u/Aggravating-Crew6956

Hi, I’m using a FortiGate 200G and trying to provide HTTPS services using Virtual Servers. My backend is running on Kubernetes.

Environment

I have two HTTPS Virtual Servers configured on the same public IP (203.0.113.10:443):

  1. VIP #1
    • Certificate: *.example-a.com
    • Load balancing: HTTP-HOST
    • Backends:
      • app1.example-a.com → 10.0.0.1:443
      • app2.example-a.com → 10.0.0.2:443
  2. VIP #2
    • Certificate: *.example-b.com
    • Load balancing: HTTP-HOST
    • Backends:
      • app.example-b.com → 10.0.0.3:443
  • SSL offloading is enabled (client ↔ FortiGate: full SSL)

Issue

  • Requests to example-a.com domains work as expected → the correct certificate (*.example-a.com) is presented
  • However, when accessing example-b.com domains → the correct certificate (*.example-b.com) is NOT presented → instead, the *.example-a.com certificate is returned

Question

  • Is it supported to use multiple Virtual Servers with different certificates on the same IP:443 in FortiGate?
  • Does this require SNI-based certificate selection, and if so, how should it be configured in this scenario?
  • Or is this behavior expected due to a limitation of SSL offloading with Virtual Servers?
u/Aggravating-Crew6956 — 17 days ago
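One way to confirm the symptom described in the post from the client side, as an added example (not FortiGate code or anything from the poster): connect to the VIP with an explicit SNI name and check whether the presented certificate's DNS SANs actually cover that name. The IP and hostnames are the ones from the post; the `EXAMPLE_SANS` list is a constructed stand-in for the *.example-a.com certificate.

```python
"""Probe a TLS virtual server with an explicit SNI name and report whether the
certificate it presents covers that name (e.g. a *.example-a.com cert being
served for an example-b.com host). Added diagnostic example, not FortiGate code."""
import socket
import ssl

# Constructed sample: the SAN list a *.example-a.com wildcard cert would carry.
EXAMPLE_SANS = [("DNS", "*.example-a.com"), ("DNS", "example-a.com")]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname (RFC 6125 style: a wildcard
    is allowed only as the entire leftmost label and covers exactly one label)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # reject "a*.x", a bare "*", and "*.com"-style patterns
    return p_labels[1:] == h_labels[1:]


def cert_covers(sans, hostname: str) -> bool:
    """True if any DNS SAN in the certificate covers the hostname."""
    return any(kind == "DNS" and san_matches(value, hostname) for kind, value in sans)


def probe(ip: str, port: int, sni: str, timeout: float = 5.0):
    """Connect to ip:port sending `sni` in the ClientHello and return
    (presented SANs, whether they cover `sni`). The chain is still validated
    against the system trust store; only the hostname check is disabled so a
    mismatched certificate is reported instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by cert_covers() for reporting
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            sans = tls.getpeercert().get("subjectAltName", ())
    return sans, cert_covers(sans, sni)


if __name__ == "__main__":
    # VIP address and hostnames from the post; run from a host that can reach the VIP.
    for name in ("app1.example-a.com", "app2.example-a.com", "app.example-b.com"):
        sans, ok = probe("203.0.113.10", 443, name)
        print(f"{name}: {'OK' if ok else 'WRONG CERT'} -> {[v for _, v in sans]}")
```

If `app.example-b.com` reports WRONG CERT with the *.example-a.com SANs, the FortiGate is not selecting the certificate by SNI; if it reports OK, the problem lies elsewhere (for example in which VIP the client actually hits).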