Configuring a FortiGate reverse proxy for PRTG Network Monitor gives you controlled external access to your monitoring server while offloading SSL/TLS processing from PRTG to the firewall. This guide, written by IT Security Architect Florian Thiele, who has 10 years of FortiGate and PRTG experience, walks through the configuration of a Fortinet FortiGate as a reverse proxy with a TLS 1.2-only, hardened cipher setup.
A while back, the Paessler blog published posts describing how to use a reverse proxy to offload work from a PRTG server. One post covered the general approach, the other described how to do it with a KEMP LoadMaster. Here I'll explain how to do it with FortiGate firewalls.
Before you start, please read the following disclaimer, as this touches a sensitive part of your security setup.
Please note: This is a guest article. I have carefully compiled this information and it is provided to the best of my knowledge. As the solution is not part of PRTG itself, it is not officially supported by Paessler or PRTG Technical Support. Yet, we wanted to share it with you as it might be of interest for many PRTG users.
You must also be aware that if you configure any part of this incorrectly, you may allow an intruder to reach anything configured within PRTG, including user IDs, passwords, IP addresses, host names, etc. In other words: no warranties are expressed or implied. Paessler, its employees or partners cannot be held liable for any damages you may incur as a result of deploying a reverse proxy.
Fortinet's documentation is available at http://docs.fortinet.com; there is also a handbook on FortiGate server load balancing: http://docs.fortinet.com/d/fortigate-server-load-balancing-56
Important: only FortiOS 5.4, 5.6 and later support TLS 1.2 in the server load balancing feature; FortiOS 5.2, 5.0, 4.3 and earlier only support TLS 1.0 and TLS 1.1. TLS 1.2 is strongly recommended, so upgrade first if you are on an older release.
Putting a FortiGate reverse proxy in front of PRTG brings two things, both covered in this article: security, because the FortiGate terminates TLS with a hardened protocol and cipher configuration and can run UTM profiles (antivirus, intrusion prevention, application control) on the proxied sessions before they reach PRTG; and performance, because TLS processing moves off the PRTG server onto the firewall, which on models with CP8 or CP9 ASICs handles it in hardware.
Go to Policy & Objects > Virtual Servers and add a virtual server in the GUI:
Create a new virtual server, select HTTPS as the Type, enter the external IP address (extip) and TCP port, and select the certificate. The certificate must already be loaded in the FortiGate certificate store (System > Certificates).
Create a new real server (realservers) and enter the internal IP address and TCP port on which your PRTG web server listens.
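The same virtual server created from the CLI instead of the GUI, as an added example that is not part of the original article. The addresses and ports match the `get` output shown further down (external 192.168.0.1:443 on wan1, real server 172.30.0.171:80); the certificate name is an assumption and must be the name of the certificate you uploaded under System > Certificates.

```fortios
config firewall vip
    edit "vs_PRTG-webserver01"
        set type server-load-balance
        set server-type https                  <-- FortiGate terminates HTTPS on the external side
        set extintf "wan1"
        set extip 192.168.0.1
        set extport 443
        set ldb-method static                  <-- single real server, no balancing needed
        set ssl-mode half                      <-- TLS ends here; FortiGate -> PRTG is plain HTTP
        set ssl-certificate "prtg-webserver-cert"   <-- assumed name of the uploaded certificate
        config realservers
            edit 1
                set ip 172.30.0.171            <-- PRTG web server
                set port 80                    <-- port PRTG listens on
            next
        end
    next
end
```

The TLS hardening settings (protocol versions, cipher suites, HSTS) are applied to this same object in the following steps.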
Go to the CLI of the FortiGate device using SSH, or use the web browser interface's CLI console widget.
There, enter the following config:
```
config firewall vip
    edit vs_PRTG-webserver01                  <-- name of the virtual server created above
        set ssl-min-version tls-1.2           <-- recommendation: allow only TLS 1.2
        set ssl-max-version tls-1.2
        set ssl-algorithm custom              <-- recommendation: harden the client-facing cipher list
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
            next
            edit 2
                set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
            next
        end
        set ssl-dh-bits 2048                  <-- recommendation: at least 2048-bit DH parameters*
        set ssl-client-renegotiation secure   <-- recommendation: only allow RFC 5746 secure renegotiation
        set ssl-client-fallback enable        <-- recommendation: downgrade attack prevention (TLS_FALLBACK_SCSV, RFC 7507, https://tools.ietf.org/html/rfc7507)
    next
end
```

Two things to be aware of here. The protocol and cipher settings above are the client-facing ones (ssl-min-version, ssl-algorithm, ssl-cipher-suites); the ssl-server-* counterparts govern the FortiGate-to-real-server leg, which with ssl-mode half is plain HTTP and not TLS at all. And the two cipher suites listed are ECDSA suites, so they only work if the certificate assigned to the virtual server has an ECDSA key; with the far more common RSA certificate you must use the TLS-ECDHE-RSA-WITH-... equivalents instead, otherwise every handshake fails. The ssl-dh-bits setting only affects DHE suites, which this list does not contain, but it does no harm to set it.
*Note: only FortiGate models with CP9 ASIC processors handle 3072- and 4096-bit DH (Diffie-Hellman) keys in hardware; models with CP8 ASIC processors handle up to 2048-bit DH keys in hardware, and other models have to use the FortiGate CPU. For more information about this, see Fortinet's documentation.
From FortiOS 5.6 onwards, the virtual server can also send an HSTS header, which tells browsers to use HTTPS only for this host name and blocks SSL-stripping man-in-the-middle attacks. Enable it on the same virtual server:

```
config firewall vip
    edit vs_PRTG-webserver01
        set ssl-hsts enable
        set ssl-hsts-age 31536000              <-- one year, in seconds
        set ssl-hsts-include-subdomains enable
    next
end
```

Browsers cache the header for the full ssl-hsts-age, so test with a short age first, and only enable ssl-hsts-include-subdomains if every subdomain of the PRTG host name is reachable over HTTPS; otherwise those subdomains become unreachable for clients that have seen the header.
For more information about load balancing with FortiGate devices, see the Fortinet documentation linked above.
Check the configuration again via the CLI:

```
config firewall vip
    edit vs_PRTG-webserver01
FortiGate1500D-HA01 (vs_PRTG-webserver01) # get
name                : vs_PRTG-webserver01
id                  : 0
uuid                : 123456ab-cdef-1234-4567-1234567890ab
comment             : virtual server PRTG webserver
type                : server-load-balance
src-filter          :
extip               : 192.168.0.1
extintf             : WAN (wan1)
arp-reply           : enable
server-type         : https
nat-source-vip      : disable
gratuitous-arp-interval: 0
srcintf-filter      :
http-ip-header      : disable
monitor             :
color               : 0
ldb-method          : static
persistence         : none
extport             : 443
realservers:
    == [ 1 ]
    id: 1   ip: 172.30.0.171   port: 80   status: active   holddown-interval: 300   max-connections: 0
http-multiplex      : disable
ssl-mode            : half
ssl-certificate     : trusted-certificate-loaded-in-certificate-store
ssl-dh-bits         : 2048
ssl-algorithm       : custom
ssl-cipher-suites   : TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
                      TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ssl-server-algorithm: client
ssl-pfs             : allow
ssl-min-version     : tls-1.2
ssl-max-version     : tls-1.2
ssl-server-min-version: client
ssl-server-max-version: client
ssl-send-empty-frags: enable
ssl-client-fallback : enable
ssl-client-renegotiation: secure
ssl-client-session-state-type: both
ssl-client-session-state-timeout: 30
ssl-client-session-state-max: 1000
ssl-server-session-state-type: both
ssl-server-session-state-timeout: 60
ssl-server-session-state-max: 100
max-embryonic-connections: 1000
```

The lines to verify are ssl-min-version and ssl-max-version (both tls-1.2), ssl-algorithm custom with only the two intended cipher suites, ssl-client-fallback enable and ssl-client-renegotiation secure. Note also ssl-mode half: TLS terminates on the FortiGate and the connection to the real server on port 80 is plain HTTP, so the network segment between FortiGate and PRTG must be trusted. If it is not, set ssl-mode full and point the real server at the PRTG HTTPS port so the FortiGate re-encrypts towards PRTG.
Go to Policy & Objects > IPv4 Policy and add a security policy from wan1 to internal whose destination is the virtual server, using the GUI.
In this firewall policy you can also apply UTM profiles (antivirus, intrusion prevention, application control, etc.) to the load-balanced sessions. Because TLS is terminated on the virtual server, these profiles inspect the decrypted HTTP traffic on its way to PRTG, which gives an additional layer of protection similar to, though not a full substitute for, a web application firewall.
```
config firewall policy
    edit 0                                <-- 0 = next free policy ID
        set srcintf wan1
        set srcaddr all
        set dstintf internal
        set dstaddr vs_PRTG-webserver01
        set action accept
        set schedule always
        set service HTTP                  <-- service port of the real server, not of the virtual server
        set nat enable                    <-- only if your network setup requires it
        set utm-status enable
        set profile-protocol-options default
        set av-profile scan
        set ips-profile high_security
    next
end
```
This policy accepts traffic arriving on wan1 for the virtual server, forwards it to the internal interface, and enables UTM inspection on it with the antivirus and IPS profiles named above.
To verify that everything worked, run a public TLS scanner against the external address. A popular and thorough one is the SSL Labs server test: https://www.ssllabs.com/ssltest/analyze.html. It should report TLS 1.2 as the only offered protocol, only the two configured cipher suites, support for TLS_FALLBACK_SCSV and secure renegotiation, and (from FortiOS 5.6) the HSTS header.
To make it even more secure, access to the PRTG web server can be limited to dedicated IP addresses or (dynamic) FQDNs by setting the policy's source address ("set srcaddr") to an address group instead of all. The best way to protect PRTG is to expose it only over VPN (IPsec or SSL VPN) and to put a web application firewall such as FortiWeb in front of it.
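The source restriction described above, written out as an added example that is not part of the original article. The address names, the office subnet, the dynamic DNS name and the policy ID are assumptions; replace them with your own and use the ID of the wan1-to-internal policy you created for the virtual server.

```fortios
config firewall address
    edit "adr_PRTG-admin-office"
        set type ipmask
        set subnet 203.0.113.0 255.255.255.0    <-- assumed static office range
    next
    edit "adr_PRTG-admin-home"
        set type fqdn                           <-- resolved by the FortiGate's DNS, so the name must resolve from the firewall
        set fqdn "admin-home.example.net"       <-- assumed dynamic DNS name
    next
end
config firewall addrgrp
    edit "grp_PRTG-admins"
        set member "adr_PRTG-admin-office" "adr_PRTG-admin-home"
    next
end
config firewall policy
    edit 10                                     <-- assumed ID of the wan1 -> internal policy for vs_PRTG-webserver01
        set srcaddr "grp_PRTG-admins"           <-- replaces "all"; everything else in the policy stays as configured
    next
end
```

With an FQDN object the FortiGate refreshes the address from DNS on each TTL expiry, so a dynamic DNS client with a short TTL keeps a changing home IP in the group without manual updates; until the new record has been resolved, the new address is blocked like any other.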
If you want to read more from me in the future, watch out for posts on my new blog: https://how2itsec.blogspot.com/
A few things to check if the setup does not behave as expected: if some clients cannot connect at all, the cause is usually the TLS 1.2-only setting (ssl-min-version/ssl-max-version) or the restricted cipher list, which older clients and clients that cannot use the certificate's key type will not match; if browsers show certificate warnings, make sure the certificate assigned to the virtual server is the one loaded under System > Certificates and that its chain is complete; if CPU load on the FortiGate rises noticeably, check whether your model handles the configured DH key size in hardware (see the CP8/CP9 note above).