Do we need SSL Certificate on both Firewall and WAF for inbound traffic?

We have a website hosted behind a WAF (FortiWeb) and a firewall (FortiGate). The WAF already has the server's valid SSL certificate from a public CA. Do we also need to install an SSL certificate on the firewall for inbound traffic to make it more secure? Will unscanned HTTPS traffic reaching the firewall first compromise the network?

Resume CV templates website with search engine traffic

For sale: a website with resume (CV) templates for different job positions. The site is getting some traffic from search engines and Google Images.
All content is currently made of HTML files (not WordPress nor an SQL db), but you can convert it back to WordPress thanks to some cheap online services. Files and images are about 200MB.

Why are you selling this site?
Need to free some space on the server.
How is it monetized?
Not monetized…

Why is it possible for all programs / apps to see all network traffic?

I am reading about sandboxing, specifically for Android and Linux-based systems (like snap apps). Each app is isolated and can only see its own files, i.e. each app has its own environment. What I don't understand is why each app can see all network traffic being sent. On Android I can install HTTP Canary, which works by acting as a VPN and then allows you to see all traffic sent from your device. On my PC I can use Wireshark and monitor all traffic sent from my computer. My question is: why is this possible? Why do all programs have the ability to see all network traffic? Shouldn't true sandboxing result in each app being able to see only its own network traffic? I am thinking that it's because all programs have access to the network adapter, i.e. all programs should be able to use the network adapter, and thus each program can see everything that enters and exits the network adapter. Wouldn't it be better if some form of channels were used, so each app can only see its own channel in the network adapter? I know that as soon as the traffic leaves the device, every device nearby can monitor the wireless traffic, as it is in the air (it's encrypted, however). It is only the part before it leaves the network adapter that I don't understand: why can all programs see all traffic?

Circumventing inbound traffic rule by faking reply traffic

My question is about security groups/firewalls and protecting a virtual private cloud from the external world. Here is a description of VPC default policy for inbound/outbound traffic (on AWS):

Each security group by default contains an outbound rule that allows access to any IP address. It’s important to note that when an instance sends traffic out, the security group will allow reply traffic to reach the instance, regardless of what inbound rules are configured.

I was wondering if there exists an attack vector where a malicious user tries to circumvent the VPC's inbound policy (i.e. block all traffic) by tricking it into thinking that the incoming traffic is "reply" traffic? Does such an attack have a name in the literature?

I can also think of a scenario where a target machine T (within a VPC) sends a request to some valid server V, but the malicious user M sends a malicious response to T (tricking it into believing that it comes from V) before T receives the actual response from V, thereby circumventing T's inbound traffic policy.