Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 6.1.4 CLI Reference
    6.1.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config load-balance client-ssl-profile

    config load-balance client-ssl-profile

    Use this command to configure SSL-type real servers using the client-ssl-profile.

    Note: This command is related to "config load-balance certificate-caching" on page 1.

    Profile Description
    LB_CLIENT_SSL_PROF_DEFAULT

    This is the default client SSL load-balancing profile. It's a basic profile that can be used for all client SSL load-balancing scenarios.

    Recommended SSL versions:

    • SSLv3
    • TLSv1.0
    • TLSv1.1
    • TLSv1.2
    • TLSv1.3
    LB_CLIENT_SSL_PROF_FORWARD_PROXY

    This profile is used when the SSL Forward Proxy feature is enabled. It works in tandem with Forward Proxy Certificate Caching, i.e., LB_CERT_RAM_CACHING_DEFAULT), and Forward Proxy Local Signing CA, i.e., SSLPROXY_LOCAL_CA.

    Recommended SSL versions:

    • SSLv3
    • TLSv1.0
    • TLSv1.1
    • TLSv1.2
    • TLSv1.3
    LB_CLIENT_SSL_PROF_HTTP2

    This profile applies to HTTP2 protocol only.

    Recommended SSL version:

    • TLSv1.2
    • TLSv1.3

    Syntax

    config load-balance client-ssl-profile

    edit <name>

    set client-certificate-verify <verify_profile_name>

    set client-sni-required <enable/disable>

    set forward-proxy <enable/disable>

    set local-certificate-group <local_certificate_group_name>

    set ssl-allowed-versions <sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3>

    set ssl-ciphers <one or more ciphers>

    set ssl-customize-ciphers-flag <enable/disable>

    set forward-client-certificate <enable/disable>

    set forward-client-certificate-header <customized_header_name>

    set forward-proxy-certificate-caching <cache_name>

    set forward-proxy-local-signing-CA <local_ca>

    set forward-proxy-intermediate-ca-group <intermediate_ca>

    set backend-ssl-OCSP-stapling-support <enable/disable>

    set reject-ocsp-stapling-with-missing-nextupdate <enable/disable>

    set reject-revoked-unknown-ocsp-stapling <enable/disable>

    set ocsp-stapling-skew-time <integer>

    set ssl-auto-chain-flag <enable/disable>

    set client-certificate-verify-option required/ optional

    set ssl-session-cache-flag enable/disable

    set use-tls-tickets enable/disable

    set renegotiation <enable/disable>

    set ssl-dynamic-record-sizing <enable/disable>

    set ssl-dh-param-size <1024bit/2048bit/4096bit>

    set ssl-auto-chain-flag <enable/disable>

    next

    end

    client-certificate-verify Specify a certificate validation policy.
    client-sni-required If enabled, clients are required to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. This will allow FortiADC to select the appropriate local server certificate to present to the client.
    forward-proxy Enable/disable SSL forward proxy.
    local-certificate-group

    Configure the local certificate group that includes the certificates the virtual server presents to SSL/TLS clients.

    Note: This MUST be the backend server's certificate, NOT the appliance’s GUI web server certificate.
    ssl-allowed-versions Specify the allowed SSL versions in a space-separated list.
    ssl-ciphers Specify the supported SSL ciphers in a space-separated list.
    ssl-customize-ciphers-flag Enable/disable the use of user-specified cipher suites.
    forward-client-certificate Enable/disable. If enabled, FortiADC will send the whole client certificate encoded in the BASE64 code in the specified HTTP header, which is either the X-Client-Cert or a user-defined header.
    forward-client-certificate-header The default is X-Client-Cert, but you can customize it using this command.
    forward-proxy-certificate-caching Select cache RAM to store re_signed certificates.
    forward-proxy-local-signing-CA Set the CA used to sign the server certificate.
    forward-proxy-intermediate-ca-group Set the intermediate CA group used to sign the server certificate.
    backend-ssl-sni-forward Enable/disable forwarding the server's SNI.
    backend-ssl-customize-ciphers-flag Enable/disable customized ciphers used to connect to the real server.
    backend-ssl-customized-ciphers ECDSA Set the cipher used to connect to the real server.
    backend-allow-ssl-versions Set the SSL version used to connect to the real server.

    backend-ssl-OCSP-stapling-support

    Enable or disable. Disabled by default.

    Note: This parameter is available only when backend-certificate-verify is configured and forward-proxy is enabled.

    reject-ocsp-stapling-with-missing-nextupdate

    Enable or disable reject-ocsp-response-with-missing-nextupdate. Disabled by default.

    Note: When disabled, FortiADC will accept OCSP responses without the next-update time. If enabled, FortiADC will reject OCSP responses without the next-update time.

    reject-revoked-unknown-ocsp-stapling

    Enable or disable reject-revoked-unknown-ocsp-stapling. Enabled by default.

    Note: When enabled, FortiADC will reject OCSP responses whose status is revoked or unknown.

    ocsp-stapling-skew-time

    The default is 0 (in seconds). It means the skew time of this updated time and next updated time.

    ssl-auto-chain-flag

    Enabled by default. It means that when the configured certificate is used in the same client-ssl-profile as the local certificate, and the local certificate is issued by the CA set in the Client Certificate Verify section, ADC will automatically form a certificate chain to the client.
    client-certificate-verify-option

    Choose either of the following:

    • required—If this option is set as required, then a client certificate is required for verification.
    • optional—If this option is set as optional, then the system needs to work with a script such as OPTIONAL_CLIENT_AUTHENTICATION. In that case, FortiADC will accept SSL handshake for the initial transaction, and then lets the script to control the subsequent actions.
    ssl-session-cache-flag

    Enable to store SSL session in cache. This option is automatically disabled when the client-certificate-verify-option is set to optional.
    use-tls-tickets

    Enable to allow reusing SSL tickets. This option is automatically disabled when the client-certificate-verify-option is set to optional.
    set client-ssl profile renegotiation

    Enable or disable SSL renegotiation from the client side.

    Note: The feature is disabled by default.

    ssl-dynamic-record-sizing

    Allows ADC to dynamically adjust the size of TLS records based on the state of the connection, in order to prevent bottlenecks caused by the buffering of TLS record fragments.

    Note: The feature is disabled by default.

    ssl-dh-param-size

    Specify the pubkey length in Diffie Hellman. Default is 1024.

    ssl-auto-chain-flag

    Set it to disable to make ADC present only local certificates.

    Note: If the CA, when configured in "Client Certificate Verify," happens to accidentally issue the configured local certificates, the ADC will present chain certificates to the client. In this event, set ssl-auto-chain-flag to disable.

    Default is enable.

    Example 1: Create a new client-SSL profile and quote it in virtual server configuration

    Step 1: Configure a client SSL profile

    config load-balance client-sssl-profile

    edit "csp1"

    set ssl-customize-ciphers-flag disable

    set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA

    set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2

    set forward-proxy enable

    unset client-certificate-verify

    set forward-proxy-certificate-caching LB_CERT_RAM_CACHING_DEFAULT

    set forward-proxy-local-signing-CA SSLPROXY_LOCAL_CA

    unset forward-proxy-intermediate-ca-group

    unset backend-certificate-verify

    set backend-ssl-sni-forward enable

    set backend-ssl-customize-ciphers-flag enable

    set backend-ssl-customized-ciphers test

    set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2

    set ssl-auto-chain-flag-enable

    next

    Step 2: Quote the client SSL profile in virtual server configuration:

    config load-balance virtual-server

    edit "https_vS1"

    set client-ssl-profile csp1

    next

    end

    Example 2: Create a certificate-caching object and quote it in the client SSL profile

    config load-balance certificate-caching

    edit "1"

    set max-certificate-cache-size 100M

    set max-entries 10000

    next

    config load-balance client-ssl-profile

    edit "test"

    set forward-proxy-certificate-caching 1

    set forward-proxy-local-signing-CA ca1

    set forward-proxy-intermediate-ca-group inter_group

    set backend-ssl-sni-forward enable

    set backend-ssl-customize-ciphers-flag disable

    set backend-ssl-customized-ciphers ECDHE-ECDSA-AES256-GCM-SHA384 (when backend-ssl-customize-ciphers-flag dis enable)

    set backend-ssl-customize-ciphers-flag enable/disable

    set backend-ssl-ciphers DHE-RSA-AES256-SHA DES-CBC3-SHA

    set backend-allow-ssl-versions tlsv1.1 tlsv1.2

    End

    Example 3: Create a client-certificate-verify object and quote it in the client SSL profile

    config load-balance client-sssl-profile

    edit "csp1"

    set ssl-customize-ciphers-flag disable

    set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA

    set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2 set forward-proxy enable

    unset client-certificate-verify

    set forward-proxy-certificate-caching LB_CERT_RAM_CACHING_DEFAULT set forward-proxy-local-signing-CA SSLPROXY_LOCAL_CA

    unset forward-proxy-intermediate-ca-group

    set client-certificate-verify verify

    set client-certificate-verify-option required

    set ssl-session-cache-flag enable

    set use-tls-tickets enable

    set backend-ssl-sni-forward enable

    set backend-ssl-customize-ciphers-flag enable

    set backend-ssl-customized-ciphers test

    set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2

    set ssl-auto-chain-flag-enable

    next

    Previous
    Next

    config load-balance client-ssl-profile

    config load-balance client-ssl-profile

    Use this command to configure SSL-type real servers using the client-ssl-profile.

    Note: This command is related to "config load-balance certificate-caching" on page 1.

    Profile Description
    LB_CLIENT_SSL_PROF_DEFAULT

    This is the default client SSL load-balancing profile. It's a basic profile that can be used for all client SSL load-balancing scenarios.

    Recommended SSL versions:

    • SSLv3
    • TLSv1.0
    • TLSv1.1
    • TLSv1.2
    • TLSv1.3
    LB_CLIENT_SSL_PROF_FORWARD_PROXY

    This profile is used when the SSL Forward Proxy feature is enabled. It works in tandem with Forward Proxy Certificate Caching, i.e., LB_CERT_RAM_CACHING_DEFAULT), and Forward Proxy Local Signing CA, i.e., SSLPROXY_LOCAL_CA.

    Recommended SSL versions:

    • SSLv3
    • TLSv1.0
    • TLSv1.1
    • TLSv1.2
    • TLSv1.3
    LB_CLIENT_SSL_PROF_HTTP2

    This profile applies to HTTP2 protocol only.

    Recommended SSL version:

    • TLSv1.2
    • TLSv1.3

    Syntax

    config load-balance client-ssl-profile

    edit <name>

    set client-certificate-verify <verify_profile_name>

    set client-sni-required <enable/disable>

    set forward-proxy <enable/disable>

    set local-certificate-group <local_certificate_group_name>

    set ssl-allowed-versions <sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3>

    set ssl-ciphers <one or more ciphers>

    set ssl-customize-ciphers-flag <enable/disable>

    set forward-client-certificate <enable/disable>

    set forward-client-certificate-header <customized_header_name>

    set forward-proxy-certificate-caching <cache_name>

    set forward-proxy-local-signing-CA <local_ca>

    set forward-proxy-intermediate-ca-group <intermediate_ca>

    set backend-ssl-OCSP-stapling-support <enable/disable>

    set reject-ocsp-stapling-with-missing-nextupdate <enable/disable>

    set reject-revoked-unknown-ocsp-stapling <enable/disable>

    set ocsp-stapling-skew-time <integer>

    set ssl-auto-chain-flag <enable/disable>

    set client-certificate-verify-option required/ optional

    set ssl-session-cache-flag enable/disable

    set use-tls-tickets enable/disable

    set renegotiation <enable/disable>

    set ssl-dynamic-record-sizing <enable/disable>

    set ssl-dh-param-size <1024bit/2048bit/4096bit>

    set ssl-auto-chain-flag <enable/disable>

    next

    end

    client-certificate-verify Specify a certificate validation policy.
    client-sni-required If enabled, clients are required to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. This will allow FortiADC to select the appropriate local server certificate to present to the client.
    forward-proxy Enable/disable SSL forward proxy.
    local-certificate-group

    Configure the local certificate group that includes the certificates the virtual server presents to SSL/TLS clients.

    Note: This MUST be the backend server's certificate, NOT the appliance’s GUI web server certificate.
    ssl-allowed-versions Specify the allowed SSL versions in a space-separated list.
    ssl-ciphers Specify the supported SSL ciphers in a space-separated list.
    ssl-customize-ciphers-flag Enable/disable the use of user-specified cipher suites.
    forward-client-certificate Enable/disable. If enabled, FortiADC will send the whole client certificate encoded in the BASE64 code in the specified HTTP header, which is either the X-Client-Cert or a user-defined header.
    forward-client-certificate-header The default is X-Client-Cert, but you can customize it using this command.
    forward-proxy-certificate-caching Select cache RAM to store re_signed certificates.
    forward-proxy-local-signing-CA Set the CA used to sign the server certificate.
    forward-proxy-intermediate-ca-group Set the intermediate CA group used to sign the server certificate.
    backend-ssl-sni-forward Enable/disable forwarding the server's SNI.
    backend-ssl-customize-ciphers-flag Enable/disable customized ciphers used to connect to the real server.
    backend-ssl-customized-ciphers ECDSA Set the cipher used to connect to the real server.
    backend-allow-ssl-versions Set the SSL version used to connect to the real server.

    backend-ssl-OCSP-stapling-support

    Enable or disable. Disabled by default.

    Note: This parameter is available only when backend-certificate-verify is configured and forward-proxy is enabled.

    reject-ocsp-stapling-with-missing-nextupdate

    Enable or disable reject-ocsp-response-with-missing-nextupdate. Disabled by default.

    Note: When disabled, FortiADC will accept OCSP responses without the next-update time. If enabled, FortiADC will reject OCSP responses without the next-update time.

    reject-revoked-unknown-ocsp-stapling

    Enable or disable reject-revoked-unknown-ocsp-stapling. Enabled by default.

    Note: When enabled, FortiADC will reject OCSP responses whose status is revoked or unknown.

    ocsp-stapling-skew-time

    The default is 0 (in seconds). It means the skew time of this updated time and next updated time.

    ssl-auto-chain-flag

    Enabled by default. It means that when the configured certificate is used in the same client-ssl-profile as the local certificate, and the local certificate is issued by the CA set in the Client Certificate Verify section, ADC will automatically form a certificate chain to the client.
    client-certificate-verify-option

    Choose either of the following:

    • required—If this option is set as required, then a client certificate is required for verification.
    • optional—If this option is set as optional, then the system needs to work with a script such as OPTIONAL_CLIENT_AUTHENTICATION. In that case, FortiADC will accept SSL handshake for the initial transaction, and then lets the script to control the subsequent actions.
    ssl-session-cache-flag

    Enable to store SSL session in cache. This option is automatically disabled when the client-certificate-verify-option is set to optional.
    use-tls-tickets

    Enable to allow reusing SSL tickets. This option is automatically disabled when the client-certificate-verify-option is set to optional.
    set client-ssl profile renegotiation

    Enable or disable SSL renegotiation from the client side.

    Note: The feature is disabled by default.

    ssl-dynamic-record-sizing

    Allows ADC to dynamically adjust the size of TLS records based on the state of the connection, in order to prevent bottlenecks caused by the buffering of TLS record fragments.

    Note: The feature is disabled by default.

    ssl-dh-param-size

    Specify the pubkey length in Diffie Hellman. Default is 1024.

    ssl-auto-chain-flag

    Set it to disable to make ADC present only local certificates.

    Note: If the CA, when configured in "Client Certificate Verify," happens to accidentally issue the configured local certificates, the ADC will present chain certificates to the client. In this event, set ssl-auto-chain-flag to disable.

    Default is enable.

    Example 1: Create a new client-SSL profile and quote it in virtual server configuration

    Step 1: Configure a client SSL profile

    config load-balance client-sssl-profile

    edit "csp1"

    set ssl-customize-ciphers-flag disable

    set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA

    set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2

    set forward-proxy enable

    unset client-certificate-verify

    set forward-proxy-certificate-caching LB_CERT_RAM_CACHING_DEFAULT

    set forward-proxy-local-signing-CA SSLPROXY_LOCAL_CA

    unset forward-proxy-intermediate-ca-group

    unset backend-certificate-verify

    set backend-ssl-sni-forward enable

    set backend-ssl-customize-ciphers-flag enable

    set backend-ssl-customized-ciphers test

    set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2

    set ssl-auto-chain-flag-enable

    next

    Step 2: Quote the client SSL profile in virtual server configuration:

    config load-balance virtual-server

    edit "https_vS1"

    set client-ssl-profile csp1

    next

    end

    Example 2: Create a certificate-caching object and quote it in the client SSL profile

    config load-balance certificate-caching

    edit "1"

    set max-certificate-cache-size 100M

    set max-entries 10000

    next

    config load-balance client-ssl-profile

    edit "test"

    set forward-proxy-certificate-caching 1

    set forward-proxy-local-signing-CA ca1

    set forward-proxy-intermediate-ca-group inter_group

    set backend-ssl-sni-forward enable

    set backend-ssl-customize-ciphers-flag disable

    set backend-ssl-customized-ciphers ECDHE-ECDSA-AES256-GCM-SHA384 (when backend-ssl-customize-ciphers-flag dis enable)

    set backend-ssl-customize-ciphers-flag enable/disable

    set backend-ssl-ciphers DHE-RSA-AES256-SHA DES-CBC3-SHA

    set backend-allow-ssl-versions tlsv1.1 tlsv1.2

    End

    Example 3: Create a client-certificate-verify object and quote it in the client SSL profile

    config load-balance client-sssl-profile

    edit "csp1"

    set ssl-customize-ciphers-flag disable

    set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA

    set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2 set forward-proxy enable

    unset client-certificate-verify

    set forward-proxy-certificate-caching LB_CERT_RAM_CACHING_DEFAULT set forward-proxy-local-signing-CA SSLPROXY_LOCAL_CA

    unset forward-proxy-intermediate-ca-group

    set client-certificate-verify verify

    set client-certificate-verify-option required

    set ssl-session-cache-flag enable

    set use-tls-tickets enable

    set backend-ssl-sni-forward enable

    set backend-ssl-customize-ciphers-flag enable

    set backend-ssl-customized-ciphers test

    set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2

    set ssl-auto-chain-flag-enable

    next

    Previous
    Next