firewall vip
edit <vip-name>
set type server-load-balance
set server-type https
set ssl-algorithm custom
config ssl-cipher-suites
edit 0
set cipher ?
In most configurations the matching cipher suite is automatically selected.
All of these cipher suites are available to all of the SSL implementations in FortiOS, but the complete list of supported cipher suites can only be viewed using the above command.
You can also use the above command to limit the set of cipher suites that are available for a given SSL offloading configuration. For example, use the following command to limit an SSL load balancing configuration to the three cipher suites that use ChaCha20 and Poly1305:
config firewall vip
edit <vip-name>
set type server-load-balance
set server-type https
set ssl-algorithm custom
config ssl-cipher-suites
edit 1
set cipher TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
next
edit 2
set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
next
edit 3
set cipher TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
end
end
TLS 1.2 support for SSL offloading (241817)
You can use the following command to configure SSL offloading to support TLS 1.2:
config firewall vip
edit <name>
set type server-load-balance
set server-type https
set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}
...
The default ssl-min-version is tls-1.0 and the default ssl-max-version is tls-1.2.
Note that TLS 1.2 support does not require setting ssl-algorithm to custom and configuring a custom cipher suite.
The following AES-GCM TLS 1.2-only cipher suites have also been added. These cipher suites are not supported by the CPx or NPx processors, so if you select one of these, all processing is done without hardware acceleration.
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
You can use the following command to select one of these cipher suites:
config firewall vip
edit <name>
set type server-load-balance
set server-type https
set ssl-max-version tls-1.2
set ssl-algorithm custom
config ssl-cipher-suites
edit 100
set cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
...