Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.4.4 Handbook
    7.4.4
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring real server SSL profiles

    Configuring real server SSL profiles

    A real server SSL profile determines settings used in network communication on the FortiADC-server segment, in contrast to a virtual server profile, which determines the settings used in network communication on the client-FortiADC segment.

    SSL profiles illustrates the basic idea of client-side and server-side profiles.

    SSL profiles

    Predefined real server profiles provides a summary of the predefined profiles. You can select predefined profiles in the real server pool configuration, or you can create user-defined profiles.

    Predefined real server profiles
    Profile Defaults
    LB_RS_SSL_PROF_DEFAULT
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
    • Cipher suite list: custom
    LB_RS_SSL_PROF_ECDSA
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-RC4-SHA,ECDHE-ECDSA-DES-CBC3-SHA,
    LB_RS_SSL_PROF_ECDSA_SSLV3
    • Allow version: SSLv3
    • Cipher suite list: ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-RC4-SHA,ECDHE-ECDSA-DES-CBC3-SHA,
    LB_RS_SSL_PROF_ECDSA_TLS12
    • Allow version: TLSv1.2
    • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,
    LB_RS_SSL_PROF_ENULL
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: eNull

    Recommended for Microsoft Direct Access servers where the application data is already encrypted and no more encryption is needed.
    LB_RS_SSL_PROF_HIGH
    • Allow version TLSv1.2
    • Cipher suite list: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 AES256-GCM-SHA384 AES256-SHA256,
    LB_RS_SSL_PROF_LOW_SSLV3
    • Allow version SSLv3
    • Cipher suite list: DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
    LB_RS_SSL_PROF_MEDIUM
    • Allow version: TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
    NONE
    • SSL is disabled.
    Before you begin:
    • You must have Read-Write permission for Load Balance settings.
    To configure custom real server profiles:
    1. Go to Server Load Balance > Real Server Pool.
    2. Click the Server SSL tab.
    3. Click Create New to display the configuration editor.
    4. Complete the configuration as described in Real Server SSL Profile configuration guidelines.
    5. Save the configuration.

    You can clone a predefined configuration object to help you get started with a user-defined configuration.

    To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.

    Real Server SSL Profile configuration guidelines
    Settings Guidelines
    Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the real server pool configuration.

    Note: After you initially save the configuration, you cannot edit the name.
    SSL

    Enable/disable SSL for the connection between the FortiADC and the real server.
    Note: The following fields become available only when SSL is enabled. See above.

    Customized SSL Ciphers Flag

    Enable/disable use of user-specified cipher suites. When enabled, you must select a Customized SSL Cipher. See below.

    Customized SSL Ciphers

    If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites.

    An empty string is allowed. If empty, the default cipher suite list is used.

    The names you enter are validated against the form of the cipher suite short names published on the OpenSSL website:

    https://www.openssl.org/docs/manprimary/apps/ciphers.html

    SSL Cipher Suite List

    Ciphers are listed from strongest to weakest:

    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-SHA384

    • ECDHE-ECDSA-CAMELLIA256-SHA384

    • *ECDHE-ECDSA-AES256-SHA
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • *ECDHE-ECDSA-AES128-SHA256

    • ECDHE-ECDSA-CAMELLIA128-SHA256

    • *ECDHE-ECDSA-AES128-SHA
    • ECDHE-ECDSA-DES-CBC3-SHA
    • ECDHE-ECDSA-RC4-SHA
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-SHA384

    • ECDHE-RSA-CAMELLIA256-SHA384

    • *ECDHE-RSA-AES256-SHA
    • DHE-RSA-AES256-GCM-SHA384
    • *DHE-RSA-AES256-SHA256

    • DHE-RSA-CAMELLIA256-SHA256

    • *DHE-RSA-AES256-SHA

    • DHE-RSA-CAMELLIA256-SHA

    • AES256-GCM-SHA384
    • *AES256-SHA256
    • *AES256-SHA
    • ECDHE-RSA-AES128-GCM-SHA256
    • *ECDHE-RSA-AES128-SHA256

    • ECDHE-RSA-CAMELLIA128-SHA256

    • *ECDHE-RSA-AES128-SHA
    • DHE-RSA-AES128-GCM-SHA256
    • *DHE-RSA-AES128-SHA256

    • DHE-RSA-CAMELLIA128-SHA256

    • *DHE-RSA-AES128-SHA
    • AES128-GCM-SHA256
    • *AES128-SHA256
    • *AES128-SHA
    • ECDHE-RSA-RC4-SHA
    • RC4-SHA
    • RC4-MD5
    • ECDHE-RSA-DES-CBC3-SHA
    • EDH-RSA-DES-CBC3-SHA
    • DES-CBC3-SHA
    • EDH-RSA-DES-CBC-SHA
    • DES-CBC-SHA
    • eNULL

    *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).

    Note: We recommend retaining the default list. If necessary, you can deselect the SSL ciphers that you do not want to support.

    TLSv1.3 Cipher Suite List

    TLSv1.3 ciphers are listed as following:

    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_128_CCM_SHA256
    • TLS_AES_128_CCM_8_SHA256

    Note: This option only available if the TLSv1.3 is checked.
    Allowed SSL Versions

    You have the following options:

    • SSLv3
    • TLSv1.0
    • TLSv1.1
    • TLSv1.2
    • TLSv1.3

    Note:

    • Please make sure that the SSL version is continuous. If not, an error message should be returned.

    • RFC 7919 Comply cannot support SSLv3 and TLS 1.3. If RFC 7919 Comply is enabled and SSLv3 or TLSv1.3 is selected in Allowed SSL Versions, an error message will display.
    Certificate Verify Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and may include OCSP and CRL checks.

    Local Certificate

    Select a local certificate object. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Manage Certificates.
    SNI Forward Flag Enable/disable forwarding the client SNI value to the server. The SNI value will be forwarded to the real server only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded.
    Session Reuse Flag Enable/disable SSL session reuse.
    Session Reuse Limit The default is 0 (disabled). The valid range is 0-1048576.
    TLS Ticket Flag Enable/disable TLS ticket-based session reuse.
    Renegotiation

    This option controls how FortiADC responds to mid-stream SSL reconnection requests either initiated by real servers or forced by FortiADC.

    Note:

    • This option is enabled by default.
    • When disabled, you must select an option for Renegotiation-Deny-Action.
    Renegotiation Period

    Specify the interval from the initial connect time that FortiADC renegotiates an SSL session. The unit of measurement can be second (default), minute, or hour, e.g., 100s, 20m, or 1h.

    Note:

    • The default is 0, which disables the function.
    • If a custom value is set, FortiADC will renegotiate the SSL session accordingly. For example, if you set the renegotiate period to 3600s (or 3600, 60m, or 1h), FortiADC will renegotiate the SSL session at least once an hour.
    Renegotiate Size

    Specify the amount (in MB) of application data that must have been transmitted over the secure connection before FortiADC initiates the renegotiation of an SSL session.

    Note: The default is 0, which disables the function.

    Secure Renegotiation

    Select one of the following options:

    • RequestFortiADC requests secure renegotiation of SSL connections.
    • RequireFortiADC requires secure renegotiation of SSL connections. In this mode, FortiADC allows initial SSL handshakes from real servers, but terminates renegotiation from real servers that do not support secure renegotiation.
    • Require StrictFortiADC requires strict secure renegotiation of SSL connections. In this mode, FortiADC denies initial SSL handshakes from real servers that do not support secure renegotiation.
    Renegotiation-Deny-Action

    This option becomes available when Renegotiation is disabled on the server side. In that case, you must select an action that FortiADC will take when denying an SSL renegotiation request:

    • Ignore (default)—Ignores SSL renegotiation requests.
    • Terminate— Terminates SSL connections.

    RFC 7919 Comply

    Enable/disable parameters to comply with RFC 7919.

    Note: RFC 7919 Comply cannot support SSLv3 and TLS 1.3. If RFC 7919 Comply is enabled and SSLv3 or TLSv1.3 is selected in Allowed SSL Versions, an error message will display.

    Supported Groups

    The Supported Groups option is available if RFC 7919 Comply is enabled.

    Specify the supported group objects from the following:

    • secp256r1

    • secp384r1

    • secp521r1

    • x25519

    • x448

    • ffdhe2048

    • ffdhe3072

    • ffdhe4096

    • ffdhe6144

    • ffdhe8192

    At least one item from the FFDHE group must be selected.

    Note:

    The RFC 7919 Comply feature requires certain cipher selections to correspond with the Supported Group selection.

    • If a FFDHE group is selected (for example, ffdhe2048), then at least one cipher must be DHE-RSA (for example, DHE-RSA-AES256-SHA256).

    • If the Supported Group includes groups other than FFDHE (such as a SECP group, secp256r1), then at least one cipher must be ECDHE (for example, ECDHE-ECDSA-AES256-GCM-SHA384).

    • If a ECDHE cipher is selected (for example, ECDHE-ECDSA-AES256-GCM-SHA384), then the Supported Group must include at least one group that is not FFDHE (such as a SECP group, secp256r1).
    Previous
    Next

    Configuring real server SSL profiles

    Configuring real server SSL profiles

    A real server SSL profile determines settings used in network communication on the FortiADC-server segment, in contrast to a virtual server profile, which determines the settings used in network communication on the client-FortiADC segment.

    SSL profiles illustrates the basic idea of client-side and server-side profiles.

    SSL profiles

    Predefined real server profiles provides a summary of the predefined profiles. You can select predefined profiles in the real server pool configuration, or you can create user-defined profiles.

    Predefined real server profiles
    Profile Defaults
    LB_RS_SSL_PROF_DEFAULT
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
    • Cipher suite list: custom
    LB_RS_SSL_PROF_ECDSA
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-RC4-SHA,ECDHE-ECDSA-DES-CBC3-SHA,
    LB_RS_SSL_PROF_ECDSA_SSLV3
    • Allow version: SSLv3
    • Cipher suite list: ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA,ECDHE-ECDSA-RC4-SHA,ECDHE-ECDSA-DES-CBC3-SHA,
    LB_RS_SSL_PROF_ECDSA_TLS12
    • Allow version: TLSv1.2
    • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA256,
    LB_RS_SSL_PROF_ENULL
    • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: eNull

    Recommended for Microsoft Direct Access servers where the application data is already encrypted and no more encryption is needed.
    LB_RS_SSL_PROF_HIGH
    • Allow version TLSv1.2
    • Cipher suite list: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 AES256-GCM-SHA384 AES256-SHA256,
    LB_RS_SSL_PROF_LOW_SSLV3
    • Allow version SSLv3
    • Cipher suite list: DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
    LB_RS_SSL_PROF_MEDIUM
    • Allow version: TLSv1.0, TLSv1.1, and TLSv1.2
    • Cipher suite list: ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA
    NONE
    • SSL is disabled.
    Before you begin:
    • You must have Read-Write permission for Load Balance settings.
    To configure custom real server profiles:
    1. Go to Server Load Balance > Real Server Pool.
    2. Click the Server SSL tab.
    3. Click Create New to display the configuration editor.
    4. Complete the configuration as described in Real Server SSL Profile configuration guidelines.
    5. Save the configuration.

    You can clone a predefined configuration object to help you get started with a user-defined configuration.

    To clone a configuration object, click the clone icon that appears in the tools column on the configuration summary page.

    Real Server SSL Profile configuration guidelines
    Settings Guidelines
    Name Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. You reference this name in the real server pool configuration.

    Note: After you initially save the configuration, you cannot edit the name.
    SSL

    Enable/disable SSL for the connection between the FortiADC and the real server.
    Note: The following fields become available only when SSL is enabled. See above.

    Customized SSL Ciphers Flag

    Enable/disable use of user-specified cipher suites. When enabled, you must select a Customized SSL Cipher. See below.

    Customized SSL Ciphers

    If the customize cipher flag is enabled, specify a colon-separated, ordered list of cipher suites.

    An empty string is allowed. If empty, the default cipher suite list is used.

    The names you enter are validated against the form of the cipher suite short names published on the OpenSSL website:

    https://www.openssl.org/docs/manprimary/apps/ciphers.html

    SSL Cipher Suite List

    Ciphers are listed from strongest to weakest:

    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-SHA384

    • ECDHE-ECDSA-CAMELLIA256-SHA384

    • *ECDHE-ECDSA-AES256-SHA
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • *ECDHE-ECDSA-AES128-SHA256

    • ECDHE-ECDSA-CAMELLIA128-SHA256

    • *ECDHE-ECDSA-AES128-SHA
    • ECDHE-ECDSA-DES-CBC3-SHA
    • ECDHE-ECDSA-RC4-SHA
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-SHA384

    • ECDHE-RSA-CAMELLIA256-SHA384

    • *ECDHE-RSA-AES256-SHA
    • DHE-RSA-AES256-GCM-SHA384
    • *DHE-RSA-AES256-SHA256

    • DHE-RSA-CAMELLIA256-SHA256

    • *DHE-RSA-AES256-SHA

    • DHE-RSA-CAMELLIA256-SHA

    • AES256-GCM-SHA384
    • *AES256-SHA256
    • *AES256-SHA
    • ECDHE-RSA-AES128-GCM-SHA256
    • *ECDHE-RSA-AES128-SHA256

    • ECDHE-RSA-CAMELLIA128-SHA256

    • *ECDHE-RSA-AES128-SHA
    • DHE-RSA-AES128-GCM-SHA256
    • *DHE-RSA-AES128-SHA256

    • DHE-RSA-CAMELLIA128-SHA256

    • *DHE-RSA-AES128-SHA
    • AES128-GCM-SHA256
    • *AES128-SHA256
    • *AES128-SHA
    • ECDHE-RSA-RC4-SHA
    • RC4-SHA
    • RC4-MD5
    • ECDHE-RSA-DES-CBC3-SHA
    • EDH-RSA-DES-CBC3-SHA
    • DES-CBC3-SHA
    • EDH-RSA-DES-CBC-SHA
    • DES-CBC-SHA
    • eNULL

    *These ciphers are fully supported by hardware SSL (in 400F, 1200F, 2200F, 4200F and 5000F).

    Note: We recommend retaining the default list. If necessary, you can deselect the SSL ciphers that you do not want to support.

    TLSv1.3 Cipher Suite List

    TLSv1.3 ciphers are listed as following:

    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_128_CCM_SHA256
    • TLS_AES_128_CCM_8_SHA256

    Note: This option only available if the TLSv1.3 is checked.
    Allowed SSL Versions

    You have the following options:

    • SSLv3
    • TLSv1.0
    • TLSv1.1
    • TLSv1.2
    • TLSv1.3

    Note:

    • Please make sure that the SSL version is continuous. If not, an error message should be returned.

    • RFC 7919 Comply cannot support SSLv3 and TLS 1.3. If RFC 7919 Comply is enabled and SSLv3 or TLSv1.3 is selected in Allowed SSL Versions, an error message will display.
    Certificate Verify Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and may include OCSP and CRL checks.

    Local Certificate

    Select a local certificate object. This should be the backend servers' certificate, NOT the appliance's GUI web server certificate. See Manage Certificates.
    SNI Forward Flag Enable/disable forwarding the client SNI value to the server. The SNI value will be forwarded to the real server only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded.
    Session Reuse Flag Enable/disable SSL session reuse.
    Session Reuse Limit The default is 0 (disabled). The valid range is 0-1048576.
    TLS Ticket Flag Enable/disable TLS ticket-based session reuse.
    Renegotiation

    This option controls how FortiADC responds to mid-stream SSL reconnection requests either initiated by real servers or forced by FortiADC.

    Note:

    • This option is enabled by default.
    • When disabled, you must select an option for Renegotiation-Deny-Action.
    Renegotiation Period

    Specify the interval from the initial connect time that FortiADC renegotiates an SSL session. The unit of measurement can be second (default), minute, or hour, e.g., 100s, 20m, or 1h.

    Note:

    • The default is 0, which disables the function.
    • If a custom value is set, FortiADC will renegotiate the SSL session accordingly. For example, if you set the renegotiate period to 3600s (or 3600, 60m, or 1h), FortiADC will renegotiate the SSL session at least once an hour.
    Renegotiate Size

    Specify the amount (in MB) of application data that must have been transmitted over the secure connection before FortiADC initiates the renegotiation of an SSL session.

    Note: The default is 0, which disables the function.

    Secure Renegotiation

    Select one of the following options:

    • RequestFortiADC requests secure renegotiation of SSL connections.
    • RequireFortiADC requires secure renegotiation of SSL connections. In this mode, FortiADC allows initial SSL handshakes from real servers, but terminates renegotiation from real servers that do not support secure renegotiation.
    • Require StrictFortiADC requires strict secure renegotiation of SSL connections. In this mode, FortiADC denies initial SSL handshakes from real servers that do not support secure renegotiation.
    Renegotiation-Deny-Action

    This option becomes available when Renegotiation is disabled on the server side. In that case, you must select an action that FortiADC will take when denying an SSL renegotiation request:

    • Ignore (default)—Ignores SSL renegotiation requests.
    • Terminate— Terminates SSL connections.

    RFC 7919 Comply

    Enable/disable parameters to comply with RFC 7919.

    Note: RFC 7919 Comply cannot support SSLv3 and TLS 1.3. If RFC 7919 Comply is enabled and SSLv3 or TLSv1.3 is selected in Allowed SSL Versions, an error message will display.

    Supported Groups

    The Supported Groups option is available if RFC 7919 Comply is enabled.

    Specify the supported group objects from the following:

    • secp256r1

    • secp384r1

    • secp521r1

    • x25519

    • x448

    • ffdhe2048

    • ffdhe3072

    • ffdhe4096

    • ffdhe6144

    • ffdhe8192

    At least one item from the FFDHE group must be selected.

    Note:

    The RFC 7919 Comply feature requires certain cipher selections to correspond with the Supported Group selection.

    • If a FFDHE group is selected (for example, ffdhe2048), then at least one cipher must be DHE-RSA (for example, DHE-RSA-AES256-SHA256).

    • If the Supported Group includes groups other than FFDHE (such as a SECP group, secp256r1), then at least one cipher must be ECDHE (for example, ECDHE-ECDSA-AES256-GCM-SHA384).

    • If a ECDHE cipher is selected (for example, ECDHE-ECDSA-AES256-GCM-SHA384), then the Supported Group must include at least one group that is not FFDHE (such as a SECP group, secp256r1).
    Previous
    Next