config load-balance real-server-ssl-profile
Use this command to configure real server profiles. A real server profile determines settings used in network communication on the FortiADC-server segment, in contrast to a virtual server profile, which determines the settings used in network communication on the client-FortiADC segment.
Table 12 provides a summary of the predefined profiles. You can select predefined profiles in the real server configuration, or you can create user-defined profiles.
Profile | Defaults |
---|---|
LB_RS_SSL_PROF_DEFAULT | |
LB_RS_SSL_PROF_ECDSA | |
LB_RS_SSL_PROF_ECDSA_SSLV3 | |
LB_RS_SSL_PROF_ECDSA_TLS12 | |
LB_RS_SSL_PROF_ENULL | Recommended for Microsoft Direct Access servers where the application data is already encrypted and no further encryption is needed. |
LB_RS_SSL_PROF_HIGH | |
LB_RS_SSL_PROF_LOW_SSLV3 | |
LB_RS_SSL_PROF_MEDIUM | |
LB_RS_SSL_PROF_NONE | SSL is disabled. |
Before you begin:
- You must have read-write permission for load balance settings.
Syntax
config load-balance real-server-ssl-profile
edit <name>
set ssl {enable|disable}
set allow-ssl-versions {sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3}
set server-cert-verify <datasource>
set ssl-ciphers {ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL }
set ssl-customize-ciphers-flag {enable|disable}
set ssl-customized-ciphers <string>
set ssl-session-reuse {enable|disable}
set ssl-session-reuse-limit <integer>
set ssl-sni-forward {enable|disable}
set ssl-tls-ticket-reuse {enable|disable}
set server-OCSP-stapling-support {enable|disable}
set rfc7919-comply {enable|disable}
set supported-groups {secp256r1 secp384r1 secp521r1 x25519 x448 ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192}
next
end
Parameter | Description |
---|---|
ssl | Enable/disable SSL for the connection between the FortiADC and the real server. |
allow-ssl-versions | Specify a space-separated list of allowed SSL versions. Note: |
server-cert-verify | Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and can include OCSP and CRL checks. |
ssl-ciphers | Specify the supported SSL ciphers in a space-separated list. Ciphers are listed from strongest to weakest: *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F). |
ssl-customize-ciphers-flag | Enable/disable use of user-specified cipher suites. |
ssl-customized-ciphers | If ssl-customize-ciphers-flag is enabled, specify a colon-separated, ordered list of cipher suites. An empty string is allowed; if empty, the default cipher suite list is used. |
ssl-session-reuse | Enable/disable SSL session reuse. |
ssl-session-reuse-limit | The default is 0 (disabled). The valid range is 0-1048576. |
ssl-sni-forward | Enable/disable forwarding the client SNI value to the server. The SNI value is forwarded to the real server only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded. |
ssl-tls-ticket-reuse | Enable/disable TLS ticket-based session reuse. |
server-OCSP-stapling-support | Enable/disable server OCSP stapling support. Note: This setting takes effect only when server certificate verification (server-cert-verify) is enabled. |
rfc7919-comply | Enable/disable parameters to comply with RFC 7919. Note: |
supported-groups | The supported-groups option is available only if rfc7919-comply is enabled. Specify the supported group objects from the following: At least one item from the FFDHE group must be selected. Note: The RFC 7919 Comply feature requires certain cipher selections to correspond with the Supported Group selection. |
Example
FortiADC-VM # config load-balance real-server-ssl-profile
FortiADC-VM (real-server-ss~-) # get
== [ LB_RS_SSL_PROF_NONE ]
== [ LB_RS_SSL_PROF_LOW_SSLV2 ]
== [ LB_RS_SSL_PROF_LOW_SSLV3 ]
== [ LB_RS_SSL_PROF_MEDIUM ]
== [ LB_RS_SSL_PROF_HIGH ]
== [ LB_RS_SSL_PROF_ECDSA ]
== [ LB_RS_SSL_PROF_ECDSA_SSLV3 ]
== [ LB_RS_SSL_PROF_ECDSA_TLS12 ]
== [ LB_RS_SSL_PROF_ENULL ]
== [ LB_RS_SSL_PROF_DEFAULT ]
FortiADC-VM (real-server-ss~-) # edit RS-SSL-PROFILE-USER-DEFINED
Add new entry 'RS-SSL-PROFILE-USER-DEFINED' for node 3862
FortiADC-VM (RS-SSL-PROFILE~U) # set ssl enable
FortiADC-VM (RS-SSL-PROFILE~U) # get
ssl : enable
server-cert-verify :
ssl-sni-forward : disable
ssl-session-reuse : disable
ssl-customize-ciphers-flag : disable
ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
FortiADC-VM (RS-SSL-PROFILE~U) # set ssl-session-reuse enable
FortiADC-VM (RS-SSL-PROFILE~U) # set allow-ssl-versions tlsv1.2
FortiADC-VM (RS-SSL-PROFILE~U) # end
FortiADC-VM #
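The parameter table above states several constraints (the colon-separated form of ssl-customized-ciphers and when it applies, the 0-1048576 range of ssl-session-reuse-limit, the FFDHE requirement when rfc7919-comply is enabled), and the Example shows the "key : value" format that `get` prints inside a profile entry. The following is an added example, not FortiADC code, that parses that `get` output and audits a profile against those constraints, plus a defender's heuristic that flags legacy protocol versions and RC4/DES/MD5/eNULL ciphers. The two sample dumps are constructed (the first mirrors the defaults shown in the Example; CA_VERIFY_BACKEND in the second is a hypothetical Certificate Verify object name).

```python
"""Audit a FortiADC real-server SSL profile from its CLI `get` output.

Added example, not FortiADC code. Parses 'key : value' lines as printed by
`get` inside a real-server-ssl-profile entry and checks them against the
constraints documented on this page, plus a weak-setting heuristic.
"""
import re

# Cipher names the page lists as selectable for ssl-ciphers.
SUPPORTED_CIPHERS = set("""
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256
AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA
ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL
""".split())

FFDHE_GROUPS = {"ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192"}
SESSION_REUSE_LIMIT_MAX = 1048576  # valid range 0-1048576 per the parameter table

# Audit heuristics (our assumption, not FortiADC policy): protocol versions and
# cipher-name fragments a server-side profile should not offer.
LEGACY_VERSIONS = {"sslv3", "tlsv1.0", "tlsv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "MD5", "eNULL")


def parse_profile(dump: str) -> dict:
    """Turn `get` output ('key : value' per line) into a dict of raw strings."""
    profile = {}
    for line in dump.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            profile[m.group(1)] = m.group(2)
    return profile


def active_ciphers(profile: dict) -> list:
    """Return the cipher list actually in effect: the colon-separated
    ssl-customized-ciphers only when ssl-customize-ciphers-flag is enabled
    and the string is non-empty, otherwise the space-separated ssl-ciphers."""
    if profile.get("ssl-customize-ciphers-flag") == "enable":
        custom = [c for c in profile.get("ssl-customized-ciphers", "").split(":") if c]
        if custom:
            return custom
    return profile.get("ssl-ciphers", "").split()


def audit_profile(profile: dict) -> list:
    """Return a list of finding strings; an empty list means no issues found."""
    findings = []
    if profile.get("ssl") != "enable":
        # Legitimate for LB_RS_SSL_PROF_NONE, but worth surfacing for review.
        return ["ssl is disabled: FortiADC-to-server traffic is not encrypted by this profile"]

    for v in sorted(set(profile.get("allow-ssl-versions", "").split()) & LEGACY_VERSIONS):
        findings.append(f"legacy protocol {v} allowed")

    for c in active_ciphers(profile):
        if c not in SUPPORTED_CIPHERS:
            findings.append(f"unknown cipher name {c}")
        elif any(marker in c for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher {c}")

    limit = profile.get("ssl-session-reuse-limit")
    if limit is not None and not (limit.isdigit() and int(limit) <= SESSION_REUSE_LIMIT_MAX):
        findings.append(f"ssl-session-reuse-limit {limit!r} outside 0-{SESSION_REUSE_LIMIT_MAX}")

    if profile.get("rfc7919-comply") == "enable":
        groups = set(profile.get("supported-groups", "").split())
        if not groups & FFDHE_GROUPS:
            findings.append("rfc7919-comply is enabled but no ffdhe* group is selected")

    if not profile.get("server-cert-verify"):
        findings.append("server-cert-verify is empty: real server certificates are not validated")
    return findings


# Constructed sample 1: the defaults that `get` shows in the Example above.
DEFAULT_DUMP = """\
ssl : enable
server-cert-verify :
ssl-sni-forward : disable
ssl-session-reuse : disable
ssl-customize-ciphers-flag : disable
ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
"""

# Constructed sample 2: a hardened user-defined profile. CA_VERIFY_BACKEND is a
# hypothetical Certificate Verify object name, not one from the page.
HARDENED_DUMP = """\
ssl : enable
server-cert-verify : CA_VERIFY_BACKEND
ssl-sni-forward : enable
ssl-session-reuse : enable
ssl-session-reuse-limit : 1024
ssl-customize-ciphers-flag : enable
ssl-customized-ciphers : ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
allow-ssl-versions : tlsv1.2 tlsv1.3
rfc7919-comply : enable
supported-groups : x25519 secp256r1 ffdhe3072
"""

if __name__ == "__main__":
    for name, dump in (("defaults", DEFAULT_DUMP), ("hardened", HARDENED_DUMP)):
        print(name, audit_profile(parse_profile(dump)) or ["no findings"])
```

Run against the default dump, the audit reports the three legacy protocol versions, the six RC4/DES ciphers in the default list, and the empty server-cert-verify; the hardened dump produces no findings. The hardware-SSL note in the table is not modelled, since the page does not say which ciphers it covers.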