FortiGate Reverse Proxy for PRTG: Complete Configuration Guide with TLS 1.2 Setup

 Published by Guest Author
Last updated on December 15, 2025 • 11 minute read

Configuring a FortiGate reverse proxy for PRTG Network Monitor enables secure external access to your monitoring infrastructure while offloading SSL/TLS processing from your PRTG server. This comprehensive guide, written by IT Security Architect Florian Thiele with 10 years of FortiGate and PRTG experience, provides step-by-step configuration for implementing Fortinet FortiGate as a reverse proxy with TLS 1.2 security.

Using a Fortinet FortiGate as Reverse Proxy for PRTG: All the Config You Need

A while back, the Paessler blog published posts describing how to use a reverse proxy to load off utilization from a PRTG server. One of the posts covered general information of how to do it, while the other described how to do it with a KEMP LoadMaster. Here I'll explain how to do it with FortiGate firewalls.

Before starting, please read the following disclaimer, as this is about a sensitive part of your cybersecurity.

Please note: This is a guest article. I have carefully compiled this information and it is provided to the best of my knowledge. As the solution is not part of PRTG itself, it is not officially supported by Paessler or PRTG Technical Support. Yet, we wanted to share it with you as it might be of interest for many PRTG users.

You must also be aware that if you configure any of the parts incorrectly, you may leave yourself open to an intruder gaining access to anything configured within PRTG. This includes User ID's, passwords, IP names, etc. In other words: no warranties are expressed or implied. Paessler, its employees or partners cannot be held liable for any damages that you may incur as a result of employing a Reverse Proxy.

Fortinet's documentation is available from their website (http://docs.fortinet.com). There is also a handbook about FortiGate server load balancing: http://docs.fortinet.com/d/fortigate-server-load-balancing-56

Important: Only FortiGate FortiOS 5.4, 5.6 and above support TLS 1.2 in the load balancing feature. FortiOS 5.2, 5.0, 4.3 and lower only support TLS 1.1 and TLS 1.0. TLS 1.2 is strongly recommended.


Why Use FortiGate as a Reverse Proxy for PRTG?

Using FortiGate as a reverse proxy for PRTG Network Monitor offers several critical advantages for network monitoring infrastructure:

Security Benefits:

  • SSL/TLS Offloading: FortiGate handles encryption/decryption, reducing PRTG web server load
  • Centralized Certificate Management: Manage SSL certificates on FortiGate instead of individual servers
  • Advanced Threat Protection: FortiGate's security features protect PRTG from external threats and vulnerabilities
  • IP Whitelisting: Control access to PRTG through FortiGate firewall policy rules

Performance Advantages:

  • Load Distribution: Balance traffic across multiple PRTG web servers if needed
  • Connection Optimization: FortiGate's hardware acceleration improves response times
  • Bandwidth Management: Control and prioritize PRTG web interface traffic through SD-WAN policies

Operational Efficiency:

  • Single Point of Access: Simplify external PRTG access through one gateway
  • Unified Monitoring: Use PRTG's FortiGate sensors to monitor the reverse proxy itself via API

Step 1: Configure FortiGate Virtual Server for PRTG Reverse Proxy

Go to Policy & Objects > Virtual Servers and add a virtual server using the GUI:

[Figure: FortiGate_LoadBalancing_VirtualServer_PRTG_01-1, virtual server configuration in the GUI]

Create a new virtual server, select HTTPS as the "Type", enter the external IP address (extip) and TCP port, and select the certificate. The certificate has to be loaded in the FortiGate's certificate store (Go to System > Certificates).

Create a new Real Server (realservers), and enter the internal IP address and TCP port where your PRTG web server is listening.

Step 2: Implement FortiGate Security Hardening for Reverse Proxy

Go to the CLI of the FortiGate device using SSH, or use the web browser interface's CLI console widget.

[Figure: FortiGate_LoadBalancing_VirtualServer_PRTG_02-1, CLI console widget in the web interface]

There, enter the following config:

config firewall vip
edit vs_PRTG-webserver01 <-- Name of the chosen virtual server
set ssl-max-version tls-1.2 <-- Recommendation is to only allow TLS 1.2
set ssl-min-version tls-1.2 <-- Recommendation is to only allow TLS 1.2
set ssl-algorithm custom <-- Recommendation to harden the ciphers offered to clients (ssl-server-algorithm and ssl-server-cipher-suites only govern the FortiGate-to-real-server leg, which is plain HTTP in this setup)
config ssl-cipher-suites
edit 1
set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 <-- ECDSA suites require an ECDSA certificate; with an RSA certificate use the TLS-ECDHE-RSA-WITH-... equivalents
next
edit 2
set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
next
end
set ssl-dh-bits 2048 <-- Recommendation to use a minimum of 2048 bit for DH*
set ssl-client-renegotiation secure <-- Recommendation to allow only secure (RFC 5746) client renegotiation
set ssl-client-fallback enable <-- Recommendation to enable downgrade attack prevention (TLS_FALLBACK_SCSV, RFC 7507 https://tools.ietf.org/html/rfc7507)
next
end

*Note: Only FortiGate models with CP9 ASIC processors support 3072/4096 bit DH (Diffie-Hellman) keys in the hardware; other models have to use the FortiGate CPU. FortiGate models with CP8 ASIC processors support up to 2048 bit DH keys in the hardware. For more information about this, go here:

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-load-balancing/ldb-ssl-tls-diffie.htm

From FortiOS 5.6 and above, FortiGate offers HSTS, which should be enabled to enforce HTTPS and prevent MitM attacks. Inside the same virtual server context (config firewall vip, edit vs_PRTG-webserver01), HSTS can be activated as follows:

set ssl-hsts enable
set ssl-hsts-age 31536000
set ssl-hsts-include-subdomains enable

For more information about load balancing FortiGate devices, take a look at their documentation:

https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-load-balancing/ldb-ssl-tls-version.htm

Step 3: Check the Configuration

Check the configuration again as follows via CLI:

config firewall vip
edit vs_PRTG-webserver01
FortiGate1500D-HA01 (vs_PRTG-webserver01) # get
name : vs_PRTG-webserver01
id : 0
uuid : 123456ab-cdef-1234-4567-1234567890ab
comment : virtual server PRTG webserver
type : server-load-balance
src-filter :
extip : 192.168.0.1
extintf : WAN (wan1)
arp-reply : enable
server-type : https
nat-source-vip : disable
gratuitous-arp-interval: 0
srcintf-filter :
http-ip-header : disable
monitor :
color : 0
ldb-method : static
persistence : none
extport : 443
realservers:
== [ 1 ]
id: 1 ip: 172.30.0.171 port: 80 status: active holddown-interval: 300 max-connections: 0
http-multiplex : disable
ssl-mode : half
ssl-certificate : trusted-certificate-loaded-in-certificate-store
ssl-dh-bits : 2048
ssl-algorithm : custom
ssl-server-cipher-suites: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ssl-server-algorithm: client
ssl-pfs : allow
ssl-min-version : tls-1.2
ssl-max-version : tls-1.2
ssl-server-min-version: client
ssl-server-max-version: client
ssl-send-empty-frags: enable
ssl-client-fallback : enable
ssl-client-renegotiation: secure
ssl-client-session-state-type: both
ssl-client-session-state-timeout: 30
ssl-client-session-state-max: 1000
ssl-server-session-state-type: both
ssl-server-session-state-timeout: 60
ssl-server-session-state-max: 100
max-embryonic-connections: 1000

Step 4: Add a WAN1 to Internal Firewall Policy with the Virtual Server

Go to Policy & Objects > IPv4 Policy and, using the GUI, add a WAN1-to-internal security policy whose destination is the virtual server.

In this firewall policy, you can also apply UTM profiles (like Anti-Virus, Intrusion-Prevention, Application Control, etc.) to the load balanced sessions. This provides an additional layer of protection similar to a web application firewall.

config firewall policy
edit 0 <-- uses next free policy-id
set srcintf wan1
set srcaddr all
set dstintf internal
set dstaddr vs_PRTG-webserver01
set action accept
set schedule always
set service HTTP <-- service-port of real-server, not virtual server
set nat enable <-- only if necessary in your network setup
set utm-status enable
set profile-protocol-options default
set av-profile scan
set ips-profile high_security
end

This firewall policy configuration includes:

  • srcintf: Source interface (WAN1)
  • srcaddr: Source address objects
  • dstintf: Destination interface (internal network)
  • dstaddr: Destination address (the virtual server object created in Step 1)
  • UTM profiles for enhanced cybersecurity

Step 5: Test the Configuration

To check whether everything worked, you can use different public tools to verify your settings. One popular (and good) TLS-checking tool is the SSL Server Test from SSL Labs: https://www.ssllabs.com/ssltest/analyze.html
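For a check you can run from your own machine instead of a public scanner, here is an added example script (not part of the original article) that probes the virtual server's client-facing settings from Step 2: TLS 1.0 and 1.1 must be refused, TLS 1.2 must negotiate one of the two configured suites, and the HSTS header must carry the one-year max-age with includeSubDomains. It assumes openssl and curl are installed; the hostname prtg.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: external verification of the
# FortiGate virtual server's TLS settings and HSTS header. Assumes openssl and
# curl; the host passed on the command line is a placeholder for your extip/FQDN.
MIN_HSTS_AGE=31536000   # matches "set ssl-hsts-age 31536000" in the article

# Prints the cipher openssl negotiated (from its "New, TLSv1.2, Cipher is ..." line);
# prints nothing when the handshake failed ("Cipher is (NONE)").
parse_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is \([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# True only for the OpenSSL names of the two suites configured on the VIP.
cipher_allowed() {
    case "$1" in
        ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384) return 0 ;;
        *) return 1 ;;
    esac
}

# Validates a Strict-Transport-Security header value: max-age of at least one
# year and includeSubDomains present, as configured in the article.
hsts_ok() {
    age=$(printf '%s' "$1" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge "$MIN_HSTS_AGE" ] || return 1
    printf '%s' "$1" | grep -qi 'includeSubDomains'
}

# One handshake attempt: $1 host, $2 port, $3 openssl protocol flag (-tls1, -tls1_1, -tls1_2).
probe_tls() {
    parse_cipher "$(printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" "$3" 2>&1)"
}

run_checks() {   # $1 = host, $2 = port; returns 1 if any check fails
    rc=0
    for v in -tls1 -tls1_1; do     # must be refused because of ssl-min-version tls-1.2
        [ -z "$(probe_tls "$1" "$2" "$v")" ] && echo "OK   $v refused" || { echo "FAIL $v accepted"; rc=1; }
    done
    c=$(probe_tls "$1" "$2" -tls1_2)
    if [ -n "$c" ] && cipher_allowed "$c"; then echo "OK   TLS 1.2 with $c"; else echo "FAIL TLS 1.2 cipher '$c'"; rc=1; fi
    h=$(curl -sI "https://$1:$2/" | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p' | tr -d '\r')
    if hsts_ok "$h"; then echo "OK   HSTS: $h"; else echo "FAIL HSTS header: '$h'"; rc=1; fi
    return $rc
}

# Usage: sh check_prtg_proxy.sh prtg.example.com [443]   (hostname is a placeholder)
if [ -n "${1:-}" ]; then run_checks "$1" "${2:-443}"; fi
```

A FAIL on the TLS 1.2 line with an empty cipher usually means the certificate type does not match the configured suites (ECDSA suites with an RSA certificate).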

To make it even more secure, access to the PRTG web service can be limited to dedicated IP addresses or (dynamic) FQDNs by setting the source address of the firewall policy ("set srcaddr") to an address group instead of "all". The best way to protect your PRTG is to use a VPN (IPsec or SSL VPN) and a Web Application Firewall like FortiWeb.

If you want to read more from me in the future, watch out for posts on my new blog: https://how2itsec.blogspot.com/

Troubleshooting Common FortiGate Reverse Proxy Issues

Connection Timeouts:

  • Symptom: PRTG web interface loads slowly or times out
  • Solution: Verify that the virtual server's health-check monitor and real server entries are configured correctly
  • Check: Ensure PRTG web server is responding on the configured internal TCP port
  • PRTG Monitoring: Use FortiGate System Statistics sensor to check session limits via API

SSL Certificate Warnings:

  • Symptom: Web browsers display certificate errors when accessing PRTG
  • Solution: Verify the SSL certificate loaded in FortiGate matches your PRTG domain
  • Check: Confirm certificate chain includes all intermediate certificates
  • Best Practice: Use certificates from trusted Certificate Authorities for production

TLS Version Mismatches:

  • Symptom: Connection failures with "protocol version" errors in web browser
  • Solution: Verify FortiOS version supports TLS 1.2 (requires FortiOS 5.4+)
  • Check: Confirm client web browsers support TLS 1.2
  • Security Note: Never downgrade to TLS 1.0 or 1.1 for compatibility

High CPU Usage on FortiGate:

  • Symptom: FortiGate CPU consistently above 80% due to SSL offloading
  • Solution: SSL/TLS decryption is CPU-intensive; consider FortiGate hardware upgrade
  • PRTG Monitoring: FortiGate System Statistics sensor will alert at 90% CPU
  • Optimization: Review session timeout settings in firewall policy to reduce concurrent connections

Authentication Failures:

  • Symptom: PRTG login fails through reverse proxy but works directly
  • Solution: Verify FortiGate is passing authentication headers correctly in the virtual server config
  • Check: Review FortiGate logs via CLI or GUI for authentication-related errors
  • Configuration: Ensure no conflicting authentication policies on FortiGate
  • Advanced: Consider LDAP integration for centralized authentication

VPN and Reverse Proxy Conflicts:

  • Symptom: SSL VPN (FortiClient) connections fail when reverse proxy is active
  • Solution: Ensure SSL VPN and reverse proxy use different extintf and extip addresses
  • Check: Verify proxy policy doesn't conflict with VPN tunnel configurations
  • Port Forwarding: Confirm port forwarding rules don't overlap between services

Web Proxy and Explicit Proxy Issues:

  • Symptom: Explicit proxy settings interfere with reverse proxy operation
  • Solution: Separate web proxy and reverse proxy configurations on different interfaces
  • Check: Review proxy server settings in FortiOS config
  • Web Cache: Disable web cache for PRTG traffic to ensure real-time data


Summary

This guide explains how to configure a Fortinet FortiGate firewall as a reverse proxy for PRTG Network Monitor to enable secure external access with TLS 1.2. The solution provides SSL/TLS offloading to reduce PRTG server load, centralized certificate management, and additional protection through FortiGate security features. The article covers the step-by-step configuration of the Virtual Server, security hardening via CLI with restricted cipher suites, the firewall policy with UTM profiles, and a troubleshooting section for common issues. Important: TLS 1.2 support requires FortiOS 5.4 or higher; older versions only support TLS 1.1 and 1.0.