Handbook

Introduction
Chapter 1: What's New
Chapter 2: Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual domains
Chapter 3: Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
Chapter 4: Server Load Balancing
- Server load balancing basics
- Server load balancing configuration overview
- Configuring virtual servers
- Using content rewriting rules
- HSTS and HPKP support
- Configuring content routes
- Using source pools
- Using schedule pools
- Using clone pools
- Configuring Application profiles
- WebSocket load-balancing
- Configuring MSSQL profiles
- Configuring MySQL profiles
- Configuring client SSL profiles
- Configuring HTTP2 profiles
- Configuring load-balancing (LB) methods
- Configuring persistence rules
- Configuring error pages
- Configuring decompression rules
- Configuring Captcha
- Creating a PageSpeed configuration
- Creating PageSpeed profiles
- PageSpeed support and restrictions
- Configuring compression rules
- Compression and decompression
- Configuring caching rules
- Using real server pools
- Configuring real servers
- Configuring real server SSL profiles
- Using scripts
- Configuring an L2 exception list
- Creating a Web Filter Profile configuration
- Using the Web Category tab
- Configuring certificate caching
- TCP multiplexing
Chapter 5: Link Load Balancing
- Link load balancing basics
- Link load balancing configuration overview
- Configuring link policies
- Configuring a link group
- Configuring gateway links
- Configuring persistence rules
- Configuring proximity route settings
- Configuring a virtual tunnel group
Chapter 6: Global Load Balancing
- Global load balancing basics
- Global load balancing configuration overview
- Configuring servers
- Configuring a global load balance link
- Configuring data centers
- Configuring hosts
- Configuring wizard
- Configuring virtual server pools
- Configuring location lists
- Logical Topology
- Configuring a Global DNS policy
- Configuring DNS zones
- Configuring general settings
- Configuring the trust anchor key
- Configuring DNS64
- Configuring the DSSET list
- Configuring an address group
- Configuring remote DNS servers
- Configuring the response rate limit
Chapter 7: Network Security
- Security features basics
- Managing IP Reputation policy settings
- Configure IP reputation exception
- Configure IP reputation block list
- Using the Geo IP block list
- Using the Geo IP whitelist
- Special Geo codes
- Enabling denial of service protection
- Configuring an IPv4 firewall policy
- Configuring an IPv6 firewall policy
- Configuring an IPv4 connection limit policy
- Configuring an IPv6 connection limit policy
- Anti-virus
- Configuring IPS
Chapter 8: DoS Protection
- Configuring DoS Protection Profile
- Configuring HTTP access limit policy
- Configuring HTTP connection flood policy
- Configuring an HTTP request flood policy
- Configuring an IP fragmentation policy
- Configuring a TCP SYN flood protection policy
- Configuring a TCP slow data flood protection policy
Chapter 9: Web Application Firewall
- Web application firewall basics
- Web application firewall configuration overview
- Configuring a WAF Profile
- Configuring an OWASP TOP10 profile
- Configuring WAF Action objects
- Configuring a Web Attack Signature policy
- Configuring a URL Protection policy
- Configuring an Advanced Protection policy
- Configuring an HTTP Protocol Constraint policy
- Configuring CSRF protection
- Configuring brute force attack detection
- Configuring an SQL/XSS Injection Detection policy
- Configuring WAF Exception objects
- Configuring a Bot Detection policy
- Configuring a Credential Stuffing Defense Policy
- Configuring a Cookie Security policy
- Configuring sensitive data protection
- Configuring Cross-Origin Resource Sharing (CORS) protection
- Configuring XML Detection
- Configuring JSON detection
- Importing XML schema
- Uploading WSDL files
- Importing JSON schema
- Configuring OpenAPI Detection
- Importing OpenAPI schema
- Configuring API Gateway
- Configuring Input Validation
- Web Vulnerability Scanner
  - WVS Profile
  - WVS Login
  - WVS Exceptions
  - Scan History
  - Scan Integration
- Web Anti-Defacement
Chapter 10: User Authentication
- Configuring AD FS Proxy
- Configuring authentication policies
- Configuring user groups
- Configuring customized authentication form
- Using the local authentication server
- Using an LDAP authentication server
- Using a RADIUS authentication server
- Configuring Duo authentication server support
- Configuring an NTLM authentication server
- Using Kerberos Authentication Relay
- Two-factor authentication
- OAuth 2.0 authentication
- Using HTTP Basic SSO
- SAML and SSO
  - Configure a SAML service provider
  - Import IDP Metadata
Chapter 11: Shared Resources
- Configuring health checks
- Configuring health check monitor
- Creating schedule groups
- Creating IP address objects
- Configuring address groups
- Creating IPv6 address objects
- Configuring address groups
- Managing the ISP address books
- Creating service objects
- Creating service groups
- Configuring WCCP
Chapter 12: Basic Networking
- Configuring network interfaces
- Configuring management interface
- Linking VDOMs for inter-VDOM routing
- Configuring static routes
- Configuring policy routes
Chapter 13: System Management
- Configuring basic system settings
- Configuring system time
- Configuring pre-login disclaimer messages
- Updating firmware
- Configuring an SMTP mail server
- Connecting to FortiGuard services
- Configuring FortiGuard service settings
- Pushing/pulling configurations
- Backing up and restoring the configuration
- SCP support for configuration backup
- Rebooting, resetting, and shutting down the system
- Create a traffic group
- Manage administrator users
  - Create administrator users
  - Configure access profiles
  - Enable password policies
- Configuring SNMP
  - Download SNMP MIBs
  - Configure SNMP threshold
  - Configure SNMP v1/v2
  - Configure SNMP v3
- Managing and validating certificates
  - Generating a certificate signing request
  - Creating a local certificate group
  - Importing intermediate CAs
  - Creating an intermediate CA group
  - OCSP stapling
- Validating certificates
  - Importing CRLs
  - Adding OCSPs
  - Importing OCSP signing certificates
  - Importing CAs
  - Creating a CA group
- Configuring SNMP trap servers
- Configuring an email alert object
- Configuring a syslog object
- HSM Integration
Chapter 14: Logging and Reporting
- Using the event log
- Using the security log
- Using the traffic log
- Using the script log
- Configuring local log settings
- Configuring syslog settings
- Configuring fast stats log settings
- Configuring report email
- Configuring reports
- Configuring report queries
- Configuring fast reports
- Display logs via CLI
Chapter 15: High Availability Deployments
- HA feature overview
- HA system requirements
- HA synchronization
- Configuring HA settings
- Monitoring an HA cluster
- Updating firmware for an HA cluster
- Deploying an active-passive cluster
- Deploying an active-active cluster
- Advantages of HA Active-Active-VRRP
- Deploying an active-active-VRRP cluster
Chapter 16: Virtual Domains
- Virtual domain basics
- Enabling the virtual domain feature
- Creating a virtual domain
- Assigning network interfaces and admin users to VDOMs
- Virtual domain policies
- Disabling a virtual domain
Chapter 17: SSL Offloading
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
Chapter 18: Advanced Networking
- NAT
  - Configure source NAT
  - Configuring 1-to-1 NAT
- QoS
- OSPF
- ISP Routes
  - Reverse path route caching
- BGP
- Access list vs. prefix list
- Configuring an IPv4 access list
- Configuring an IPv6 access list
- Configuring an IPv4 prefix list
- Configuring an IPv6 prefix list
- Transparent mode
Chapter 19: Best Practices and Fine-tuning
- Regular backups
- Security
- Performance tips
- High availability
Chapter 20: Troubleshooting
- Logs
- Tools
- Save debug file
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Chapter 21: System Dashboard
- Widgets
- Dashboard management tools
Chapter 22: FortiView
- Physical Topology
- HA Status
- Server Load Balance
- Link Load Balance
  - Logical Topology
  - Link Group
- Global Load Balance
  - Logical Topology
  - Host
- Security
- All Segments
Chapter 23: Security Fabric
- Automation
- Fabric connectors
- External connectors
Appendix A: Fortinet MIBs
Appendix B: Port Numbers
Appendix C: Scripts
- Events and actions
- Predefined scripts
- Predefined Commands
- Control structures
- Operators
- String library
- Special characters
- Examples
Appendix D: Maximum Configuration Values
Change Log

Home FortiADC 6.2.6 Handbook

6.2.6

Configuring client SSL profiles

A client SSL profile is used to manage the SSL session between the client and the proxy. It allows FortiADC to accept and terminate client requests sent via the SSL protocol. The Client SSL Profile page provides the settings for configuring client-side SSL connections, and displays all the client SSL profiles that have been configured on the system.

Before you begin creating a client SSL profile:

You must have already created configuration objects for certificates, certificate caching, and certificate verify if you want to include them in the profile.
You must have Read-Write permission for Load Balance settings.

To configure custom profiles:

Go to Server Load Balance > Application Resources. Click the Client SSL Profile tab.
Click Create New to display the configuration editor.
Complete the configuration as described in Client SSL profile configuration guidelines.
Save the configuration.

You can clone a predefined client SSL profile to help you get started with a user-defined configuration.

To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.

Client SSL profile configuration guidelines
Type	Profile Configuration Guidelines
Name	Specify a unique name for the client SSL profile.
Customized SSL Ciphers Flag	Enable or disable the use of user-specified cipher suites. If enabled, you must specify a colon-separated, ordered list of a customized SSL cipher suites. See below.
Customized SSL Ciphers	Available only when the Customized SSL Cipher Flag is enabled (see above). Specify a colon-separated, ordered list of a customized SSL cipher suites. Note: FortiADC will use the default SSL cipher suite if the field is left empty.
SSL Ciphers	Ciphers are listed from strongest to weakest: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-CAMELLIA256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-CAMELLIA256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-CAMELLIA128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-CAMELLIA128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA eNULL Note: We recommend retaining the default list. If necessary, you can deselect the SSL ciphers that you do not want to support.
TLSv1.3 Cipher Suite List	TLSv1.3 ciphers are listed as following: TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 Note: This option only available if the TLSv1.3 is checked.
Allowed SSL Versions	You have the following options: SSLv3 TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3 We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started. Please make sure that the SSL versions are continuous. IF not, an error message should be returned.
Client Certificate Verify	Select the client certificate verify configuration object.
Client Certificate Verify Mode	Available only when the Client Certificate Verify is selected. Required by default.
SSL Session Cache Flag	Allows to the same SSL client attempts to reconnect to this SSL server and requests a resumption of a previous SSL session. Note: This feature doesn’t support TLSv1.3
Use TLS Tickets	Allows resuming TLS sessions by storing key material encrypted on the clients. Note: This feature doesn’t support TLSv1.3
Client Certificate Forward	Disabled by default. When enabled, you must specify the client certificate forward header. See below.
Client Certificate Forward Header	When Client Certificate Forward is enabled (see above), specify the client certificate forward header.
Forward Proxy	By default, (SSL) Forward Proxy is disabled. When enabled, you'll have to configure additional settings noted below.
Client SNI Required	Require clients to use the TLS server name indication (SNI) extension to include the server hostname in the TLS client hello message. Then, the FortiADC system can select the appropriate local server certificate to present to the client.
Local Certificate Group	Select a local certificate group that includes the certificates this virtual server presents to SSL/TLS clients. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Manage certificates.
Reject OCSP Stapling with Missing Nextupdate	This flag is meaningful only when you have configured OCSP stapling in Local Certificate Group. By default, this option is disabled (unselected). In that case, FortiADC accepts all OCSP responses, including those in which the next update field is not set. If enabled, and the next update field is not set in an OCSP stapling response, FortiADC will not load this OCSP stapling response or present it to clients during the SSL/TLS handshake.
Renegotiation	Enable or disable SSL renegotiation from the client side. Note: The feature is disabled by default. When enabled, you must configure the options below.
Renegotiation Interval	Specify the minimum interval between two successive client-initiated SSL renegotiation requests. The unit of measurement can be second, minute, or hour, e.g., 100s, 20m, or 1h. Note: The default is -1, which disables the function. 0 means ‘Indefinite’. FortiADC will terminate the connection once the threshold is exceeded.
SSL DH Parameter Size	Specify the pubkey length in Diffie Hellman. Default is 1024.
SSL Renegotiate Period	Specify the period in second (default), minute, or hour at which FortiADC will initiate SSL renegotiation. Note: The default is 0, which disables the function.
SSL Renegotiate Size	Specify the amount (MB) of application data that must have been transmitted over the SSL connection whenFortiADC initiates SSL renegotiation. Note: The default is 0, which disables the function.
Secure Renegotiation	Select one of the following: Request—FortiADC requests secure renegotiation of SSL connections. Require—(Default) Specifies thatFortiADC requires secure renegotiation of SSL connections. In this mode, FortiADC permits initial SSL handshakes from clients, but terminates renegotiation requests from clients that do not support secure renegotiation. Require Strict—FortiADC requires strict secure renegotiation of SSL connections. In this mode, FortiADC denies initial SSL handshakes from clients that do not support secure renegotiation.
Dynamic record sizing	Allows ADC to dynamically adjust the size of TLS records based on the state of the connection, in order to prevent bottlenecks caused by the buffering of TLS record fragments. Note: The feature is disabled by default.
Note: The following fields become available only when Forward Proxy is enabled.
Forward Proxy Certificate Caching	Select a Forward Proxy Certificate Caching rule.
Forward Proxy Local Signing CA	Select a Forward Proxy Local Signing CA.
Forward Proxy Intermediate CA Group	Select a Forward Proxy Intermediate CA Group.
Backend SSL SNI Forward	Disabled by default. Enable it to let FortiADC forward Server Name Indication (SNI) from the client to the back end.
Backend Customized SSL Ciphers Flag	Enabled by default. In this case, you must specify the backend customized SS ciphers. See below.
Backend Customized SSL Ciphers	Specify the customized SSL ciphers to be supported at the back end.
Backend SSL Cipher Suite List	Select the cipher from the list to be supported at the back end.
Backend TLSv1.3 Cipher Suite List	TLSv1.3 ciphers are listed as following: TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256 Note: This option only available if the backendTLSv1.3 is checked.
Backend Allowed SSL Versions	We recommend retaining the default list. If necessary, you can deselect SSL versions you do not want to support. Note: FortiADC does not support session reuse for SSLv2 at the client side. Instead, a new SSL session is started.
Backend SSL OCSP Stapling Support	Disabled by default. Enable it to let FortiADC support OCSP stapling at the backend.