Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 6.0.0 CLI Reference
    6.0.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config load-balance real-server-ssl-profile

    config load-balance real-server-ssl-profile

    Use this command to configure real server profiles. A real server profile determines settings used in network communication on the FortiADC-server segment, in contrast to a virtual server profile, which determines the settings used in network communication on the client-FortiADC segment.

    Table 12 provides a summary of the predefined profiles. You can select predefined profiles in the real server configuration, or you can create user-defined profiles.

    Predefined real server profiles
    Profile Defaults
    LB_RS_SSL_PROF_DEFAULT
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: custom
    LB_RS_SSL_PROF_ECDSA
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-RC4-SHA,ECDHE-ECDSA-DES-CBC3-SHA
    LB_RS_SSL_PROF_ECDSA_SSLV3
    • Allow version: SSLv3
    • Cipher suite list: ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-RC4-SHA,ECDHE-ECDSA-DES-CBC3-SHA
    LB_RS_SSL_PROF_ECDSA_TLS12
    • Allow version: TLSv1.2
    • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256
    LB_RS_SSL_PROF_ENULL
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: eNull

    Recommended for Microsoft Direct Access servers where the application data is already encrypted and no more encryption is needed.
    LB_RS_SSL_PROF_HIGH
    • Allow version TLSv1.2
    • Cipher suite list: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 AES256-GCM-SHA384 AES256-SHA256
    LB_RS_SSL_PROF_LOW_SSLV3
    • Allow version SSLv3
    • Cipher suite list: DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
    LB_RS_SSL_PROF_MEDIUM
    • Allow version: TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
    LB_RS_SSL_PROF_NONE SSL is disabled.

    Before you begin:

    • You must have read-write permission for load balance settings.

    Syntax

    config load-balance real-sever-ssl-profile

    edit <name>

    set ssl {enable|disable}

    set allow-ssl-versions {sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3}

    set server-cert-verify <datasource>

    set ssl-ciphers {ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL }

    set ssl-customize-ciphers-flag {enable|disable}

    set ssl-customized-ciphers <string>

    set ssl-session-reuse {enable|disable}

    set ssl-session-reuse-limit <integer>

    set ssl-sni-forward {enable|disable}

    set ssl-tls-ticket-reuse {enable|disable}

    next

    end

    ssl

    		Enable/disable SSL for the connection between the FortiADC and the real server.

    allow-ssl-versions

    		Specify a space-separated list of allowed SSL versions.

    server-cert-verify

    		 Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and can include OCSP and CRL checks.

    ssl-ciphers

    		Specify a space-separated, ordered list of supported SSL ciphers.

    ssl-customize-ciphers-flag

    		 Enable/disable use of user-specified cipher suites.

    ssl-customized-ciphers

    If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites.

    An empty string is allowed. If empty, the default cipher suite list is used.

    ssl-session-reuse

    		Enable/disable SSL session reuse.

    ssl-session-reuse-limit

    		The default is 0 (disabled). The valid range is 0-1048576.

    ssl-sni-forward

    		Enable/disable forwarding the client SNI value to the server. The SNI value will be forwarded to the real server only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded.

    ssl-tls-ticket-reuse

    		Enable/disable TLS ticket-based session reuse.

    server-OCSP-stapling-support

    Enable/disable server ocsp_stapling. The default is disable.

    Note: Only when verify is enabled does this command take effect.

    Example

    FortiADC-VM # config load-balance real-server-ssl-profile

    FortiADC-VM (real-server-ss~-) # get

    == [ LB_RS_SSL_PROF_NONE ]

    == [ LB_RS_SSL_PROF_LOW_SSLV2 ]

    == [ LB_RS_SSL_PROF_LOW_SSLV3 ]

    == [ LB_RS_SSL_PROF_MEDIUM ]

    == [ LB_RS_SSL_PROF_HIGH ]

    == [ LB_RS_SSL_PROF_ECDSA ]

    == [ LB_RS_SSL_PROF_ECDSA_SSLV3 ]

    == [ LB_RS_SSL_PROF_ECDSA_TLS12 ]

    == [ LB_RS_SSL_PROF_ENULL ]

    == [ LB_RS_SSL_PROF_DEFAULT ]

    FortiADC-VM (real-server-ss~-) # edit RS-SSL-PROFILE-USER-DEFINED

    Add new entry 'RS-SSL-PROFILE-USER-DEFINED' for node 3862

    FortiADC-VM (RS-SSL-PROFILE~U) # set ssl enable

    FortiADC-VM (RS-SSL-PROFILE~U) # get

    ssl : enable

    server-cert-verify :

    ssl-sni-forward : disable

    ssl-session-reuse : disable

    ssl-customize-ciphers-flag : disable

    ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA

    allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2

    FortiADC-VM (RS-SSL-PROFILE~U) # set ssl-session-reuse enable

    FortiADC-VM (RS-SSL-PROFILE~U) # set allow-ssl-versions tlsv1.2

    FortiADC-VM (RS-SSL-PROFILE~U) # end

    FortiADC-VM #

    Previous
    Next

    config load-balance real-server-ssl-profile

    config load-balance real-server-ssl-profile

    Use this command to configure real server profiles. A real server profile determines settings used in network communication on the FortiADC-server segment, in contrast to a virtual server profile, which determines the settings used in network communication on the client-FortiADC segment.

    Table 12 provides a summary of the predefined profiles. You can select predefined profiles in the real server configuration, or you can create user-defined profiles.

    Predefined real server profiles
    Profile Defaults
    LB_RS_SSL_PROF_DEFAULT
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: custom
    LB_RS_SSL_PROF_ECDSA
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-RC4-SHA,ECDHE-ECDSA-DES-CBC3-SHA
    LB_RS_SSL_PROF_ECDSA_SSLV3
    • Allow version: SSLv3
    • Cipher suite list: ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-RC4-SHA,ECDHE-ECDSA-DES-CBC3-SHA
    LB_RS_SSL_PROF_ECDSA_TLS12
    • Allow version: TLSv1.2
    • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256
    LB_RS_SSL_PROF_ENULL
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: eNull

    Recommended for Microsoft Direct Access servers where the application data is already encrypted and no more encryption is needed.
    LB_RS_SSL_PROF_HIGH
    • Allow version TLSv1.2
    • Cipher suite list: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 AES256-GCM-SHA384 AES256-SHA256
    LB_RS_SSL_PROF_LOW_SSLV3
    • Allow version SSLv3
    • Cipher suite list: DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
    LB_RS_SSL_PROF_MEDIUM
    • Allow version: TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
    LB_RS_SSL_PROF_NONE SSL is disabled.

    Before you begin:

    • You must have read-write permission for load balance settings.

    Syntax

    config load-balance real-sever-ssl-profile

    edit <name>

    set ssl {enable|disable}

    set allow-ssl-versions {sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3}

    set server-cert-verify <datasource>

    set ssl-ciphers {ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL }

    set ssl-customize-ciphers-flag {enable|disable}

    set ssl-customized-ciphers <string>

    set ssl-session-reuse {enable|disable}

    set ssl-session-reuse-limit <integer>

    set ssl-sni-forward {enable|disable}

    set ssl-tls-ticket-reuse {enable|disable}

    next

    end

    ssl

    		Enable/disable SSL for the connection between the FortiADC and the real server.

    allow-ssl-versions

    		Specify a space-separated list of allowed SSL versions.

    server-cert-verify

    		 Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and can include OCSP and CRL checks.

    ssl-ciphers

    		Specify a space-separated, ordered list of supported SSL ciphers.

    ssl-customize-ciphers-flag

    		 Enable/disable use of user-specified cipher suites.

    ssl-customized-ciphers

    If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites.

    An empty string is allowed. If empty, the default cipher suite list is used.

    ssl-session-reuse

    		Enable/disable SSL session reuse.

    ssl-session-reuse-limit

    		The default is 0 (disabled). The valid range is 0-1048576.

    ssl-sni-forward

    		Enable/disable forwarding the client SNI value to the server. The SNI value will be forwarded to the real server only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded.

    ssl-tls-ticket-reuse

    		Enable/disable TLS ticket-based session reuse.

    server-OCSP-stapling-support

    Enable/disable server ocsp_stapling. The default is disable.

    Note: Only when verify is enabled does this command take effect.

    Example

    FortiADC-VM # config load-balance real-server-ssl-profile

    FortiADC-VM (real-server-ss~-) # get

    == [ LB_RS_SSL_PROF_NONE ]

    == [ LB_RS_SSL_PROF_LOW_SSLV2 ]

    == [ LB_RS_SSL_PROF_LOW_SSLV3 ]

    == [ LB_RS_SSL_PROF_MEDIUM ]

    == [ LB_RS_SSL_PROF_HIGH ]

    == [ LB_RS_SSL_PROF_ECDSA ]

    == [ LB_RS_SSL_PROF_ECDSA_SSLV3 ]

    == [ LB_RS_SSL_PROF_ECDSA_TLS12 ]

    == [ LB_RS_SSL_PROF_ENULL ]

    == [ LB_RS_SSL_PROF_DEFAULT ]

    FortiADC-VM (real-server-ss~-) # edit RS-SSL-PROFILE-USER-DEFINED

    Add new entry 'RS-SSL-PROFILE-USER-DEFINED' for node 3862

    FortiADC-VM (RS-SSL-PROFILE~U) # set ssl enable

    FortiADC-VM (RS-SSL-PROFILE~U) # get

    ssl : enable

    server-cert-verify :

    ssl-sni-forward : disable

    ssl-session-reuse : disable

    ssl-customize-ciphers-flag : disable

    ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA

    allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2

    FortiADC-VM (RS-SSL-PROFILE~U) # set ssl-session-reuse enable

    FortiADC-VM (RS-SSL-PROFILE~U) # set allow-ssl-versions tlsv1.2

    FortiADC-VM (RS-SSL-PROFILE~U) # end

    FortiADC-VM #

    Previous
    Next