CLI Reference

firewall {vip | vip6}

Configure firewall virtual IPs (VIPs) and their associated addresses and port mappings (NAT). Use VIPs to configure destination NAT and server load balancing.

For information about FortiOS Firewall VIPs in general, see Virtual IPs. For information about server load balancing with FortiOS Firewall VIPs, see Server Load Balancing.

Proxy mode is required for persistence, HTTP Multiplexing, SSL offloading and other advanced HTTP and SSL features.

Note: SSL server types are not available on all FortiGate models.

config firewall vip
    edit {name}
    # Configure virtual IP for IPv4.
        set name {string}   Virtual IP name. size[63]
        set id {integer}   Custom defined ID. range[0-65535]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set comment {string}   Comment. size[255]
        set type {option}   Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
                static-nat           Static NAT.
                load-balance         Load balance.
                server-load-balance  Server load balance.
                dns-translation      DNS translation.
                fqdn                 Fully qualified domain name.
        set dns-mapping-ttl {integer}   DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0). range[0-604800]
        set ldb-method {option}   Method used to distribute sessions to real servers.
                static         Distribute to server based on source IP.
                round-robin    Distribute to server based on round-robin order.
                weighted       Distribute to server based on weight.
                least-session  Distribute to server with lowest session count.
                least-rtt      Distribute to server with lowest Round-Trip-Time.
                first-alive    Distribute to the first server that is alive.
                http-host      Distribute to server based on host field in HTTP header.
        config src-filter
            edit {range}
            # Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces.
                set range {string}   Source-filter range. size[64]
            next
        config service
            edit {name}
            # Service name.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set extip {string}   IP address or address range on the external interface that you want to map to an address or address range on the destination network.
        config extaddr
            edit {name}
            # External FQDN address name.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config mappedip
            edit {range}
            # IP address or address range on the destination network to which the external IP address is mapped.
                set range {string}   Mapped IP range. size[64]
            next
        set mapped-addr {string}   Mapped FQDN address name. size[63] - datasource(s): firewall.address.name
        set extintf {string}   Interface connected to the source network that receives the packets that will be forwarded to the destination network. size[35] - datasource(s): system.interface.name
        set arp-reply {disable | enable}   Enable to respond to ARP requests for this virtual IP address. Enabled by default.
        set server-type {option}   Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
                http   HTTP
                https  HTTPS
                imaps  IMAPS
                pop3s  POP3S
                smtps  SMTPS
                ssl    SSL
                tcp    TCP
                udp    UDP
                ip     IP
        set persistence {none | http-cookie | ssl-session-id}   Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
                none            None.
                http-cookie     HTTP cookie.
                ssl-session-id  SSL session ID.
        set nat-source-vip {disable | enable}   Enable/disable forcing the source NAT mapped IP to the external IP for all traffic.
        set portforward {disable | enable}   Enable/disable port forwarding.
        set protocol {tcp | udp | sctp | icmp}   Protocol to use when forwarding packets.
                tcp   TCP.
                udp   UDP.
                sctp  SCTP.
                icmp  ICMP.
        set extport {string}   Incoming port number range that you want to map to a port number range on the destination network.
        set mappedport {string}   Port number range on the destination network to which the external port number range is mapped.
        set gratuitous-arp-interval {integer}   Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable. range[5-8640000]
        config srcintf-filter
            edit {interface-name}
            # Interfaces to which the VIP applies. Separate the names with spaces.
                set interface-name {string}   Interface name. size[64] - datasource(s): system.interface.name
            next
        set portmapping-type {1-to-1 | m-to-n}   Port mapping type.
                1-to-1  One to one.
                m-to-n  Many to many.
        config realservers
            edit {id}
            # Select the real servers that this server load balancing VIP will distribute traffic to.
                set id {integer}   Real server ID. range[0-4294967295]
                set ip {ipv4 address any}   IP address of the real server.
                set port {integer}   Port for communicating with the real server. Required if port forwarding is enabled. range[1-65535]
                set status {active | standby | disable}   Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
                        active   Server status active.
                        standby  Server status standby.
                        disable  Server status disable.
                set weight {integer}   Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. range[1-255]
                set holddown-interval {integer}   Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. range[30-65535]
                set healthcheck {disable | enable | vip}   Enable to check the responsiveness of the real server before forwarding traffic.
                set http-host {string}   HTTP server domain name in HTTP header. size[63]
                set max-connections {integer}   Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. range[0-2147483647]
                set monitor {string}   Name of the health check monitor to use when polling to determine a virtual server's connectivity status. size[64] - datasource(s): firewall.ldb-monitor.name
                set client-ip {string}   Only clients in this IP range can connect to this real server.
            next
        set http-cookie-domain-from-host {disable | enable}   Enable/disable use of HTTP cookie domain from host field in HTTP.
        set http-cookie-domain {string}   Domain that HTTP cookie persistence should apply to. size[35]
        set http-cookie-path {string}   Limit HTTP cookie persistence to the specified path. size[35]
        set http-cookie-generation {integer}   Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. range[0-4294967295]
        set http-cookie-age {integer}   Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. range[0-525600]
        set http-cookie-share {disable | same-ip}   Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
                disable  Only allow HTTP cookie to match this virtual server.
                same-ip  Allow HTTP cookie to match any virtual server with same IP.
        set https-cookie-secure {disable | enable}   Enable/disable verification that inserted HTTPS cookies are secure.
        set http-multiplex {enable | disable}   Enable/disable HTTP multiplexing.
        set http-ip-header {enable | disable}   For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
        set http-ip-header-name {string}   For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. size[35]
        set outlook-web-access {disable | enable}   Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
        set weblogic-server {disable | enable}   Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
        set websphere-server {disable | enable}   Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
        set ssl-mode {half | full}   Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
                half  Client to FortiGate SSL.
                full  Client to FortiGate and FortiGate to Server SSL.
        set ssl-certificate {string}   The name of the SSL certificate to use for SSL acceleration. size[35] - datasource(s): vpn.certificate.local.name
        set ssl-dh-bits {option}   Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
                768   768-bit Diffie-Hellman prime.
                1024  1024-bit Diffie-Hellman prime.
                1536  1536-bit Diffie-Hellman prime.
                2048  2048-bit Diffie-Hellman prime.
                3072  3072-bit Diffie-Hellman prime.
                4096  4096-bit Diffie-Hellman prime.
        set ssl-algorithm {high | medium | low | custom}   Permitted encryption algorithms for SSL sessions according to encryption strength.
                high    High encryption. Allow only AES and ChaCha.
                medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
                custom  Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.
        config ssl-cipher-suites
            edit {priority}
            # SSL/TLS cipher suites acceptable from a client, ordered by priority.
                set priority {integer}   SSL/TLS cipher suites priority. range[0-4294967295]
                set cipher {option}   Cipher suite name.
                        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256  Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256      Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA           Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-AES-128-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
                        TLS-RSA-WITH-AES-256-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
                        TLS-RSA-WITH-AES-128-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-RSA-WITH-AES-128-GCM-SHA256                Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-RSA-WITH-AES-256-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-RSA-WITH-AES-256-GCM-SHA384                Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
                        TLS-DHE-DSS-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
                        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
                        TLS-RSA-WITH-SEED-CBC-SHA                      Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
                        TLS-RSA-WITH-ARIA-128-CBC-SHA256               Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-RSA-WITH-ARIA-256-CBC-SHA384               Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-RC4-128-SHA                 Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
                        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA            Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-3DES-EDE-CBC-SHA                  Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-RC4-128-MD5                       Cipher suite TLS-RSA-WITH-RC4-128-MD5.
                        TLS-RSA-WITH-RC4-128-SHA                       Cipher suite TLS-RSA-WITH-RC4-128-SHA.
                        TLS-DHE-RSA-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
                        TLS-DHE-DSS-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
                        TLS-RSA-WITH-DES-CBC-SHA                       Cipher suite TLS-RSA-WITH-DES-CBC-SHA.
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   SSL/TLS versions that the cipher suite can be used with.
                        ssl-3.0  SSL 3.0.
                        tls-1.0  TLS 1.0.
                        tls-1.1  TLS 1.1.
                        tls-1.2  TLS 1.2.
            next
        set ssl-server-algorithm {option}   Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
                high    High encryption. Allow only AES and ChaCha.
                medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
                custom  Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.
                client  Use the same encryption algorithms for both client and server sessions.
        config ssl-server-cipher-suites
            edit {priority}
            # SSL/TLS cipher suites to offer to a server, ordered by priority.
                set priority {integer}   SSL/TLS cipher suites priority. range[0-4294967295]
                set cipher {option}   Cipher suite name.
                        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256  Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256      Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA           Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-AES-128-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
                        TLS-RSA-WITH-AES-256-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
                        TLS-RSA-WITH-AES-128-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-RSA-WITH-AES-128-GCM-SHA256                Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-RSA-WITH-AES-256-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-RSA-WITH-AES-256-GCM-SHA384                Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
                        TLS-DHE-DSS-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
                        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
                        TLS-RSA-WITH-SEED-CBC-SHA                      Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
                        TLS-RSA-WITH-ARIA-128-CBC-SHA256               Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-RSA-WITH-ARIA-256-CBC-SHA384               Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-RC4-128-SHA                 Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
                        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA            Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-3DES-EDE-CBC-SHA                  Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-RC4-128-MD5                       Cipher suite TLS-RSA-WITH-RC4-128-MD5.
                        TLS-RSA-WITH-RC4-128-SHA                       Cipher suite TLS-RSA-WITH-RC4-128-SHA.
                        TLS-DHE-RSA-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
                        TLS-DHE-DSS-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
                        TLS-RSA-WITH-DES-CBC-SHA                       Cipher suite TLS-RSA-WITH-DES-CBC-SHA.
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   SSL/TLS versions that the cipher suite can be used with.
                        ssl-3.0  SSL 3.0.
                        tls-1.0  TLS 1.0.
                        tls-1.1  TLS 1.1.
                        tls-1.2  TLS 1.2.
            next
        set ssl-pfs {require | deny | allow}   Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
                require  Allow only Diffie-Hellman cipher-suites, so PFS is applied.
                deny     Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
                allow    Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version acceptable from a client.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version acceptable from a client.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-server-min-version {option}   Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
                client   Use same value as client configuration.
        set ssl-server-max-version {option}   Highest SSL/TLS version acceptable from a server. Use the client setting by default.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
                client   Use same value as client configuration.
        set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
        set ssl-client-fallback {disable | enable}   Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
        set ssl-client-renegotiation {allow | deny | secure}   Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
                allow   Allow an SSL client to renegotiate.
                deny    Abort any client-initiated SSL renegotiation attempt.
                secure  Abort any client-initiated SSL renegotiation attempt that does not use RFC 5746 Secure Renegotiation.
        set ssl-client-session-state-type {disable | time | count | both}   How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
                disable  Do not keep session states.
                time     Expire session states after this many minutes.
                count    Expire session states when this maximum is reached.
                both     Expire session states based on time or count, whichever occurs first.
        set ssl-client-session-state-timeout {integer}   Number of minutes to keep client to FortiGate SSL session state. range[1-14400]
        set ssl-client-session-state-max {integer}   Maximum number of client to FortiGate SSL session states to keep. range[1-10000]
        set ssl-server-session-state-type {disable | time | count | both}   How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
                disable  Do not keep session states.
                time     Expire session states after this many minutes.
                count    Expire session states when this maximum is reached.
                both     Expire session states based on time or count, whichever occurs first.
        set ssl-server-session-state-timeout {integer}   Number of minutes to keep FortiGate to Server SSL session state. range[1-14400]
        set ssl-server-session-state-max {integer}   Maximum number of FortiGate to Server SSL session states to keep. range[1-10000]
        set ssl-http-location-conversion {enable | disable}   Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
        set ssl-http-match-host {enable | disable}   Enable/disable HTTP host matching for location conversion.
        set ssl-hpkp {disable | enable | report-only}   Enable/disable including HPKP header in response.
        set ssl-hpkp-primary {string}   Certificate to generate primary HPKP pin from. size[35] - datasource(s): vpn.certificate.local.name,vpn.certificate.ca.name
        set ssl-hpkp-backup {string}   Certificate to generate backup HPKP pin from. size[35] - datasource(s): vpn.certificate.local.name,vpn.certificate.ca.name
        set ssl-hpkp-age {integer}   Number of seconds the client should honour the HPKP setting. range[60-157680000]
        set ssl-hpkp-report-uri {string}   URL to report HPKP violations to. size[255]
        set ssl-hpkp-include-subdomains {disable | enable}   Indicate that HPKP header applies to all subdomains.
        set ssl-hsts {disable | enable}   Enable/disable including HSTS header in response.
        set ssl-hsts-age {integer}   Number of seconds the client should honour the HSTS setting. range[60-157680000]
        set ssl-hsts-include-subdomains {disable | enable}   Indicate that HSTS header applies to all subdomains.
        config monitor
            edit {name}
            # Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
                set name {string}   Health monitor name. size[64] - datasource(s): firewall.ldb-monitor.name
            next
        set max-embryonic-connections {integer}   Maximum number of incomplete connections. range[0-100000]
        set color {integer}   Color of icon on the GUI. range[0-32]
    next
end
config firewall vip6
    edit {name}
    # Configure virtual IP for IPv6.
        set name {string}   Virtual ip6 name. size[63]
        set id {integer}   Custom defined ID. range[0-65535]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set comment {string}   Comment. size[255]
        set type {static-nat | server-load-balance}   Configure a static NAT or server load balance VIP.
                static-nat           Static NAT.
                server-load-balance  Server load balance.
        config src-filter
            edit {range}
            # Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces.
                set range {string}   Source-filter range. size[79]
            next
        set extip {string}   IP address or address range on the external interface that you want to map to an address or address range on the destination network.
        set mappedip {string}   Mapped IP address range in the format startIP-endIP.
        set arp-reply {disable | enable}   Enable to respond to ARP requests for this virtual IP address. Enabled by default.
        set portforward {disable | enable}   Enable port forwarding.
        set protocol {tcp | udp | sctp}   Protocol to use when forwarding packets.
                tcp   TCP.
                udp   UDP.
                sctp  SCTP.
        set extport {string}   Incoming port number range that you want to map to a port number range on the destination network.
        set mappedport {string}   Port number range on the destination network to which the external port number range is mapped.
        set color {integer}   Color of icon on the GUI. range[0-32]
        set ldb-method {option}   Method used to distribute sessions to real servers.
                static         Distribute sessions based on source IP.
                round-robin    Distribute sessions based on round robin order.
                weighted       Distribute sessions based on weight.
                least-session  Sends new sessions to the server with the lowest session count.
                least-rtt      Distribute new sessions to the server with lowest Round-Trip-Time.
                first-alive    Distribute sessions to the first server that is alive.
                http-host      Distribute sessions to servers based on host field in HTTP header.
        set server-type {option}   Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
                http   HTTP
                https  HTTPS
                imaps  IMAPS
                pop3s  POP3S
                smtps  SMTPS
                ssl    SSL
                tcp    TCP
                udp    UDP
                ip     IP
        set persistence {none | http-cookie | ssl-session-id}   Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
                none            None.
                http-cookie     HTTP cookie.
                ssl-session-id  SSL session ID.
        config realservers
            edit {id}
            # Select the real servers that this server load balancing VIP will distribute traffic to.
                set id {integer}   Real server ID. range[0-4294967295]
                set ip {ipv6 address}   IPv6 address of the real server.
                set port {integer}   Port for communicating with the real server. Required if port forwarding is enabled. range[1-65535]
                set status {active | standby | disable}   Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
                        active   Server status active.
                        standby  Server status standby.
                        disable  Server status disable.
                set weight {integer}   Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. range[1-255]
                set holddown-interval {integer}   Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. range[30-65535]
                set healthcheck {disable | enable | vip}   Enable to check the responsiveness of the real server before forwarding traffic.
                set http-host {string}   HTTP server domain name in HTTP header. size[63]
                set max-connections {integer}   Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. range[0-2147483647]
                set monitor {string}   Name of the health check monitor to use when polling to determine a virtual server's connectivity status. size[64] - datasource(s): firewall.ldb-monitor.name
                set client-ip {string}   Only clients in this IP range can connect to this real server.
            next
        set http-cookie-domain-from-host {disable | enable}   Enable/disable use of HTTP cookie domain from host field in HTTP.
        set http-cookie-domain {string}   Domain that HTTP cookie persistence should apply to. size[35]
        set http-cookie-path {string}   Limit HTTP cookie persistence to the specified path. size[35]
        set http-cookie-generation {integer}   Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. range[0-4294967295]
        set http-cookie-age {integer}   Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. range[0-525600]
        set http-cookie-share {disable | same-ip}   Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
                disable  Only allow HTTP cookie to match this virtual server.
                same-ip  Allow HTTP cookie to match any virtual server with same IP.
        set https-cookie-secure {disable | enable}   Enable/disable verification that inserted HTTPS cookies are secure.
        set http-multiplex {enable | disable}   Enable/disable HTTP multiplexing.
        set http-ip-header {enable | disable}   For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
        set http-ip-header-name {string}   For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. size[35]
        set outlook-web-access {disable | enable}   Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
        set weblogic-server {disable | enable}   Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
        set websphere-server {disable | enable}   Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
        set ssl-mode {half | full}   Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
                half  Client to FortiGate SSL.
                full  Client to FortiGate and FortiGate to Server SSL.
        set ssl-certificate {string}   The name of the SSL certificate to use for SSL acceleration. size[35] - datasource(s): vpn.certificate.local.name
        set ssl-dh-bits {option}   Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
                768   768-bit Diffie-Hellman prime.
                1024  1024-bit Diffie-Hellman prime.
                1536  1536-bit Diffie-Hellman prime.
                2048  2048-bit Diffie-Hellman prime.
                3072  3072-bit Diffie-Hellman prime.
                4096  4096-bit Diffie-Hellman prime.
        set ssl-algorithm {high | medium | low | custom}   Permitted encryption algorithms for SSL sessions according to encryption strength.
                high    Use AES or 3DES.
                medium  Use AES, 3DES, or RC4.
                low     Use AES, 3DES, RC4, or DES.
                custom  Use config ssl-cipher-suites to select the cipher suites that are allowed.
        config ssl-cipher-suites
            edit {priority}
            # SSL/TLS cipher suites acceptable from a client, ordered by priority.
                set priority {integer}   SSL/TLS cipher suites priority. range[0-4294967295]
                set cipher {option}   Cipher suite name.
                        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256  Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256      Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA           Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-AES-128-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
                        TLS-RSA-WITH-AES-256-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
                        TLS-RSA-WITH-AES-128-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-RSA-WITH-AES-128-GCM-SHA256                Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-RSA-WITH-AES-256-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-RSA-WITH-AES-256-GCM-SHA384                Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
                        TLS-DHE-DSS-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
                        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
                        TLS-RSA-WITH-SEED-CBC-SHA                      Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
                        TLS-RSA-WITH-ARIA-128-CBC-SHA256               Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-RSA-WITH-ARIA-256-CBC-SHA384               Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-RC4-128-SHA                 Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
                        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA            Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-3DES-EDE-CBC-SHA                  Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-RC4-128-MD5                       Cipher suite TLS-RSA-WITH-RC4-128-MD5.
                        TLS-RSA-WITH-RC4-128-SHA                       Cipher suite TLS-RSA-WITH-RC4-128-SHA.
                        TLS-DHE-RSA-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
                        TLS-DHE-DSS-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
                        TLS-RSA-WITH-DES-CBC-SHA                       Cipher suite TLS-RSA-WITH-DES-CBC-SHA.
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   SSL/TLS versions that the cipher suite can be used with.
                        ssl-3.0  SSL 3.0.
                        tls-1.0  TLS 1.0.
                        tls-1.1  TLS 1.1.
                        tls-1.2  TLS 1.2.
            next
        set ssl-server-algorithm {option}   Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
                high    Use AES or 3DES.
                medium  Use AES, 3DES, or RC4.
                low     Use AES, 3DES, RC4, or DES.
                custom  Use config ssl-server-cipher-suites to select the cipher suites that are allowed.
                client  Use the same encryption algorithms for client and server sessions.
        config ssl-server-cipher-suites
            edit {priority}
            # SSL/TLS cipher suites to offer to a server, ordered by priority.
                set priority {integer}   SSL/TLS cipher suites priority. range[0-4294967295]
                set cipher {option}   Cipher suite name.
                        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256  Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256      Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA           Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-AES-128-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
                        TLS-RSA-WITH-AES-256-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
                        TLS-RSA-WITH-AES-128-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-RSA-WITH-AES-128-GCM-SHA256                Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-RSA-WITH-AES-256-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-RSA-WITH-AES-256-GCM-SHA384                Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
                        TLS-DHE-DSS-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
                        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
                        TLS-RSA-WITH-SEED-CBC-SHA                      Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
                        TLS-RSA-WITH-ARIA-128-CBC-SHA256               Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-RSA-WITH-ARIA-256-CBC-SHA384               Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-RC4-128-SHA                 Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
                        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA            Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-3DES-EDE-CBC-SHA                  Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-RC4-128-MD5                       Cipher suite TLS-RSA-WITH-RC4-128-MD5.
                        TLS-RSA-WITH-RC4-128-SHA                       Cipher suite TLS-RSA-WITH-RC4-128-SHA.
                        TLS-DHE-RSA-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
                        TLS-DHE-DSS-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
                        TLS-RSA-WITH-DES-CBC-SHA                       Cipher suite TLS-RSA-WITH-DES-CBC-SHA.
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   SSL/TLS versions that the cipher suite can be used with.
                        ssl-3.0  SSL 3.0.
                        tls-1.0  TLS 1.0.
                        tls-1.1  TLS 1.1.
                        tls-1.2  TLS 1.2.
            next
        set ssl-pfs {require | deny | allow}   Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
                require  Allow only Diffie-Hellman cipher-suites, so PFS is applied.
                deny     Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
                allow    Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version acceptable from a client.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version acceptable from a client.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-server-min-version {option}   Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
                client   Use same value as client configuration.
        set ssl-server-max-version {option}   Highest SSL/TLS version acceptable from a server. Use the client setting by default.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
                client   Use same value as client configuration.
        set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
        set ssl-client-fallback {disable | enable}   Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
        set ssl-client-renegotiation {allow | deny | secure}   Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
                allow   Allow an SSL client to renegotiate.
                deny    Abort any SSL connection that attempts to renegotiate.
                secure  Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.
        set ssl-client-session-state-type {disable | time | count | both}   How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
                disable  Do not keep session states.
                time     Expire session states after this many minutes.
                count    Expire session states when this maximum is reached.
                both     Expire session states based on time or count, whichever occurs first.
        set ssl-client-session-state-timeout {integer}   Number of minutes to keep client to FortiGate SSL session state. range[1-14400]
        set ssl-client-session-state-max {integer}   Maximum number of client to FortiGate SSL session states to keep. range[1-10000]
        set ssl-server-session-state-type {disable | time | count | both}   How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
                disable  Do not keep session states.
                time     Expire session states after this many minutes.
                count    Expire session states when this maximum is reached.
                both     Expire session states based on time or count, whichever occurs first.
        set ssl-server-session-state-timeout {integer}   Number of minutes to keep FortiGate to Server SSL session state. range[1-14400]
        set ssl-server-session-state-max {integer}   Maximum number of FortiGate to Server SSL session states to keep. range[1-10000]
        set ssl-http-location-conversion {enable | disable}   Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
        set ssl-http-match-host {enable | disable}   Enable/disable HTTP host matching for location conversion.
        set ssl-hpkp {disable | enable | report-only}   Enable/disable including HPKP header in response.
        set ssl-hpkp-primary {string}   Certificate to generate primary HPKP pin from. size[35] - datasource(s): vpn.certificate.local.name,vpn.certificate.ca.name
        set ssl-hpkp-backup {string}   Certificate to generate backup HPKP pin from. size[35] - datasource(s): vpn.certificate.local.name,vpn.certificate.ca.name
        set ssl-hpkp-age {integer}   Number of minutes the web browser should keep HPKP. range[60-157680000]
        set ssl-hpkp-report-uri {string}   URL to report HPKP violations to. size[255]
        set ssl-hpkp-include-subdomains {disable | enable}   Indicate that HPKP header applies to all subdomains.
        set ssl-hsts {disable | enable}   Enable/disable including HSTS header in response.
        set ssl-hsts-age {integer}   Number of seconds the client should honour the HSTS setting. range[60-157680000]
        set ssl-hsts-include-subdomains {disable | enable}   Indicate that HSTS header applies to all subdomains.
        config monitor
            edit {name}
            # Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
                set name {string}   Health monitor name. size[64] - datasource(s): firewall.ldb-monitor.name
            next
        set max-embryonic-connections {integer}   Maximum number of incomplete connections. range[0-100000]
    next
end

Additional information

The following section is for those options that require additional explanation.

uuid

Each VIP has a Universally Unique Identifier (UUID) that is automatically assigned. It is a 128-bit value written in hexadecimal. It can be edited.

comment <comment>

Add a comment about the VIP.

type {dns-translation | load-balance | server-load-balance | static-nat}

Select the type of static or dynamic NAT applied by the virtual IP.

  • dns-translation dynamic VIP with DNS translation.
  • load-balance dynamic NAT load balancing with server selection from an IP address range.
  • server-load-balance dynamic NAT load balancing with server selection from among up to eight real servers, determined by your selected load balancing algorithm and server responsiveness monitors. Includes SSL offloading.
  • static-nat Static NAT (the default).
  • fqdn dynamic fully qualified domain name (FQDN) VIP.

ldb-method {first-alive | http-host | least-rtt | least-session | round-robin | static | weighted}

Select the method used by the virtual server to distribute sessions to the real servers. You add real servers to the virtual server using config realservers.

This option appears only if type is server-load-balance.

first-alive Always directs requests to the first alive real server. In this case “first” refers to the order of the real servers in the virtual server configuration. For example, if you add real servers A, B and C in that order, then traffic always goes to A as long as it is alive. If A goes down then traffic goes to B and if B goes down the traffic goes to C. If A comes back up, traffic goes to A. Real servers are ordered in the virtual server configuration in the order in which you add them, with the most recently added real server last. If you want to change the order you must delete and re-add real servers as required.

http-host Load balance HTTP requests by the contents of the HOST header.

least-rtt Directs requests to the real server with the least round trip time. The round trip time is determined by a Ping monitor and is defaulted to 0 if no Ping monitors are defined.

least-session Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing have similar capabilities.

round-robin Directs request to the next real server, and treats all real servers as equals regardless of response time or number of connections. Unresponsive real servers are avoided. A separate real server is required.

static (the default) Distributes sessions evenly across all real servers according to the session source IP address. This load balancing method provides some persistence because all sessions from the same source address would always go to the same server. However, the distribution is stateless, so if a real server is added or removed (or goes up or down) the distribution is changed so persistence will be lost. Separate real servers are not required.


weighted Real servers with a higher weight value receive a larger percentage of connections at any one time. Server weights can be set in config realservers set weight.

dns-mapping-ttl

Enter the time-to-live for the DNS response. Range 0 to 604800. Available when type is dns-translation. Default is 0, which means use the TTL from the DNS server's response.

src-filter <address> [<address>...]

Enter a source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses by spaces.

extip <address>[-<address>]

Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network.

If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.

To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0.

mappedip <address> [<address>...]

Enter the IP address or IP address range on the destination network to which the external IP address is mapped.

If type is static-nat and mappedip is an IP address range, FortiOS uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.

If type is load-balance and mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.

Input each address (separated by spaces) in the format of IP (x.x.x.x), IP subnet (x.x.x.x/y) or IP range (x.x.x.x-y.y.y.y).

extintf <name>

Enter the name of the interface connected to the source network that receives the packets that will be forwarded to the destination network. The interface name can be any FortiGate network interface, VLAN subinterface, IPSec VPN interface, or modem interface.

arp-reply {disable | enable}

Enable to respond to ARP requests for this virtual IP address. Enabled by default.

server-type {http | https | imaps | ip | pop3s | smtps | ssl | tcp | udp}

If the type is server-load-balance, select the protocol to be load balanced by the virtual server (also called the server load balance virtual IP). If you select a general protocol such as ip, tcp, or udp the virtual server load balances all IP, TCP, or UDP sessions. If you select specific protocols such as http, https, or ssl you can apply additional server load balancing features such as persistence and HTTP multiplexing.

  • http load balance only HTTP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 80 for HTTP sessions). You can also configure http-multiplex. You can also set persistence to http-cookie and configure http-cookie-domain, http-cookie-path, http-cookie-generation, http-cookie-age, and http-cookie-share settings for cookie persistence.
  • https load balance only HTTPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 443 for HTTPS sessions). You can also configure http-multiplex and set persistence to http-cookie and configure the same http-cookie options as for http virtual servers plus the https-cookie-secure option. You can also set persistence to ssl-session-id. You can also configure the SSL options such as ssl-mode and ssl-certificate and so on. https is available on FortiGate units that support SSL acceleration.
  • imaps load balance only IMAPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 993 for IMAPS sessions).
  • ip load balance all sessions accepted by the firewall policy that contains this server load balance virtual IP. Since all sessions are load balanced you don’t have to set the extport.
  • pop3s load balance only POP3S sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 995 for POP3S sessions).
  • smtps load balance only SMTPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 465 for SMTPS sessions).
  • ssl load balance only SSL sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced. You can also configure the SSL options such as ssl-mode and ssl-certificate and so on.
  • tcp load balance only TCP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.
  • udp load balance only UDP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.

persistence {none | http-cookie | ssl-session-id}

If the type is server-load-balance, configure persistence for a virtual server to make sure that clients connect to the same server every time they make a request that is part of the same session.

When you configure persistence, the FortiGate load balances a new session to a real server according to the ldb-method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.


Persistence is disabled by default. You can configure persistence if server-type is set to http, https, or ssl.

  • none No persistence. Sessions are distributed solely according to the ldb-method. Setting ldb-method to static (the default) results in behavior equivalent to persistence.
  • http-cookie all HTTP or HTTPS sessions with the same HTTP session cookie are sent to the same real server. http-cookie is available if server-type is set to https or ssl. If you select this option you can also configure http-cookie-domain, http-cookie-path, http-cookie-generation, http-cookie-age, and http-cookie-share for HTTP and these settings plus https-cookie-secure for HTTPS.
  • ssl-session-id all sessions with the same SSL session ID are sent to the same real server. ssl-session-id is available if server-type is set to https or ssl.

nat-source-vip {disable | enable}

Enable (the default) to prevent unintended servers from using a virtual IP. The virtual IP will be used as the source IP address for connections from the server through the FortiGate.

Disable to use the actual IP address of the server (or the FortiGate destination interface if using NAT) as the source address of connections from the server that pass through the FortiGate unit.

portforward {disable | enable}

Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport. Disabled by default.

protocol {sctp | tcp | udp | icmp}

Select the protocol to use when forwarding packets. The default is tcp.

extport <port-number>

External port number range that you want to map to a port number range on the destination network.

This option only appears if portforward is enabled. If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the port number range. Then set mappedport to the start and end of the destination port range.

When using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.

If type is server-load-balance, extport is available unless server-type is ip. The value of extport changes to 80 if server-type is http and to 443 if server-type is https.
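The following is an added example, not configuration from the Fortinet reference, showing the extip, mappedip, portforward, extport and mappedport options described above in two static NAT VIPs: one that maps a block of external addresses one-to-one onto internal addresses, and one that forwards an external port range to an internal port range. The interface name wan1, the VIP names and the addresses (RFC 5737 documentation ranges) are assumptions.

```fortios
config firewall vip
    # One-to-one static NAT for a block of four servers. Only the first external
    # address is given; because mappedip is a range of four addresses, the
    # FortiGate derives the matching external range 203.0.113.10-203.0.113.13.
    edit "dmz-block-1to1"
        set type static-nat
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip 10.0.0.10-10.0.0.13
        set arp-reply enable
    next
    # Port-forwarding static NAT: TCP 203.0.113.20 ports 8000-8009 are translated
    # to 10.0.0.20 ports 9000-9009. Both ranges hold ten ports, so external 8000
    # always maps to 9000, 8001 to 9001, and so on.
    edit "app-portrange"
        set type static-nat
        set extintf "wan1"
        set extip 203.0.113.20
        set mappedip 10.0.0.20
        set portforward enable
        set protocol tcp
        set extport 8000-8009
        set mappedport 9000-9009
        # Only this source subnet (assumed) may use the mapping.
        set src-filter 198.51.100.0/24
    next
end
```

Neither VIP passes traffic on its own; each must be referenced as the destination address of a firewall policy, and that policy is where the allowed source, service and security profiles are decided.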

config realservers

The following are the options for config realservers, and are available only if type is server-load-balance.

ip <server-ip>

Enter the IP address of a server in this server load balancing cluster.

port

Enter the port used if port forwarding is enabled.

status {active | disable | standby}

Select whether the server is in the pool of servers currently being used for server load balanced traffic, the server is on standby, or is disabled. Default is active.

  • active The FortiGate unit may forward traffic to the server unless its health check monitors determine that the server is unresponsive, at which time the FortiGate unit temporarily uses a server whose status is standby. The health check monitor will continue to monitor the unresponsive server for the duration of holddown-interval. If this server becomes reliably responsive again, it will be restored to active use, and the standby server will revert to standby.
  • disable The FortiGate unit does not forward traffic to this server, and does not perform health checks. You might use this option to conserve server load balancing resources when you know that a server will be unavailable for a long period, such as when the server is down for repair.
  • standby If a server whose status is active becomes unresponsive, the FortiGate temporarily uses a responsive server whose status is standby until the server whose status is active again becomes reliably responsive. If multiple responsive standby servers are available, the FortiGate selects the standby server with the greatest weight. If a standby server becomes unresponsive, the FortiGate selects another responsive server whose status is standby.

holddown-interval <interval>

Enter the amount of time in seconds that the health check monitor continues to monitor the status of a server whose status is active after it has been detected to be unresponsive. Default is 300 seconds.

If the server is detected to be continuously responsive during this interval, a server whose status is standby is removed from current use and replaced with this server, which is then used by server load balanced traffic. In this way, server load balancing prefers to use active servers, if they are responsive.

If the server is detected to be unresponsive during the first holddown interval, the server remains out of use for server load balanced traffic, the health check monitor will double the holddown interval once, and continue to monitor the server for the duration of the doubled holddown interval. The health check monitor continues to monitor the server for additional iterations of the doubled holddown interval until connectivity to the server becomes reliable, at which time the holddown interval reverts to the configured interval, and the newly responsive active server replaces the standby server in the pool of servers currently in use. In effect, if the status of a server is active but the server is habitually unresponsive, the health check monitor is less likely to restore the server to use by server load balanced traffic until the server’s connectivity becomes more reliable.

This option applies only to real servers whose status is active, but have been detected to be unresponsive or down.

healthcheck {disable | enable}

Enable to check the responsiveness of the server before forwarding traffic. You must also configure monitor. Disabled by default.

max-connections <number>

Enter the limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.

The default of 0 means unlimited connections.

client-ip <ip_range_ipv4> [<ip_range_ipv4>] [<ip_range_ipv4>] [<ip_range_ipv4>]

Restrict the clients that can connect to a real server according to the client’s source IP address. Use the client-ip option to enter up to four client source IP addresses or address ranges. Separate each IP address or range with a space. The following example shows how to add a single IP address and an IP address range:

set client-ip 192.168.1.90 192.168.1.100-192.168.1.120

Use the client-ip option if you have multiple real servers in a server load balance VIP and you want to control which clients use which real server according to the client’s source IP address. Different real servers in the same virtual server can have the same or overlapping IP addresses and ranges. If an overlap occurs, sessions from the overlapping source addresses are load balanced among the real servers with the overlapping addresses.

If you do not specify a client-ip all clients can use the real server.

weight <weight>

Enter the weight value of a specific server. Servers with a greater weight receive a greater proportion of forwarded connections, or, if their status is standby, are more likely to be selected to temporarily replace servers whose status is active, but that are unresponsive. Valid weight values are between 1 and 255. Default is 1.

This option is available only if ldb-method is weighted.
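As an added example (not configuration from the Fortinet reference), the following ties together the type and ldb-method options from earlier on this page with the config realservers options above: a server-load-balance VIP for a plain TCP service with weighted distribution, a health check monitor, a connection cap, a client-ip restriction and a standby server. The ldb-monitor command is not documented on this page, so its sub-options (type, port, interval, timeout, retry) are assumptions, as are the interface name wan1, the object names and the addresses (RFC 5737 documentation ranges).

```fortios
# Health check referenced by the virtual server (assumed ldb-monitor options).
config firewall ldb-monitor
    edit "tcp-8080-check"
        set type tcp
        set port 8080
        set interval 10
        set timeout 2
        set retry 3
    next
end

config firewall vip
    edit "app-pool"
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.30
        # Generic TCP balancing: only sessions to extport are distributed.
        set server-type tcp
        set extport 8080
        # Weighted: server 1 receives roughly three sessions for every one
        # sent to server 2.
        set ldb-method weighted
        set max-embryonic-connections 1000
        config monitor
            edit "tcp-8080-check"
            next
        end
        config realservers
            edit 1
                set ip 10.0.1.11
                set port 8080
                set status active
                set weight 3
                set healthcheck enable
                # Keep probing this server for 300 s after it is found
                # unresponsive before it is considered for reinstatement.
                set holddown-interval 300
                # Beyond 500 active connections, new sessions go elsewhere.
                set max-connections 500
            next
            edit 2
                set ip 10.0.1.12
                set port 8080
                set status active
                set weight 1
                set healthcheck enable
                # Only these client sources may be sent to server 2; they still
                # overlap with server 1, which accepts all clients, so sessions
                # from them are balanced between servers 1 and 2.
                set client-ip 198.51.100.10 198.51.100.100-198.51.100.120
            next
            edit 3
                set ip 10.0.1.13
                set port 8080
                # Used only while an active server is unresponsive; among
                # responsive standbys the highest weight is chosen.
                set status standby
                set weight 2
                set healthcheck enable
            next
        end
    next
end
```

Because healthcheck is enabled on every real server, an entry in config monitor is mandatory; without it the servers are never probed and an unresponsive active server keeps receiving sessions.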

mappedport <port>

Enter the port number range on the destination network to which the external port number range is mapped.

You can also enter a port number range to forward packets to multiple ports on the destination network.

gratuitous-arp-interval <time>

Configure sending of gratuitous ARP packets by a virtual IP. You can set the time interval between sending the packets. The default is 0, which disables this feature.

srcintf-filter <interface> [<interface>...]

Enter names of the interfaces to which the VIP applies. Separate names with spaces.

http-cookie-domain-from-host {enable | disable}

If enabled, when the FortiGate unit adds a Set-Cookie to the HTTP(S) response, the Domain attribute in the Set-Cookie is set to the value of the Host: header, if there was one.

If there was no Host: header, the Domain attribute is set to the value of http-cookie-domain if it is set and if it is not then the Domain attribute will not be included in the Set-Cookie.

This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie. Disabled by default.

http-cookie-domain <domain>

Configure HTTP cookie persistence to restrict the domain that the cookie should apply to. Enter the domain name to restrict the cookie to.

This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.

http-cookie-path <path>

Configure HTTP cookie persistence to limit the cookies to a particular path, for example /new/path.

This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.

http-cookie-generation <generation>

Configure HTTP cookie persistence to invalidate all cookies that have already been generated. The exact value of the generation is not important, only that it is different from any generation that has already been used.

This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.

http-cookie-age <age>

Configure HTTP cookie persistence to change how long the browser caches the cookie. Enter an age in minutes or set the age to 0 to make the browser keep the cookie indefinitely. The range is 0 to 525600 minutes. The default age is 60 minutes.

This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.

http-cookie-share {disable | same-ip}

Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server. The default setting same-ip means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain.

Disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers.

This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.

https-cookie-secure {disable | enable}

Configure HTTP cookie persistence to enable or disable using secure cookies for HTTPS sessions. Secure cookies are disabled by default because they can interfere with cookie sharing across HTTP and HTTPS virtual servers. If enabled, then the Secure tag is added to the cookie inserted by the FortiGate unit.

This option is available when type is server-load-balance, server-type is http or https and persistence is http or https.

http-multiplex {disable | enable}

Enable to use the FortiGate to multiplex multiple client connections into a few connections between the FortiGate and the real server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. Disabled by default.

This option is only available if server-type is http or https.

http-ip-header {disable | enable}

If HTTP multiplexing is enabled, set http-ip-header to enable to add the original client IP address in the X-Forwarded-For HTTP header. This can be useful in an HTTP multiplexing configuration if you want to be able to see the original client IP address in log messages on the destination web server. If this option is disabled, the X-Forwarded-For header will contain the IP address of the FortiGate unit. Disabled by default.

If enabled the http-ip-header-name option appears and you can specify a different header to add the client IP address to.

This option appears only if type is server-load-balance, server-type is http or https and http-multiplex is enabled.

http-ip-header-name <name>

In an HTTP multiplex configuration, if you enable http-ip-header you can use the http-ip-header-name option to add the original client IP address to a custom http header. Use this option to specify the name of the header to add the IP address to.

The destination server extracts the original client IP address from this header to record log messages that include client IP addresses. If you leave this option blank (the default) the original client IP address is added to the X-Forwarded-For header.

This option appears only if type is server-load-balance, server-type is http or https and http-multiplex is enabled and http-ip-header is enabled.
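The following is an added example, not configuration from the Fortinet reference, that combines the http-cookie persistence options (http-cookie-domain-from-host through https-cookie-secure) with http-multiplex, http-ip-header and http-ip-header-name for a plain HTTP virtual server. The interface name wan1, the cookie domain, the custom header name X-Client-IP, the VIP name and the addresses (RFC 5737 documentation ranges) are assumptions.

```fortios
config firewall vip
    edit "intranet-http"
        set type server-load-balance
        set extintf "wan1"
        set extip 203.0.113.40
        set server-type http
        set extport 80
        set ldb-method round-robin
        # The first request of a session is placed by ldb-method; the cookie the
        # FortiGate inserts then pins later requests to the same real server.
        set persistence http-cookie
        # Cookie Domain is taken from the request's Host header when present,
        # otherwise from http-cookie-domain.
        set http-cookie-domain-from-host enable
        set http-cookie-domain "intranet.example.com"
        set http-cookie-path "/"
        # Change this value to invalidate every cookie issued so far.
        set http-cookie-generation 1
        # Browsers keep the cookie for 60 minutes (0 would mean indefinitely).
        set http-cookie-age 60
        # Do not let other virtual servers in this VDOM honour this cookie.
        set http-cookie-share disable
        # Fold many client connections into a few FortiGate-to-server
        # connections; the real servers must speak HTTP/1.1.
        set http-multiplex enable
        # Pass the real client address to the servers for their logs. Leaving
        # http-ip-header-name empty would put it in X-Forwarded-For instead.
        set http-ip-header enable
        set http-ip-header-name "X-Client-IP"
        config realservers
            edit 1
                set ip 10.0.2.11
                set port 8080
            next
            edit 2
                set ip 10.0.2.12
                set port 8080
            next
        end
    next
end
```

With http-cookie-share disabled and a fresh http-cookie-generation, a cookie issued by one virtual server is not accepted by another, and a value change after a server pool rebuild forces every client to be re-balanced rather than pinned to a server that may no longer exist.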

outlook-web-access {disable | enable}

If the FortiGate unit provides SSL offloading for Microsoft Outlook Web Access then the Outlook server expects to see a Front-End-Https: on header inserted into the HTTP headers as described in this Microsoft Technical Note. If outlook-web-access is enabled the FortiGate adds this header to all HTTP requests. Disabled by default.

This option is available when type is server-load-balance and server-type is http or https.

weblogic-server {disable | enable}

Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server. Disabled by default.

websphere-server {disable | enable}

Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server. Disabled by default.

ssl-mode {full | half}

Select whether or not to accelerate SSL communications with the destination by using the FortiGate to perform SSL operations, and indicate which segments of the connection will receive SSL offloading. Accelerating SSL communications in this way is also called SSL offloading.

  • half (the default) apply SSL acceleration only between the client and the FortiGate. The segment between the FortiGate and the server is clear text. This results in better performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
  • full apply SSL acceleration to both parts of the connection: the segment between the client and the FortiGate, and the segment between the FortiGate and the server. The segment between the FortiGate and the server is encrypted, but the handshakes are accelerated. This results in performance which is less than if ssl-mode is set to half, but still improved over no SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration. If this option is set to full then several ssl-server options appear and you can apply different SSL features (such as encryption levels) to the client connection and to the server connection.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-certificate <name>

The name of the SSL certificate to use for SSL acceleration.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full, the same certificate is used for client and server communication.

ssl-dh-bits <bits>

Enter the number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection. Larger prime numbers are associated with greater cryptographic strength. Default is 2048. Values include 768, 1024, 1536, 2048, 3072, and 4096.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full, the ssl-dh-bits setting is used for client and server communication.

ssl-algorithm {high | medium | low | custom}

Set the permitted encryption algorithms for SSL sessions according to encryption strength.

  • high (the default) permit only high encryption algorithms: AES or 3DES.
  • medium permit high (AES, 3DES) or medium (RC4) algorithms.
  • low permit high (AES, 3DES), medium (RC4), or low (DES) algorithms.
  • custom only allow some cipher suites to be used. Use config ssl-cipher-suites to select the cipher suites that are allowed.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full and ssl-server-algorithm is set to client, the ssl-algorithm setting applies to both client and server communication.

If ssl-server-algorithm is not set to client, the ssl-algorithm setting only applies to client communication. You can use the ssl-server-algorithm option to select different algorithms for server communication.

config ssl-cipher-suites

Choose one or more SSL cipher suites to use for SSL sessions. Only available if ssl-algorithm is set to custom. You can also use this command to list the supported SSL cipher suites available to all FortiOS SSL encryption/decryption applications.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full and ssl-server-algorithm is set to client, the configured setting applies to both client and server communication.

If ssl-server-algorithm is not set to client, the config ssl-cipher-suites configuration only applies to client communication. You can use config ssl-cipher-suites to select different cipher suites for server communication.

cipher <cipher-suite-name>

Set the cipher suite name to use. Use ? to list the available cipher suite names.

versions {ssl-3.0 | tls-1.0 | tls-1.1}

Select the SSL/TLS versions that are supported.

ssl-server-algorithm {high | medium | low | custom}

Set the permitted encryption algorithms for SSL server sessions according to encryption strength.

  • high (the default) permit only high encryption algorithms: AES or 3DES.
  • medium permit high (AES, 3DES) or medium (RC4) algorithms.
  • low permit high (AES, 3DES), medium (RC4), or low (DES) algorithms.
  • custom only allow some cipher suites to be used. Use config ssl-server-cipher-suites to select the cipher suites that are allowed.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and ssl-mode is full.

config ssl-server-cipher-suites

Choose one or more SSL cipher suites to use for SSL server sessions. Only available if ssl-server-algorithm is set to custom. You can also use this command to list the supported SSL cipher suites available to all FortiOS SSL encryption/decryption applications.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, ssl-mode is full, and ssl-server-algorithm is custom.

cipher <cipher-suite-name>

Set the cipher suite name to use. Use ? to list the available cipher suite names.

versions {ssl-3.0 | tls-1.0 | tls-1.1}

Select the SSL/TLS versions that are supported.

ssl-pfs {allow | deny | require}

Select handling of perfect forward secrecy (PFS) by controlling the cipher suites that can be selected. Applies to both client and server sessions.

  • allow allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
  • deny allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
  • require allow only Diffie-Hellman cipher-suites, so PFS is applied. This is the default setting.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and ssl-algorithm is not set to custom.

ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}

The lowest version of SSL/TLS to allow in SSL sessions. Default is tls-1.0.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full and ssl-server-min-version is set to client, the configured setting applies to both client and server communication. If ssl-server-min-version is not set to client, this option only applies to client communication.

The default is tls-1.1.

ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}

The highest version of SSL/TLS to allow in SSL sessions. Default is tls-1.2.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full and ssl-server-max-version is set to client, the configured setting applies to both client and server communication. If ssl-server-max-version is not set to client, this option only applies to client communication.

ssl-server-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}

The lowest version of SSL/TLS to allow in SSL server sessions. Default is client which means the ssl-min-version applies to both client and server sessions.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and ssl-mode is set to full.

ssl-server-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}

The highest version of SSL/TLS to allow in SSL server sessions. Default is client which means the ssl-max-version applies to both client and server sessions.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and ssl-mode is set to full.
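The interplay of the four version options above, as an added Python example that is not FortiOS code and not part of this page: it computes the version window each leg of the VIP ends up with, applying the rule that a server-side value of client inherits the client-side setting and that the server leg exists only with ssl-mode full. The function names and the legacy_versions helper (which lists SSL 3.0, TLS 1.0 and TLS 1.1, deprecated by RFC 7568 and RFC 8996, wherever a window still includes them) are assumptions of the example.

```python
# Added example: resolves the SSL/TLS version windows that ssl-min-version,
# ssl-max-version, ssl-server-min-version and ssl-server-max-version produce for
# each leg of a server-load-balance VIP. Not FortiOS code; the inheritance rule
# ("client" = use the client-side value) and the half/full distinction follow
# the descriptions on this page.

VERSION_ORDER = ("ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2")


def _rank(version):
    if version not in VERSION_ORDER:
        raise ValueError(f"unknown SSL/TLS version: {version}")
    return VERSION_ORDER.index(version)


def _window(low, high):
    """Inclusive list of versions from low to high; rejects an inverted pair."""
    if _rank(low) > _rank(high):
        raise ValueError(f"minimum {low} is above maximum {high}")
    return list(VERSION_ORDER[_rank(low):_rank(high) + 1])


def resolve_versions(ssl_mode, ssl_min_version, ssl_max_version,
                     ssl_server_min_version="client", ssl_server_max_version="client"):
    """Return {"client": [versions...], "server": [versions...] or None}.

    The client leg (client to FortiGate) always uses ssl-min/max-version.
    The server leg (FortiGate to real server) exists only with ssl-mode full;
    there, a server-side value of "client" inherits the corresponding client value.
    """
    if ssl_mode not in ("half", "full"):
        raise ValueError(f"unknown ssl-mode: {ssl_mode}")
    client = _window(ssl_min_version, ssl_max_version)
    if ssl_mode == "half":
        return {"client": client, "server": None}
    server_min = ssl_min_version if ssl_server_min_version == "client" else ssl_server_min_version
    server_max = ssl_max_version if ssl_server_max_version == "client" else ssl_server_max_version
    return {"client": client, "server": _window(server_min, server_max)}


def accepts(policy, leg, version):
    """True if the given leg ("client" or "server") would negotiate this version."""
    allowed = policy[leg]
    return allowed is not None and version in allowed


def legacy_versions(policy):
    """Versions below TLS 1.2 still enabled on any leg (deprecated by RFC 7568 / RFC 8996)."""
    enabled = set()
    for versions in policy.values():
        enabled.update(versions or [])
    return sorted((v for v in enabled if _rank(v) < _rank("tls-1.2")), key=_rank)


if __name__ == "__main__":
    policy = resolve_versions("full", "tls-1.0", "tls-1.2", ssl_server_min_version="tls-1.2")
    print("client leg:", policy["client"])
    print("server leg:", policy["server"])
    print("legacy versions still enabled:", legacy_versions(policy))
```

The sample run in the block illustrates the case the text describes: with ssl-server-min-version set to tls-1.2, the server leg is pinned to TLS 1.2 while the client leg still accepts TLS 1.0 and 1.1, which is exactly what a configuration review of the VIP should surface.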

ssl-send-empty-frags {disable | enable}

Select to precede each record with empty fragments to thwart attacks on the CBC initialization vector (IV). You might disable this option if SSL acceleration will be used with an old or buggy SSL implementation that cannot properly handle empty fragments. Enabled by default.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and applies only to SSL 3.0 and TLS 1.0.

ssl-client-fallback {disable | enable}

Enable (the default) to prevent protocol downgrade attacks on client connections (RFC 7507, TLS Fallback Signaling Cipher Suite Value).

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-client-renegotiation {allow | deny | secure}

Select the SSL secure renegotiation policy. Secure renegotiation complies with RFC 5746 (TLS Renegotiation Indication Extension).

The vulnerability CVE-2009-3555 affects all SSL/TLS servers that support renegotiation. FortiOS, when configured for SSL/TLS offloading, operates as an SSL/TLS server. The IETF is working on a TLS protocol change that will fix the problem identified by CVE-2009-3555 while still supporting renegotiation. Until that protocol change is available, you can use the ssl-client-renegotiation option to disable support for SSL/TLS renegotiation.

  • allow (the default) allow, but do not require secure renegotiation.
  • deny do not allow renegotiation.
  • secure require secure renegotiation.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-client-session-state-type {both | count | disable | time}

The method the FortiGate should use to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

  • both (the default) expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
  • count expire SSL session states when ssl-client-session-state-max is exceeded.
  • disable expire all SSL session states.
  • time expire SSL session states when ssl-client-session-state-timeout is exceeded.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-client-session-state-timeout <timeout>

The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit. Default is 30 minutes. Range is 1 to 14400.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-client-session-state-max <states>

The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit. Default is 1000. Range is 0 to 100000.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-server-session-state-type {both | count | disable | time}

The method the FortiGate should use to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

  • both (the default) expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
  • count expire SSL session states when ssl-server-session-state-max is exceeded.
  • disable expire all SSL session states.
  • time expire SSL session states when ssl-server-session-state-timeout is exceeded.

This option appears only if ssl-mode is full.

ssl-server-session-state-timeout <time>

The number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate. Default is 30 minutes. Range is 1 to 14400.

This option appears only if ssl-mode is full.

ssl-server-session-state-max <states>

The maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit. Default is 1000. Range is 0 to 100000.

This option appears only if ssl-mode is full.
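The expiry rules that the client- and server-side session-state-type, session-state-timeout and session-state-max options describe, as an added Python model (not FortiOS code and not from this page). The same class serves both the client leg and the server leg, since the page gives them identical semantics. Time is counted in minutes from when a state was stored; the page does not say whether a resumption refreshes the timer, so this model assumes it does not, and the class and method names are assumptions of the example.

```python
# Added example: a model of the session-state expiry rules described on this page
# for ssl-{client,server}-session-state-type, -timeout and -max. Not FortiOS code.
from collections import OrderedDict


class SslSessionStateCache:
    VALID_TYPES = ("both", "count", "disable", "time")

    def __init__(self, state_type="both", max_states=1000, timeout_minutes=30):
        if state_type not in self.VALID_TYPES:
            raise ValueError(f"unknown session-state-type: {state_type}")
        # Ranges as documented: max 0..100000 states, timeout 1..14400 minutes.
        if not (0 <= max_states <= 100000) or not (1 <= timeout_minutes <= 14400):
            raise ValueError("max_states or timeout_minutes outside the documented range")
        self.state_type = state_type
        self.max_states = max_states
        self.timeout_minutes = timeout_minutes
        self._states = OrderedDict()   # session id -> minute it was stored, oldest first

    def _expire_by_time(self, now):
        """time and both: drop every state older than the timeout."""
        if self.state_type in ("both", "time"):
            stale = [sid for sid, stored in self._states.items()
                     if now - stored >= self.timeout_minutes]
            for sid in stale:
                del self._states[sid]

    def _expire_by_count(self):
        """count and both: once the maximum is exceeded, drop the oldest states."""
        if self.state_type in ("both", "count"):
            while len(self._states) > self.max_states:
                self._states.popitem(last=False)

    def store(self, session_id, now):
        """Record a newly negotiated session; with type disable nothing is kept."""
        if self.state_type == "disable":
            return
        self._expire_by_time(now)
        self._states.pop(session_id, None)     # re-storing moves the id to newest
        self._states[session_id] = now
        self._expire_by_count()

    def can_resume(self, session_id, now):
        """True if a peer presenting this session id would get an abbreviated handshake."""
        self._expire_by_time(now)
        return session_id in self._states

    def __len__(self):
        return len(self._states)


if __name__ == "__main__":
    cache = SslSessionStateCache("both", max_states=2, timeout_minutes=30)
    for minute, sid in enumerate(("a", "b", "c")):
        cache.store(sid, minute)
    print("states kept:", len(cache))                  # count limit evicted "a"
    print("b resumable at minute 31:", cache.can_resume("b", 31))   # timed out
```

The value of the model is in the corner cases: with type time the count limit is never applied, with type count a state never ages out, and with type disable the cache is always empty, so every handshake is a full one.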

ssl-http-location-conversion {disable | enable}

Select to replace http with https in the reply’s Location HTTP header field. For example, the reply Location: http://example.com/ would be converted to Location: https://example.com/. Disabled by default.

This option appears only if type is server-load-balance and server-type is https.

ssl-http-match-host {disable | enable}

Enable (the default setting) to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field, or, if the Host field does not exist, the host name portion of the request’s URI.

If this option is disabled, conversion occurs regardless of whether the host names in the request and the reply match.

For example, if ssl-http-match-host is enabled, and a request contains Host: example.com and the reply contains Location: http://example.cc/, the Location field does not match the Host field of the original request and the reply’s Location field remains unchanged. If the reply contains Location: http://example.com/, however, then the FortiGate detects the matching host name and converts the reply field to Location: https://example.com/.

This option appears only if type is server-load-balance and server-type is https and ssl-http-location-conversion is enable.
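The Location rewrite that ssl-http-location-conversion and ssl-http-match-host describe, worked through on raw HTTP header blocks as an added Python example (not FortiOS code and not from this page). It reproduces the example.com / example.cc case from the text and also covers the fallback to the host of an absolute request URI when no Host header is present. Host names are compared case-insensitively and without a port suffix; the page does not spell either out, so both, along with the constructed REQUEST and REPLY samples and all function names, are assumptions of the example.

```python
# Added example: the Location header rewrite that ssl-http-location-conversion
# and ssl-http-match-host describe, applied to raw HTTP header blocks. Not
# FortiOS code. Host comparison is case-insensitive and ignores any port
# (assumption: the page does not state how the comparison is done).
from urllib.parse import urlsplit, urlunsplit


def parse_headers(raw):
    """Split a header block into (start line, {lower-cased name: value})."""
    lines = raw.strip().splitlines()
    if not lines:
        return "", {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def request_host(request_raw):
    """Host name to match: the Host header, else the host of an absolute request URI, else None."""
    start_line, headers = parse_headers(request_raw)
    if "host" in headers:
        return urlsplit("//" + headers["host"]).hostname   # drops any port, lower-cases
    fields = start_line.split()
    if len(fields) >= 2 and "://" in fields[1]:
        return urlsplit(fields[1]).hostname
    return None


def convert_location(location, request_raw, match_host=True):
    """Return the Location value with http replaced by https when the rules allow it."""
    parts = urlsplit(location.strip())
    if parts.scheme.lower() != "http":
        return location          # already https, or a relative reference: nothing to do
    if match_host and (parts.hostname is None or parts.hostname != request_host(request_raw)):
        return location          # host names differ or cannot be determined: leave as-is
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


def rewrite_reply(reply_raw, request_raw, location_conversion=True, match_host=True):
    """Apply the conversion to every Location header line of a reply header block."""
    if not location_conversion:
        return reply_raw
    out = []
    for line in reply_raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            line = f"{name.strip()}: {convert_location(value.strip(), request_raw, match_host)}"
        out.append(line)
    return "\r\n".join(out)


# Constructed sample traffic mirroring the example in the text.
REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
REPLY_SAME_HOST = "HTTP/1.1 302 Found\r\nLocation: http://example.com/\r\nContent-Length: 0\r\n\r\n"
REPLY_OTHER_HOST = "HTTP/1.1 302 Found\r\nLocation: http://example.cc/\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(rewrite_reply(REPLY_SAME_HOST, REQUEST))    # Location becomes https://example.com/
    print(rewrite_reply(REPLY_OTHER_HOST, REQUEST))   # Location stays http://example.cc/
```

Note that only an absolute http:// Location is ever touched: a relative redirect such as /login passes through unchanged, so the match-host rule is the only thing standing between the offloaded site and a redirect to some unrelated plaintext host when ssl-http-match-host is disabled.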

monitor <name>

The name of the health check monitor for use when polling to determine a virtual server’s connectivity status.

max-embryonic-connections <number>

The maximum number of partially established SSL or HTTP connections. This should be greater than the maximum number of connections you want to establish per second. Default is 1000. Range is 0 to 100000.

This option appears only if type is server-load-balance and server-type is http, ssl, https, imaps, pop3s, or smtps.

portmapping-type {1-to-1 | m-to-n}

The type of port mapping.

  • 1-to-1 one-to-one mapping (the default).
  • m-to-n load balancing (many to many).

This option appears when type is not set to server-load-balance.

color <integer>

The color of the icon in the GUI. There are 32 defined colors numbered 1 to 32. To see the colors available, you can edit the VIP from the GUI. 1 is the default color which is black. 0 sets the color to the default color.

config firewall vip
    edit {name}
    # Configure virtual IP for IPv4.
        set name {string}   Virtual IP name. size[63]
        set id {integer}   Custom defined ID. range[0-65535]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set comment {string}   Comment. size[255]
        set type {option}   Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
                static-nat           Static NAT.
                load-balance         Load balance.
                server-load-balance  Server load balance.
                dns-translation      DNS translation.
                fqdn                 Fully qualified domain name.
        set dns-mapping-ttl {integer}   DNS mapping TTL (Set to zero to use TTL in DNS response, default = 0). range[0-604800]
        set ldb-method {option}   Method used to distribute sessions to real servers.
                static         Distribute to server based on source IP.
                round-robin    Distribute to server based on round robin order.
                weighted       Distribute to server based on weight.
                least-session  Distribute to server with lowest session count.
                least-rtt      Distribute to server with lowest Round-Trip-Time.
                first-alive    Distribute to the first server that is alive.
                http-host      Distribute to server based on host field in HTTP header.
        config src-filter
            edit {range}
            # Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces.
                set range {string}   Source-filter range. size[64]
            next
        config service
            edit {name}
            # Service name.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        set extip {string}   IP address or address range on the external interface that you want to map to an address or address range on the destination network.
        config extaddr
            edit {name}
            # External FQDN address name.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config mappedip
            edit {range}
            # IP address or address range on the destination network to which the external IP address is mapped.
                set range {string}   Mapped IP range. size[64]
            next
        set mapped-addr {string}   Mapped FQDN address name. size[63] - datasource(s): firewall.address.name
        set extintf {string}   Interface connected to the source network that receives the packets that will be forwarded to the destination network. size[35] - datasource(s): system.interface.name
        set arp-reply {disable | enable}   Enable to respond to ARP requests for this virtual IP address. Enabled by default.
        set server-type {option}   Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
                http   HTTP
                https  HTTPS
                imaps  IMAPS
                pop3s  POP3S
                smtps  SMTPS
                ssl    SSL
                tcp    TCP
                udp    UDP
                ip     IP
        set persistence {none | http-cookie | ssl-session-id}   Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
                none            None.
                http-cookie     HTTP cookie.
                ssl-session-id  SSL session ID.
        set nat-source-vip {disable | enable}   Enable/disable forcing the source NAT mapped IP to the external IP for all traffic.
        set portforward {disable | enable}   Enable/disable port forwarding.
        set protocol {tcp | udp | sctp | icmp}   Protocol to use when forwarding packets.
                tcp   TCP.
                udp   UDP.
                sctp  SCTP.
                icmp  ICMP.
        set extport {string}   Incoming port number range that you want to map to a port number range on the destination network.
        set mappedport {string}   Port number range on the destination network to which the external port number range is mapped.
        set gratuitous-arp-interval {integer}   Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable. range[5-8640000]
        config srcintf-filter
            edit {interface-name}
            # Interfaces to which the VIP applies. Separate the names with spaces.
                set interface-name {string}   Interface name. size[64] - datasource(s): system.interface.name
            next
        set portmapping-type {1-to-1 | m-to-n}   Port mapping type.
                1-to-1  One to one.
                m-to-n  Many to many.
        config realservers
            edit {id}
            # Select the real servers that this server load balancing VIP will distribute traffic to.
                set id {integer}   Real server ID. range[0-4294967295]
                set ip {ipv4 address any}   IP address of the real server.
                set port {integer}   Port for communicating with the real server. Required if port forwarding is enabled. range[1-65535]
                set status {active | standby | disable}   Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
                        active   Server status active.
                        standby  Server status standby.
                        disable  Server status disable.
                set weight {integer}   Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. range[1-255]
                set holddown-interval {integer}   Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. range[30-65535]
                set healthcheck {disable | enable | vip}   Enable to check the responsiveness of the real server before forwarding traffic.
                set http-host {string}   HTTP server domain name in HTTP header. size[63]
                set max-connections {integer}   Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. range[0-2147483647]
                set monitor {string}   Name of the health check monitor to use when polling to determine a virtual server's connectivity status. size[64] - datasource(s): firewall.ldb-monitor.name
                set client-ip {string}   Only clients in this IP range can connect to this real server.
            next
        set http-cookie-domain-from-host {disable | enable}   Enable/disable use of HTTP cookie domain from host field in HTTP.
        set http-cookie-domain {string}   Domain that HTTP cookie persistence should apply to. size[35]
        set http-cookie-path {string}   Limit HTTP cookie persistence to the specified path. size[35]
        set http-cookie-generation {integer}   Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. range[0-4294967295]
        set http-cookie-age {integer}   Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. range[0-525600]
        set http-cookie-share {disable | same-ip}   Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
                disable  Only allow HTTP cookie to match this virtual server.
                same-ip  Allow HTTP cookie to match any virtual server with same IP.
        set https-cookie-secure {disable | enable}   Enable/disable verification that inserted HTTPS cookies are secure.
        set http-multiplex {enable | disable}   Enable/disable HTTP multiplexing.
        set http-ip-header {enable | disable}   For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
        set http-ip-header-name {string}   For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. size[35]
        set outlook-web-access {disable | enable}   Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
        set weblogic-server {disable | enable}   Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
        set websphere-server {disable | enable}   Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
        set ssl-mode {half | full}   Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
                half  Client to FortiGate SSL.
                full  Client to FortiGate and FortiGate to Server SSL.
        set ssl-certificate {string}   The name of the SSL certificate to use for SSL acceleration. size[35] - datasource(s): vpn.certificate.local.name
        set ssl-dh-bits {option}   Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
                768   768-bit Diffie-Hellman prime.
                1024  1024-bit Diffie-Hellman prime.
                1536  1536-bit Diffie-Hellman prime.
                2048  2048-bit Diffie-Hellman prime.
                3072  3072-bit Diffie-Hellman prime.
                4096  4096-bit Diffie-Hellman prime.
        set ssl-algorithm {high | medium | low | custom}   Permitted encryption algorithms for SSL sessions according to encryption strength.
                high    High encryption. Allow only AES and ChaCha.
                medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
                custom  Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.
        config ssl-cipher-suites
            edit {priority}
            # SSL/TLS cipher suites acceptable from a client, ordered by priority.
                set priority {integer}   SSL/TLS cipher suites priority. range[0-4294967295]
                set cipher {option}   Cipher suite name.
                        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256  Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256      Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA           Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-AES-128-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
                        TLS-RSA-WITH-AES-256-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
                        TLS-RSA-WITH-AES-128-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-RSA-WITH-AES-128-GCM-SHA256                Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-RSA-WITH-AES-256-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-RSA-WITH-AES-256-GCM-SHA384                Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
                        TLS-DHE-DSS-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
                        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
                        TLS-RSA-WITH-SEED-CBC-SHA                      Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
                        TLS-RSA-WITH-ARIA-128-CBC-SHA256               Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-RSA-WITH-ARIA-256-CBC-SHA384               Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-RC4-128-SHA                 Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
                        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA            Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-3DES-EDE-CBC-SHA                  Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-RC4-128-MD5                       Cipher suite TLS-RSA-WITH-RC4-128-MD5.
                        TLS-RSA-WITH-RC4-128-SHA                       Cipher suite TLS-RSA-WITH-RC4-128-SHA.
                        TLS-DHE-RSA-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
                        TLS-DHE-DSS-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
                        TLS-RSA-WITH-DES-CBC-SHA                       Cipher suite TLS-RSA-WITH-DES-CBC-SHA.
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   SSL/TLS versions that the cipher suite can be used with.
                        ssl-3.0  SSL 3.0.
                        tls-1.0  TLS 1.0.
                        tls-1.1  TLS 1.1.
                        tls-1.2  TLS 1.2.
            next
        set ssl-server-algorithm {option}   Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
                high    High encryption. Allow only AES and ChaCha.
                medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
                custom  Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.
                client  Use the same encryption algorithms for both client and server sessions.
        config ssl-server-cipher-suites
            edit {priority}
            # SSL/TLS cipher suites to offer to a server, ordered by priority.
                set priority {integer}   SSL/TLS cipher suites priority. range[0-4294967295]
                set cipher {option}   Cipher suite name.
                        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256  Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256      Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA           Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-AES-128-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
                        TLS-RSA-WITH-AES-256-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
                        TLS-RSA-WITH-AES-128-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-RSA-WITH-AES-128-GCM-SHA256                Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-RSA-WITH-AES-256-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-RSA-WITH-AES-256-GCM-SHA384                Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
                        TLS-DHE-DSS-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
                        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
                        TLS-RSA-WITH-SEED-CBC-SHA                      Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
                        TLS-RSA-WITH-ARIA-128-CBC-SHA256               Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-RSA-WITH-ARIA-256-CBC-SHA384               Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-RC4-128-SHA                 Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
                        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA            Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-3DES-EDE-CBC-SHA                  Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-RC4-128-MD5                       Cipher suite TLS-RSA-WITH-RC4-128-MD5.
                        TLS-RSA-WITH-RC4-128-SHA                       Cipher suite TLS-RSA-WITH-RC4-128-SHA.
                        TLS-DHE-RSA-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
                        TLS-DHE-DSS-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
                        TLS-RSA-WITH-DES-CBC-SHA                       Cipher suite TLS-RSA-WITH-DES-CBC-SHA.
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   SSL/TLS versions that the cipher suite can be used with.
                        ssl-3.0  SSL 3.0.
                        tls-1.0  TLS 1.0.
                        tls-1.1  TLS 1.1.
                        tls-1.2  TLS 1.2.
            next
        set ssl-pfs {require | deny | allow}   Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
                require  Allow only Diffie-Hellman cipher-suites, so PFS is applied.
                deny     Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
                allow    Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version acceptable from a client.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version acceptable from a client.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-server-min-version {option}   Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
                client   Use same value as client configuration.
        set ssl-server-max-version {option}   Highest SSL/TLS version acceptable from a server. Use the client setting by default.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
                client   Use same value as client configuration.
        set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
        set ssl-client-fallback {disable | enable}   Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
        set ssl-client-renegotiation {allow | deny | secure}   Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
                allow   Allow an SSL client to renegotiate.
                deny    Abort any client initiated SSL re-negotiation attempt.
                secure  Abort any client initiated SSL re-negotiation attempt that does not use RFC 5746 Secure Renegotiation.
        set ssl-client-session-state-type {disable | time | count | both}   How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
                disable  Do not keep session states.
                time     Expire session states after this many minutes.
                count    Expire session states when this maximum is reached.
                both     Expire session states based on time or count, whichever occurs first.
        set ssl-client-session-state-timeout {integer}   Number of minutes to keep client to FortiGate SSL session state. range[1-14400]
        set ssl-client-session-state-max {integer}   Maximum number of client to FortiGate SSL session states to keep. range[1-10000]
        set ssl-server-session-state-type {disable | time | count | both}   How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
                disable  Do not keep session states.
                time     Expire session states after this many minutes.
                count    Expire session states when this maximum is reached.
                both     Expire session states based on time or count, whichever occurs first.
        set ssl-server-session-state-timeout {integer}   Number of minutes to keep FortiGate to Server SSL session state. range[1-14400]
        set ssl-server-session-state-max {integer}   Maximum number of FortiGate to Server SSL session states to keep. range[1-10000]
        set ssl-http-location-conversion {enable | disable}   Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
        set ssl-http-match-host {enable | disable}   Enable/disable HTTP host matching for location conversion.
        set ssl-hpkp {disable | enable | report-only}   Enable/disable including HPKP header in response.
        set ssl-hpkp-primary {string}   Certificate to generate primary HPKP pin from. size[35] - datasource(s): vpn.certificate.local.name,vpn.certificate.ca.name
        set ssl-hpkp-backup {string}   Certificate to generate backup HPKP pin from. size[35] - datasource(s): vpn.certificate.local.name,vpn.certificate.ca.name
        set ssl-hpkp-age {integer}   Number of seconds the client should honour the HPKP setting. range[60-157680000]
        set ssl-hpkp-report-uri {string}   URL to report HPKP violations to. size[255]
        set ssl-hpkp-include-subdomains {disable | enable}   Indicate that HPKP header applies to all subdomains.
        set ssl-hsts {disable | enable}   Enable/disable including HSTS header in response.
        set ssl-hsts-age {integer}   Number of seconds the client should honour the HSTS setting. range[60-157680000]
        set ssl-hsts-include-subdomains {disable | enable}   Indicate that HSTS header applies to all subdomains.
        config monitor
            edit {name}
            # Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
                set name {string}   Health monitor name. size[64] - datasource(s): firewall.ldb-monitor.name
            next
        set max-embryonic-connections {integer}   Maximum number of incomplete connections. range[0-100000]
        set color {integer}   Color of icon on the GUI. range[0-32]
    next
end
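The SSL settings above (ssl-min-version, ssl-pfs, ssl-algorithm, ssl-cipher-suites and ssl-hsts) are the ones most worth reviewing in a saved configuration; the same keys appear again in config firewall vip6 below. The following added example, not part of this reference or of any Fortinet tooling, parses the config/edit/next/end nesting of a FortiOS config dump and flags VIP entries whose SSL offload settings fall short of TLS 1.2 with PFS, strong suites and HSTS. The dump it audits is a constructed sample, and treating an unset key as its weakest value is an assumption of the script, not a documented default.

```python
"""Audit the SSL settings of FortiOS firewall VIP / VIP6 entries in a config dump."""

# Constructed sample (not a real device dump): one weak and one hardened VIP6.
SAMPLE_CONFIG = """\
config firewall vip6
    edit "legacy-web"
        set server-type https
        set ssl-min-version tls-1.0
        set ssl-pfs allow
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-RSA-WITH-RC4-128-SHA
                set versions tls-1.0 tls-1.1 tls-1.2
            next
            edit 2
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
                set versions tls-1.2
            next
        end
        set ssl-hsts disable
    next
    edit "hardened-web"
        set server-type https
        set ssl-mode full
        set ssl-min-version tls-1.2
        set ssl-pfs require
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                set versions tls-1.2
            next
        end
        set ssl-hsts enable
        set ssl-hsts-age 31536000
    next
end
"""

SSL_SERVER_TYPES = {"https", "ssl", "imaps", "pop3s", "smtps"}
VERSION_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]
WEAK_CIPHER_TOKENS = ("RC4", "DES-CBC", "3DES", "MD5")
VIP_TABLES = {"firewall vip", "firewall vip6"}


def parse_vips(text):
    """Return {vip_name: {"settings": {key: [values]}, "ciphers": [suite, ...]}}."""
    vips, stack, vip, nested = {}, [], None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            stack.pop()
        elif tok[0] == "edit":
            if stack[-1] in VIP_TABLES:
                vip = vips.setdefault(tok[1].strip('"'), {"settings": {}, "ciphers": []})
            else:
                nested = {}  # entry of a table nested inside the VIP (suites, realservers, ...)
        elif tok[0] == "next":
            if nested is not None:
                # Only ssl-cipher-suites entries are kept; other nested tables are skipped.
                if stack[-1] == "ssl-cipher-suites" and "cipher" in nested:
                    vip["ciphers"].append(nested["cipher"][0])
                nested = None
            else:
                vip = None
        elif tok[0] == "set" and len(tok) >= 3:
            target = nested if nested is not None else (vip["settings"] if vip else None)
            if target is not None:
                target[tok[1]] = tok[2:]
    return vips


def audit_vip(name, vip):
    """List hardening gaps for one SSL-offloading VIP; unset keys are treated as
    their weakest value (assumption of this script, not the documented default)."""
    s, findings = vip["settings"], []
    if s.get("server-type", [""])[0] not in SSL_SERVER_TYPES:
        return findings  # no SSL offload on this VIP, nothing to check
    minv = s.get("ssl-min-version", ["ssl-3.0"])[0]
    if minv in VERSION_ORDER and VERSION_ORDER.index(minv) < VERSION_ORDER.index("tls-1.2"):
        findings.append(f"{name}: ssl-min-version {minv} allows negotiation below TLS 1.2")
    if s.get("ssl-pfs", ["allow"])[0] != "require":
        findings.append(f"{name}: ssl-pfs not 'require', non-PFS suites can be selected")
    if s.get("ssl-algorithm", ["high"])[0] in ("medium", "low"):
        findings.append(f"{name}: ssl-algorithm permits RC4 or DES")
    for suite in vip["ciphers"]:
        if any(t in suite for t in WEAK_CIPHER_TOKENS):
            findings.append(f"{name}: weak cipher suite {suite} in ssl-cipher-suites")
    if s.get("ssl-hsts", ["disable"])[0] != "enable":
        findings.append(f"{name}: ssl-hsts disabled, HSTS header not sent")
    return findings


def audit_config(text):
    """Map every VIP name in the dump to its list of findings."""
    return {n: audit_vip(n, v) for n, v in parse_vips(text).items()}
```

Running audit_config on the sample reports four gaps for "legacy-web" (TLS 1.0 minimum, PFS not required, an RC4 suite, HSTS off) and none for "hardened-web".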
config firewall vip6
    edit {name}
    # Configure virtual IP for IPv6.
        set name {string}   Virtual ip6 name. size[63]
        set id {integer}   Custom defined ID. range[0-65535]
        set uuid {uuid}   Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
        set comment {string}   Comment. size[255]
        set type {static-nat | server-load-balance}   Configure a static NAT or server load balance VIP.
                static-nat           Static NAT.
                server-load-balance  Server load balance.
        config src-filter
            edit {range}
            # Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces.
                set range {string}   Source-filter range. size[79]
            next
        set extip {string}   IP address or address range on the external interface that you want to map to an address or address range on the destination network.
        set mappedip {string}   Mapped IP address range in the format startIP-endIP.
        set arp-reply {disable | enable}   Enable to respond to ARP requests for this virtual IP address. Enabled by default.
        set portforward {disable | enable}   Enable port forwarding.
        set protocol {tcp | udp | sctp}   Protocol to use when forwarding packets.
                tcp   TCP.
                udp   UDP.
                sctp  SCTP.
        set extport {string}   Incoming port number range that you want to map to a port number range on the destination network.
        set mappedport {string}   Port number range on the destination network to which the external port number range is mapped.
        set color {integer}   Color of icon on the GUI. range[0-32]
        set ldb-method {option}   Method used to distribute sessions to real servers.
                static         Distribute sessions based on source IP.
                round-robin    Distribute sessions based on round robin order.
                weighted       Distribute sessions based on weight.
                least-session  Sends new sessions to the server with the lowest session count.
                least-rtt      Distribute new sessions to the server with lowest Round-Trip-Time.
                first-alive    Distribute sessions to the first server that is alive.
                http-host      Distribute sessions to servers based on host field in HTTP header.
        set server-type {option}   Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
                http   HTTP
                https  HTTPS
                imaps  IMAPS
                pop3s  POP3S
                smtps  SMTPS
                ssl    SSL
                tcp    TCP
                udp    UDP
                ip     IP
        set persistence {none | http-cookie | ssl-session-id}   Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
                none            None.
                http-cookie     HTTP cookie.
                ssl-session-id  SSL session ID.
        config realservers
            edit {id}
            # Select the real servers that this server load balancing VIP will distribute traffic to.
                set id {integer}   Real server ID. range[0-4294967295]
                set ip {ipv6 address}   IPv6 address of the real server.
                set port {integer}   Port for communicating with the real server. Required if port forwarding is enabled. range[1-65535]
                set status {active | standby | disable}   Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
                        active   Server status active.
                        standby  Server status standby.
                        disable  Server status disable.
                set weight {integer}   Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. range[1-255]
                set holddown-interval {integer}   Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. range[30-65535]
                set healthcheck {disable | enable | vip}   Enable to check the responsiveness of the real server before forwarding traffic.
                set http-host {string}   HTTP server domain name in HTTP header. size[63]
                set max-connections {integer}   Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. range[0-2147483647]
                set monitor {string}   Name of the health check monitor to use when polling to determine a virtual server's connectivity status. size[64] - datasource(s): firewall.ldb-monitor.name
                set client-ip {string}   Only clients in this IP range can connect to this real server.
            next
        set http-cookie-domain-from-host {disable | enable}   Enable/disable use of HTTP cookie domain from host field in HTTP.
        set http-cookie-domain {string}   Domain that HTTP cookie persistence should apply to. size[35]
        set http-cookie-path {string}   Limit HTTP cookie persistence to the specified path. size[35]
        set http-cookie-generation {integer}   Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. range[0-4294967295]
        set http-cookie-age {integer}   Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. range[0-525600]
        set http-cookie-share {disable | same-ip}   Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
                disable  Only allow HTTP cookie to match this virtual server.
                same-ip  Allow HTTP cookie to match any virtual server with same IP.
        set https-cookie-secure {disable | enable}   Enable/disable verification that inserted HTTPS cookies are secure.
        set http-multiplex {enable | disable}   Enable/disable HTTP multiplexing.
        set http-ip-header {enable | disable}   For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
        set http-ip-header-name {string}   For HTTP multiplexing, enter a custom HTTP header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. size[35]
        set outlook-web-access {disable | enable}   Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
        set weblogic-server {disable | enable}   Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
        set websphere-server {disable | enable}   Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
        set ssl-mode {half | full}   Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
                half  Client to FortiGate SSL.
                full  Client to FortiGate and FortiGate to Server SSL.
        set ssl-certificate {string}   The name of the SSL certificate to use for SSL acceleration. size[35] - datasource(s): vpn.certificate.local.name
        set ssl-dh-bits {option}   Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
                768   768-bit Diffie-Hellman prime.
                1024  1024-bit Diffie-Hellman prime.
                1536  1536-bit Diffie-Hellman prime.
                2048  2048-bit Diffie-Hellman prime.
                3072  3072-bit Diffie-Hellman prime.
                4096  4096-bit Diffie-Hellman prime.
        set ssl-algorithm {high | medium | low | custom}   Permitted encryption algorithms for SSL sessions according to encryption strength.
                high    Use AES or 3DES.
                medium  Use AES, 3DES, or RC4.
                low     Use AES, 3DES, RC4, or DES.
                custom  Use config ssl-cipher-suites to select the cipher suites that are allowed.
        config ssl-cipher-suites
            edit {priority}
            # SSL/TLS cipher suites acceptable from a client, ordered by priority.
                set priority {integer}   SSL/TLS cipher suites priority. range[0-4294967295]
                set cipher {option}   Cipher suite name.
                        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256  Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256      Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA           Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-AES-128-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
                        TLS-RSA-WITH-AES-256-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
                        TLS-RSA-WITH-AES-128-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-RSA-WITH-AES-128-GCM-SHA256                Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-RSA-WITH-AES-256-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-RSA-WITH-AES-256-GCM-SHA384                Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
                        TLS-DHE-DSS-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
                        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
                        TLS-RSA-WITH-SEED-CBC-SHA                      Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
                        TLS-RSA-WITH-ARIA-128-CBC-SHA256               Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-RSA-WITH-ARIA-256-CBC-SHA384               Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-RC4-128-SHA                 Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
                        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA            Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-3DES-EDE-CBC-SHA                  Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-RC4-128-MD5                       Cipher suite TLS-RSA-WITH-RC4-128-MD5.
                        TLS-RSA-WITH-RC4-128-SHA                       Cipher suite TLS-RSA-WITH-RC4-128-SHA.
                        TLS-DHE-RSA-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
                        TLS-DHE-DSS-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
                        TLS-RSA-WITH-DES-CBC-SHA                       Cipher suite TLS-RSA-WITH-DES-CBC-SHA.
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   SSL/TLS versions that the cipher suite can be used with.
                        ssl-3.0  SSL 3.0.
                        tls-1.0  TLS 1.0.
                        tls-1.1  TLS 1.1.
                        tls-1.2  TLS 1.2.
            next
        set ssl-server-algorithm {option}   Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
                high    Use AES or 3DES.
                medium  Use AES, 3DES, or RC4.
                low     Use AES, 3DES, RC4, or DES.
                custom  Use config ssl-server-cipher-suites to select the cipher suites that are allowed.
                client  Use the same encryption algorithms for client and server sessions.
        config ssl-server-cipher-suites
            edit {priority}
            # SSL/TLS cipher suites to offer to a server, ordered by priority.
                set priority {integer}   SSL/TLS cipher suites priority. range[0-4294967295]
                set cipher {option}   Cipher suite name.
                        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256  Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256      Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA               Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256            Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384            Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256          Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA             Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
                        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384          Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA           Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
                        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
                        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384        Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-AES-128-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
                        TLS-RSA-WITH-AES-256-CBC-SHA                   Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
                        TLS-RSA-WITH-AES-128-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
                        TLS-RSA-WITH-AES-128-GCM-SHA256                Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
                        TLS-RSA-WITH-AES-256-CBC-SHA256                Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
                        TLS-RSA-WITH-AES-256-GCM-SHA384                Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA              Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256           Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA          Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
                        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256       Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
                        TLS-DHE-RSA-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
                        TLS-DHE-DSS-WITH-SEED-CBC-SHA                  Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
                        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256           Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
                        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384           Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
                        TLS-RSA-WITH-SEED-CBC-SHA                      Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
                        TLS-RSA-WITH-ARIA-128-CBC-SHA256               Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-RSA-WITH-ARIA-256-CBC-SHA384               Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384         Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.
                        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384       Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.
                        TLS-ECDHE-RSA-WITH-RC4-128-SHA                 Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
                        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA            Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA              Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-3DES-EDE-CBC-SHA                  Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
                        TLS-RSA-WITH-RC4-128-MD5                       Cipher suite TLS-RSA-WITH-RC4-128-MD5.
                        TLS-RSA-WITH-RC4-128-SHA                       Cipher suite TLS-RSA-WITH-RC4-128-SHA.
                        TLS-DHE-RSA-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
                        TLS-DHE-DSS-WITH-DES-CBC-SHA                   Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
                        TLS-RSA-WITH-DES-CBC-SHA                       Cipher suite TLS-RSA-WITH-DES-CBC-SHA.
                set versions {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   SSL/TLS versions that the cipher suite can be used with.
                        ssl-3.0  SSL 3.0.
                        tls-1.0  TLS 1.0.
                        tls-1.1  TLS 1.1.
                        tls-1.2  TLS 1.2.
            next
        set ssl-pfs {require | deny | allow}   Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
                require  Allow only Diffie-Hellman cipher-suites, so PFS is applied.
                deny     Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
                allow    Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
        set ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version acceptable from a client.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version acceptable from a client.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-server-min-version {option}   Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
                client   Use same value as client configuration.
        set ssl-server-max-version {option}   Highest SSL/TLS version acceptable from a server. Use the client setting by default.
                ssl-3.0  SSL 3.0.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
                client   Use same value as client configuration.
        set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
        set ssl-client-fallback {disable | enable}   Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
        set ssl-client-renegotiation {allow | deny | secure}   Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
                allow   Allow a SSL client to renegotiate.
                deny    Abort any SSL connection that attempts to renegotiate.
                secure  Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
        set ssl-client-session-state-type {disable | time | count | both}   How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
                disable  Do not keep session states.
                time     Expire session states after this many minutes.
                count    Expire session states when this maximum is reached.
                both     Expire session states based on time or count, whichever occurs first.
        set ssl-client-session-state-timeout {integer}   Number of minutes to keep client to FortiGate SSL session state. range[1-14400]
        set ssl-client-session-state-max {integer}   Maximum number of client to FortiGate SSL session states to keep. range[1-10000]
        set ssl-server-session-state-type {disable | time | count | both}   How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
                disable  Do not keep session states.
                time     Expire session states after this many minutes.
                count    Expire session states when this maximum is reached.
                both     Expire session states based on time or count, whichever occurs first.
        set ssl-server-session-state-timeout {integer}   Number of minutes to keep FortiGate to Server SSL session state. range[1-14400]
        set ssl-server-session-state-max {integer}   Maximum number of FortiGate to Server SSL session states to keep. range[1-10000]
        set ssl-http-location-conversion {enable | disable}   Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
        set ssl-http-match-host {enable | disable}   Enable/disable HTTP host matching for location conversion.
        set ssl-hpkp {disable | enable | report-only}   Enable/disable including HPKP header in response.
        set ssl-hpkp-primary {string}   Certificate to generate primary HPKP pin from. size[35] - datasource(s): vpn.certificate.local.name,vpn.certificate.ca.name
        set ssl-hpkp-backup {string}   Certificate to generate backup HPKP pin from. size[35] - datasource(s): vpn.certificate.local.name,vpn.certificate.ca.name
        set ssl-hpkp-age {integer}   Number of minutes the web browser should keep HPKP. range[60-157680000]
        set ssl-hpkp-report-uri {string}   URL to report HPKP violations to. size[255]
        set ssl-hpkp-include-subdomains {disable | enable}   Indicate that HPKP header applies to all subdomains.
        set ssl-hsts {disable | enable}   Enable/disable including HSTS header in response.
        set ssl-hsts-age {integer}   Number of seconds the client should honour the HSTS setting. range[60-157680000]
        set ssl-hsts-include-subdomains {disable | enable}   Indicate that HSTS header applies to all subdomains.
        config monitor
            edit {name}
            # Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
                set name {string}   Health monitor name. size[64] - datasource(s): firewall.ldb-monitor.name
            next
        set max-embryonic-connections {integer}   Maximum number of incomplete connections. range[0-100000]
    next
end
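
The TLS settings listed above (ssl-min-version, ssl-pfs, ssl-client-renegotiation, ssl-hsts and the per-VIP cipher suite entries) decide what a client can negotiate with a VIP that terminates SSL. The following script is an added example, not code from Fortinet or from this reference: it parses a `config firewall vip` fragment written in the CLI syntax shown above and reports the weak choices, using a constructed weak VIP and its hardened counterpart as input. The VIP names and values are made up; `ssl-cipher-suites` is assumed to be the name of the table whose `set cipher` and `set versions` entries appear above; and the classification of RC4, DES, 3DES and MD5 suites as weak is the editor's, not a FortiOS rule.

```python
# Constructed input (not a real configuration): a VIP with weak TLS choices,
# written in the CLI syntax this reference uses.
WEAK_VIP = """\
config firewall vip
    edit "vip-web-weak"
        set type server-load-balance
        set server-type https
        set ssl-min-version ssl-3.0
        set ssl-pfs deny
        set ssl-client-renegotiation allow
        set ssl-hsts disable
        config ssl-cipher-suites
            edit 1
                set cipher TLS-RSA-WITH-RC4-128-MD5
                set versions ssl-3.0 tls-1.0
            next
            edit 2
                set cipher TLS-RSA-WITH-3DES-EDE-CBC-SHA
                set versions tls-1.0 tls-1.1
            next
        end
    next
end
"""

# Constructed input: the same VIP with the settings corrected.
HARDENED_VIP = """\
config firewall vip
    edit "vip-web-hardened"
        set type server-load-balance
        set server-type https
        set ssl-min-version tls-1.2
        set ssl-pfs require
        set ssl-client-renegotiation secure
        set ssl-hsts enable
        set ssl-hsts-age 31536000
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                set versions tls-1.2
            next
        end
    next
end
"""

VERSION_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]
WEAK_CIPHER_MARKERS = ("-RC4-", "-DES-", "-3DES-", "-MD5")   # editor's classification
CIPHER_TABLE = "config ssl-cipher-suites"                    # assumed table name


def parse_vip(text):
    """Top-level `set` lines go to `settings`; each `edit` under the cipher
    table becomes one dict in `ciphers`. Only the nesting shown here is handled."""
    settings, ciphers, stack = {}, [], []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        in_cipher_table = len(stack) >= 2 and stack[-2] == CIPHER_TABLE
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok))
            if tok[0] == "edit" and len(stack) >= 2 and stack[-2] == CIPHER_TABLE:
                ciphers.append({})
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set":
            (ciphers[-1] if in_cipher_table else settings)[tok[1]] = tok[2:]
    return settings, ciphers


def audit_vip(settings, ciphers):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    min_ver = settings.get("ssl-min-version", [None])[0]
    if min_ver not in VERSION_ORDER or VERSION_ORDER.index(min_ver) < 3:
        findings.append(f"ssl-min-version {min_ver}: versions below TLS 1.2 accepted")
    if settings.get("ssl-pfs", [None])[0] != "require":
        findings.append("ssl-pfs: not 'require', non-forward-secret key exchange possible")
    if settings.get("ssl-client-renegotiation", [None])[0] == "allow":
        findings.append("ssl-client-renegotiation allow: renegotiation without RFC 5746")
    if settings.get("ssl-hsts", [None])[0] != "enable":
        findings.append("ssl-hsts: HSTS header not sent")
    for entry in ciphers:
        name = entry.get("cipher", ["?"])[0]
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"cipher {name}: weak primitive")
        if "ssl-3.0" in entry.get("versions", []):
            findings.append(f"cipher {name}: enabled for SSL 3.0")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit one VIP fragment."""
    return audit_vip(*parse_vip(text))
```

Calling audit_text on the weak fragment reports seven findings (the protocol floor, missing PFS, insecure renegotiation, no HSTS, two problems with the RC4/MD5 suite and one with the 3DES suite); the hardened fragment reports none. The same parser can be pointed at a VIP entry copied from a configuration backup.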

Additional information

The following section is for those options that require additional explanation.

uuid

Each VIP has a Universally Unique Identifier (UUID) that is automatically assigned. It is a 128 bit value written in hexadecimal. It can be edited.

comment <comment>

Add a comment about the VIP.

type {dns-translation | fqdn | load-balance | server-load-balance | static-nat}

Select the type of static or dynamic NAT applied by the virtual IP.

  • dns-translation dynamic VIP with DNS translation.
  • load-balance dynamic NAT load balancing with server selection from an IP address range.
  • server-load-balance dynamic NAT load balancing with server selection from among up to eight real servers, determined by your selected load balancing algorithm and server responsiveness monitors. Includes SSL offloading.
  • static-nat Static NAT (the default).
  • fqdn dynamic fully qualified domain name (FQDN) VIP.

ldb-method {first-alive | http-host | least-rtt | least-session | round-robin | static | weighted}

Select the method used by the virtual server to distribute sessions to the real servers. You add real servers to the virtual server using config realservers.

This option appears only if type is server-load-balance.

first-alive Always directs requests to the first alive real server. In this case “first” refers to the order of the real servers in the virtual server configuration. For example, if you add real servers A, B and C in that order, then traffic always goes to A as long as it is alive. If A goes down then traffic goes to B and if B goes down the traffic goes to C. If A comes back up, traffic goes to A. Real servers are ordered in the virtual server configuration in the order in which you add them, with the most recently added real server last. If you want to change the order you must delete and re-add real servers as required.

http-host Load balance HTTP requests by the contents of the HOST header.

least-rtt Directs requests to the real server with the least round trip time. The round trip time is determined by a Ping monitor and is defaulted to 0 if no Ping monitors are defined.

least-session Directs requests to the real server that has the least number of current connections. This method works best in environments where the real servers or other equipment you are load balancing have similar capabilities.

round-robin Directs requests to the next real server in turn, and treats all real servers as equals regardless of response time or number of connections. Unresponsive real servers are avoided. A separate real server is required.

static (the default) Distributes sessions evenly across all real servers according to the session source IP address. This load balancing method provides some persistence because all sessions from the same source address would always go to the same server. However, the distribution is stateless, so if a real server is added or removed (or goes up or down) the distribution is changed so persistence will be lost. Separate real servers are not required.

weighted Real servers with a higher weight value receive a larger percentage of connections at any one time. Server weights can be set in config realservers set weight.
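
To make the behaviour of these methods concrete, here is a small Python model, added for this edit and not part of the FortiOS documentation or code: a VirtualServer picks a real server for each new session by first-alive, round-robin, static, weighted or least-session, and the demo functions reproduce the properties described above, in particular that static keeps a source on one server only until the pool changes. The hash used for static (source address as an integer modulo the number of alive servers) is an assumption made for the model; the page does not document the hash FortiOS uses.

```python
import ipaddress


class RealServer:
    def __init__(self, name, weight=1, alive=True):
        self.name, self.weight, self.alive = name, weight, alive
        self.sessions = 0          # current session count, consulted by least-session


class VirtualServer:
    """Toy model of the ldb-method choices described above (hypothetical, not FortiOS).
    'static' is modelled as (source address as integer) mod (number of alive servers)."""

    def __init__(self, servers, method):
        self.servers = list(servers)   # order of addition is what first-alive uses
        self.method = method
        self._turn = 0                 # cursor shared by round-robin and weighted

    def alive(self):
        return [s for s in self.servers if s.alive]   # unresponsive servers are skipped

    def pick(self, src_ip):
        """Return the name of the real server a new session from src_ip is sent to."""
        alive = self.alive()
        if not alive:
            return None
        if self.method == "first-alive":
            chosen = alive[0]
        elif self.method == "round-robin":
            chosen = alive[self._turn % len(alive)]
            self._turn += 1
        elif self.method == "static":
            chosen = alive[int(ipaddress.ip_address(src_ip)) % len(alive)]
        elif self.method == "weighted":
            slots = [s for s in alive for _ in range(s.weight)]   # weight = share of turns
            chosen = slots[self._turn % len(slots)]
            self._turn += 1
        elif self.method == "least-session":
            chosen = min(alive, key=lambda s: s.sessions)
        else:
            raise ValueError(f"unknown ldb-method {self.method}")
        chosen.sessions += 1
        return chosen.name


def static_persistence_demo():
    """'static' keeps 10.0.0.1 on one server until adding a server changes the hash space."""
    vs = VirtualServer([RealServer("A"), RealServer("B"), RealServer("C")], "static")
    before = [vs.pick("10.0.0.1") for _ in range(3)]
    vs.servers.append(RealServer("D"))          # pool change: persistence is lost
    return before, vs.pick("10.0.0.1")          # (['C', 'C', 'C'], 'B')


def first_alive_demo():
    """Traffic stays on A while A is alive, moves to B when A is down, returns to A."""
    pool = [RealServer("A"), RealServer("B"), RealServer("C")]
    vs = VirtualServer(pool, "first-alive")
    seq = [vs.pick("10.0.0.1")]
    pool[0].alive = False
    seq.append(vs.pick("10.0.0.1"))
    pool[0].alive = True
    seq.append(vs.pick("10.0.0.1"))
    return seq                                  # ['A', 'B', 'A']


def weighted_demo(sessions=6):
    """A with weight 2 receives twice the sessions of B with weight 1."""
    vs = VirtualServer([RealServer("A", weight=2), RealServer("B")], "weighted")
    picks = [vs.pick(f"10.0.0.{i}") for i in range(sessions)]
    return picks.count("A"), picks.count("B")   # (4, 2)


def round_robin_demo():
    """Round robin skips the unresponsive server B."""
    pool = [RealServer("A"), RealServer("B", alive=False), RealServer("C")]
    vs = VirtualServer(pool, "round-robin")
    return [vs.pick("10.0.0.1") for _ in range(4)]   # ['A', 'C', 'A', 'C']
```

The static demo is the caveat to remember when relying on ldb-method static instead of explicit persistence: adding or removing a real server, or a server going down, reshuffles the whole mapping, not just the sessions that were on the affected server.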

dns-mapping-ttl

Enter the time-to-live for DNS responses. Range 0 to 604800. Available when type is dns-translation. Default is 0, which means use the TTL in the DNS server's response.

src-filter <address> [<address>...]

Enter a source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses by spaces.

extip <address>[-<address>]

Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network.

If type is static-nat and mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.

To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0.

mappedip <address> [<address>...]

Enter the IP address or IP address range on the destination network to which the external IP address is mapped.

If type is static-nat and mappedip is an IP address range, FortiOS uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.

If type is load-balance and mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.

Input each address (separated by spaces) in the format of IP (x.x.x.x), IP subnet (x.x.x.x/y) or IP range (x.x.x.x-y.y.y.y).

extintf <name>

Enter the name of the interface connected to the source network that receives the packets that will be forwarded to the destination network. The interface name can be any FortiGate network interface, VLAN subinterface, IPSec VPN interface, or modem interface.

arp-reply {disable | enable}

Enable to respond to ARP requests for this virtual IP address. Enabled by default.

server-type {http | https | imaps | ip | pop3s | smtps | ssl | tcp | udp}

If the type is server-load-balance, select the protocol to be load balanced by the virtual server (also called the server load balance virtual IP). If you select a general protocol such as ip, tcp, or udp the virtual server load balances all IP, TCP, or UDP sessions. If you select specific protocols such as http, https, or ssl you can apply additional server load balancing features such as persistence and HTTP multiplexing.

  • http load balance only HTTP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 80 for HTTP sessions). You can also configure http-multiplex. You can also set persistence to http-cookie and configure the http-cookie-domain, http-cookie-path, http-cookie-generation, http-cookie-age, and http-cookie-share settings for cookie persistence.
  • https load balance only HTTPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 443 for HTTPS sessions). You can also configure http-multiplex and set persistence to http-cookie and configure the same http-cookie options as for http virtual servers plus the https-cookie-secure option. You can also set persistence to ssl-session-id. You can also configure the SSL options such as ssl-mode and ssl-certificate and so on. https is available on FortiGate units that support SSL acceleration.
  • imaps load balance only IMAPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 993 for IMAPS sessions).
  • ip load balance all sessions accepted by the firewall policy that contains this server load balance virtual IP. Since all sessions are load balanced you don’t have to set the extport.
  • pop3s load balance only POP3S sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 995 for POP3S sessions).
  • smtps load balance only SMTPS sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced (usually port 465 for SMTPS sessions).
  • ssl load balance only SSL sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced. You can also configure the SSL options such as ssl-mode and ssl-certificate and so on.
  • tcp load balance only TCP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.
  • udp load balance only UDP sessions with destination port number that matches the extport setting. Change extport to match the destination port of the sessions to be load balanced.

persistence {none | http-cookie | ssl-session-id}

If the type is server-load-balance, configure persistence for a virtual server to make sure that clients connect to the same server every time they make a request that is part of the same session.

When you configure persistence, the FortiGate load balances a new session to a real server according to the ldb-method. If the session has an HTTP cookie or an SSL session ID, the FortiGate unit sends all subsequent sessions with the same HTTP cookie or SSL session ID to the same real server.

Persistence is disabled by default. You can configure persistence if server-type is set to http, https, or ssl.

  • none No persistence. Sessions are distributed solely according to the ldb-method. Setting ldb-method to static (the default) results in behavior equivalent to persistence.
  • http-cookie all HTTP or HTTPS sessions with the same HTTP session cookie are sent to the same real server. http-cookie is available if server-type is set to https or ssl. If you select this option you can also configure http-cookie-domain, http-cookie-path, http-cookie-generation, http-cookie-age, and http-cookie-share for HTTP and these settings plus https-cookie-secure for HTTPS.
  • ssl-session-id all sessions with the same SSL session ID are sent to the same real server. ssl-session-id is available if server-type is set to https or ssl.

nat-source-vip {disable | enable}

Enable (the default) to prevent unintended servers from using a virtual IP. The virtual IP will be used as the source IP address for connections from the server through the FortiGate.

Disable to use the actual IP address of the server (or the FortiGate destination interface if using NAT) as the source address of connections from the server that pass through the FortiGate unit.

portforward {disable | enable}

Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport. Disabled by default.

protocol {sctp | tcp | udp | icmp}

Select the protocol to use when forwarding packets. The default is tcp.

extport <port-number>

External port number range that you want to map to a port number range on the destination network.

This option only appears if portforward is enabled. If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the port number range. Then set mappedport to the start and end of the destination port range.

When using port number ranges, the external port number range corresponds to a mapped port number range containing an equal number of port numbers, and each port number in the external range is always translated to the same port number in the mapped range.

If type is server-load-balance, extport is available unless server-type is ip. The value of extport changes to 80 if server-type is http and to 443 if server-type is https.
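
As an added example (not from this reference or from FortiOS), the Python functions below apply the rules given above for extip/mappedip and extport/mappedport: derive the external address range from extip and a mappedip range, reject port ranges of unequal size, and translate a packet's destination address and port one-to-one. The addresses and ports used in the checks are constructed; the code handles a single mappedip range rather than the space-separated list of several.

```python
import ipaddress


def parse_ip_range(spec):
    """'x.x.x.x' or 'x.x.x.x-y.y.y.y' (the extip/mappedip forms above) -> (first, last) as ints."""
    lo, hi = spec.split("-", 1) if "-" in spec else (spec, spec)
    lo, hi = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec}")
    return lo, hi


def parse_port_range(spec):
    """'80' or '8000-8009' -> (first, last) as ints, validated against 1..65535."""
    lo, hi = spec.split("-", 1) if "-" in spec else (spec, spec)
    lo, hi = int(lo), int(hi)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"invalid port range: {spec}")
    return lo, hi


def external_range(extip, mappedip):
    """static-nat with a mappedip range: extip gives the first external address and the
    last is derived so both ranges contain the same number of addresses."""
    ext_lo, _ = parse_ip_range(extip)            # only the start of extip is used
    map_lo, map_hi = parse_ip_range(mappedip)
    return ext_lo, ext_lo + (map_hi - map_lo)


def external_range_str(extip, mappedip):
    """Same as external_range, rendered as 'first-last' for display."""
    lo, hi = external_range(extip, mappedip)
    return f"{ipaddress.ip_address(lo)}-{ipaddress.ip_address(hi)}"


def translate(extip, mappedip, extport, mappedport, dst_ip, dst_port):
    """One-to-one translation of a packet's destination. Returns (mapped_ip, mapped_port),
    or None when the destination lies outside the VIP's external address or port range."""
    ext_lo, ext_hi = external_range(extip, mappedip)
    map_lo, _ = parse_ip_range(mappedip)
    eport_lo, eport_hi = parse_port_range(extport)
    mport_lo, mport_hi = parse_port_range(mappedport)
    if eport_hi - eport_lo != mport_hi - mport_lo:
        # the page requires equal-size port ranges; reject the VIP rather than guess
        raise ValueError("extport and mappedport must contain the same number of ports")
    dst = int(ipaddress.ip_address(dst_ip))
    if not (ext_lo <= dst <= ext_hi and eport_lo <= dst_port <= eport_hi):
        return None
    mapped_ip = ipaddress.ip_address(map_lo + (dst - ext_lo))
    return str(mapped_ip), mport_lo + (dst_port - eport_lo)
```

With extip 203.0.113.10 and mappedip 10.0.0.20-10.0.0.29 the external range becomes 203.0.113.10-203.0.113.19, and a packet to 203.0.113.12:8003 under extport 8000-8009 / mappedport 80-89 is sent to 10.0.0.22:83; a destination outside either range is not matched by the VIP at all.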

config realservers

The following are the options for config realservers, and are available only if type is server-load-balance.

ip <server-ip>

Enter the IP address of a server in this server load balancing cluster.

port

Enter the port used if port forwarding is enabled.

status {active | disable | standby}

Select whether the server is in the pool of servers currently being used for server load balanced traffic, the server is on standby, or is disabled. Default is active.

  • active The FortiGate unit may forward traffic to the server unless its health check monitors determine that the server is unresponsive, at which time the FortiGate unit temporarily uses a server whose status is standby. The health check monitor will continue to monitor the unresponsive server for the duration of holddown-interval. If this server becomes reliably responsive again, it will be restored to active use, and the standby server will revert to standby.
  • disable The FortiGate unit does not forward traffic to this server, and does not perform health checks. You might use this option to conserve server load balancing resources when you know that a server will be unavailable for a long period, such as when the server is down for repair.
  • standby If a server whose status is active becomes unresponsive, the FortiGate temporarily uses a responsive server whose status is standby until the server whose status is active again becomes reliably responsive. If multiple responsive standby servers are available, the FortiGate selects the standby server with the greatest weight. If a standby server becomes unresponsive, the FortiGate selects another responsive server whose status is standby.

holddown-interval <interval>

Enter the amount of time in seconds that the health check monitor continues to monitor the status of a server whose status is active after it has been detected to be unresponsive. Default is 300 seconds.

If the server is detected to be continuously responsive during this interval, a server whose status is standby is removed from current use and replaced with this server, which is then used by server load balanced traffic. In this way, server load balancing prefers to use active servers, if they are responsive.

If the server is detected to be unresponsive during the first holddown interval, the server remains out of use for server load balanced traffic, the health check monitor will double the holddown interval once, and continue to monitor the server for the duration of the doubled holddown interval. The health check monitor continues to monitor the server for additional iterations of the doubled holddown interval until connectivity to the server becomes reliable, at which time the holddown interval reverts to the configured interval, and the newly responsive active server replaces the standby server in the pool of servers currently in use. In effect, if the status of a server is active but the server is habitually unresponsive, the health check monitor is less likely to restore the server to use by server load balanced traffic until the server’s connectivity becomes more reliable.

This option applies only to real servers whose status is active, but have been detected to be unresponsive or down.
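
The following Python model is an added example, not FortiOS code, of the holddown behaviour described above: a sequence of health-check results moves a server between in use and out of use, the window doubles once when the server fails again during holddown, and the interval reverts when the server has been responsive for a whole window. The 60-second check cadence and the assumption that each renewed failure restarts a doubled window are the editor's; the page does not state exactly when the doubled interval restarts.

```python
class HolddownMonitor:
    """Model of how holddown-interval governs an active real server that has gone
    unresponsive (hypothetical code, not FortiOS). Health checks are fed in as
    (time_in_seconds, responsive) pairs via check()."""

    def __init__(self, configured=300):
        self.configured = configured   # holddown-interval as set for the real server
        self.interval = configured     # current window length (doubles once after a re-fail)
        self.in_use = True             # whether load-balanced traffic goes to this server
        self.window_end = None         # end time of the current holddown window
        self.events = []               # (time, description) transitions for inspection

    def check(self, t, responsive):
        """Apply one health-check result observed at time t (seconds)."""
        if self.in_use:
            if not responsive:
                # first failure: take the server out of use, a standby replaces it
                self.in_use = False
                self.interval = self.configured
                self.window_end = t + self.interval
                self.events.append((t, "removed from use; standby takes over"))
            return
        if not responsive:
            # unresponsive again while out of use: window doubled (once) and restarted
            self.interval = 2 * self.configured
            self.window_end = t + self.interval
            self.events.append((t, f"still unresponsive; holddown window now {self.interval}s"))
        elif t >= self.window_end:
            # responsive for a whole window: restore, standby reverts, interval reverts
            self.in_use = True
            self.interval = self.configured
            self.window_end = None
            self.events.append((t, "restored to use; standby reverts"))


def simulate(configured, checks):
    """Run a list of (time, responsive) results through a monitor and return it."""
    monitor = HolddownMonitor(configured)
    for t, ok in checks:
        monitor.check(t, ok)
    return monitor


def flapping_server_demo():
    """Constructed timeline: fails at t=0, recovers, fails again at t=120, then stays up,
    with a check every 60 s and the default 300 s holddown."""
    checks = [(0, False), (60, True), (120, False)] + [(t, True) for t in range(180, 901, 60)]
    return simulate(300, checks)
```

In the flapping timeline the server is removed at t=0, the second failure at t=120 stretches the window to 600 s, and the server is only restored at t=720 after a full doubled window of good checks; a server that simply recovers is restored after the configured 300 s.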

healthcheck {disable | enable}

Enable to check the responsiveness of the server before forwarding traffic. You must also configure monitor. Disabled by default.

max-connections <number>

Enter the limit on the number of active connections directed to a real server. If the maximum number of connections is reached for the real server, the FortiGate unit will automatically switch all further connection requests to another server until the connection number drops below the specified limit.

The default of 0 means unlimited connections.

client-ip <ip_range_ipv4> [<ip_range_ipv4>] [<ip_range_ipv4>] [<ip_range_ipv4>]

Restrict the clients that can connect to a real server according to the client’s source IP address. Use the client-ip option to enter up to four client source IP addresses or address ranges. Separate each IP address or range with a space. The following example shows how to add a single IP address and an IP address range:

set client-ip 192.168.1.90 192.168.1.100-192.168.1.120

Use the client-ip option if you have multiple real servers in a server load balance VIP and you want to control which clients use which real server according to the client’s source IP address. Different real servers in the same virtual server can have the same or overlapping IP addresses and ranges. If an overlap occurs, sessions from the overlapping source addresses are load balanced among the real servers with the overlapping addresses.

If you do not specify a client-ip all clients can use the real server.
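
As an added example (not Fortinet's code), the Python below applies client-ip filtering to a constructed pool of three real servers, the first of which uses the page's own example value: a server without client-ip accepts any client, a value with more than four entries is rejected, and overlapping ranges leave several servers eligible, among which ldb-method then chooses.

```python
import ipaddress


def parse_client_spec(spec):
    """'x.x.x.x' or 'x.x.x.x-y.y.y.y', as accepted by client-ip -> (first, last) as ints."""
    lo, hi = spec.split("-", 1) if "-" in spec else (spec, spec)
    lo, hi = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    if hi < lo:
        raise ValueError(f"range end precedes start: {spec}")
    return lo, hi


def parse_client_ip(value):
    """Parse the space-separated client-ip value; the page allows up to four entries."""
    specs = value.split()
    if len(specs) > 4:
        raise ValueError("client-ip accepts up to four addresses or ranges")
    return [parse_client_spec(s) for s in specs]


def eligible_servers(realservers, client_ip):
    """Names of the real servers a client may use. A server with no client-ip accepts
    everyone; overlapping ranges make several servers eligible."""
    client = int(ipaddress.ip_address(client_ip))
    eligible = []
    for name, client_ip_value in realservers:
        ranges = parse_client_ip(client_ip_value) if client_ip_value else []
        if not ranges or any(lo <= client <= hi for lo, hi in ranges):
            eligible.append(name)
    return eligible


# Constructed pool as (real server name, client-ip value); rs1 reuses the page's example.
POOL = [
    ("rs1", "192.168.1.90 192.168.1.100-192.168.1.120"),
    ("rs2", "192.168.1.110-192.168.1.130"),
    ("rs3", ""),   # no client-ip: all clients can use this real server
]
```

A client at 192.168.1.115 falls into the overlap and may land on any of the three servers; 192.168.1.90 matches rs1 only (plus the unrestricted rs3); a client outside every range can only reach rs3.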

weight <weight>

Enter the weight value of a specific server. Servers with a greater weight receive a greater proportion of forwarded connections, or, if their status is standby, are more likely to be selected to temporarily replace servers whose status is active, but that are unresponsive. Valid weight values are between 1 and 255. Default is 1.

This option is available only if ldb-method is weighted.

mappedport <port>

Enter the port number range on the destination network to which the external port number range is mapped.

You can also enter a port number range to forward packets to multiple ports on the destination network.

gratuitous-arp-interval <time>

Configure sending of gratuitous ARP packets by a virtual IP. You can set the time interval between sending the packets. The default is 0, which disables this feature.

srcintf-filter <interface> [<interface>...]

Enter names of the interfaces to which the VIP applies. Separate names with spaces.

http-cookie-domain-from-host {enable | disable}

If enabled, when the FortiGate unit adds a Set-Cookie to the HTTP(S) response, the Domain attribute in the Set-Cookie is set to the value of the Host: header, if there was one.

If there was no Host: header, the Domain attribute is set to the value of http-cookie-domain if it is set; if it is not set, the Domain attribute is not included in the Set-Cookie.

This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie. Disabled by default.

http-cookie-domain <domain>

Configure HTTP cookie persistence to restrict the domain that the cookie should apply to. Enter the domain name to restrict the cookie to.

This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie.

http-cookie-path <path>

Configure HTTP cookie persistence to limit the cookies to a particular path, for example /new/path.

This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie.

http-cookie-generation <generation>

Configure HTTP cookie persistence to invalidate all cookies that have already been generated. The exact value of the generation is not important, only that it is different from any generation that has already been used.

This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie.

http-cookie-age <age>

Configure HTTP cookie persistence to change how long the browser caches the cookie. Enter an age in minutes or set the age to 0 to make the browser keep the cookie indefinitely. The range is 0 to 525600 minutes. The default age is 60 minutes.

This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie.

http-cookie-share {disable | same-ip}

Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server. The default setting same-ip means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain.

Disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers.

This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie.

https-cookie-secure {disable | enable}

Configure HTTP cookie persistence to enable or disable using secure cookies for HTTPS sessions. Secure cookies are disabled by default because they can interfere with cookie sharing across HTTP and HTTPS virtual servers. If enabled, then the Secure tag is added to the cookie inserted by the FortiGate unit.

This option is available when type is server-load-balance, server-type is http or https and persistence is http-cookie.

http-multiplex {disable | enable}

Enable to use the FortiGate to multiplex multiple client connections into a few connections between the FortiGate and the real server. This can improve performance by reducing server overhead associated with establishing multiple connections. The server must be HTTP/1.1 compliant. Disabled by default.

This option is only available if server-type is http or https.

http-ip-header {disable | enable}

If HTTP multiplexing is enabled, set http-ip-header to enable to add the original client IP address in the X-Forwarded-For HTTP header. This can be useful in an HTTP multiplexing configuration if you want to be able to see the original client IP address in log messages on the destination web server. If this option is disabled, the X-Forwarded-For header will contain the IP address of the FortiGate unit. Disabled by default.

If enabled the http-ip-header-name option appears and you can specify a different header to add the client IP address to.

This option appears only if type is server-load-balance, server-type is http or https and http-multiplex is enabled.

http-ip-header-name <name>

In an HTTP multiplex configuration, if you enable http-ip-header you can use the http-ip-header-name option to add the original client IP address to a custom http header. Use this option to specify the name of the header to add the IP address to.

The destination server extracts the original client IP address from this header to record log messages that include client IP addresses. If you leave this option blank (the default) the original client IP address is added to the X-Forwarded-For header.

This option appears only if type is server-load-balance, server-type is http or https and http-multiplex is enabled and http-ip-header is enabled.

outlook-web-access {disable | enable}

If the FortiGate unit provides SSL offloading for Microsoft Outlook Web Access, the Outlook server expects to see a Front-End-Https: on header inserted into the HTTP headers, as described in a Microsoft Technical Note. If outlook-web-access is enabled, the FortiGate adds this header to all HTTP requests. Disabled by default.

This option is available when type is server-load-balance and server-type is http or https.

weblogic-server {disable | enable}

Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server. Disabled by default.

websphere-server {disable | enable}

Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server. Disabled by default.

ssl-mode {full | half}

Select whether or not to accelerate SSL communications with the destination by using the FortiGate to perform SSL operations, and indicate which segments of the connection will receive SSL offloading. Accelerating SSL communications in this way is also called SSL offloading.

  • half (the default) apply SSL acceleration only between the client and the FortiGate. The segment between the FortiGate and the server is clear text. This results in better performance, but cannot be used in failover configurations where the failover path does not have an SSL accelerator.
  • full apply SSL acceleration to both parts of the connection: the segment between the client and the FortiGate, and the segment between the FortiGate and the server. The segment between the FortiGate and the server is encrypted, but the handshakes are accelerated. This results in performance which is less than if ssl-mode is set to half, but still improved over no SSL acceleration, and can be used in failover configurations where the failover path does not have an SSL accelerator. If the server is already configured to use SSL, this also enables SSL acceleration without requiring changes to the server’s configuration. If this option is set to full then several ssl-server options appear and you can apply different SSL features (such as encryption levels) to the client connection and to the server connection.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-certificate <name>

The name of the SSL certificate to use for SSL acceleration.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full, the same certificate is used for client and server communication.

ssl-dh-bits <bits>

Enter the size in bits of the Diffie-Hellman prime used in the key exchange of the SSL connection. Larger primes give greater cryptographic strength. Default is 2048. Values include 768, 1024, 1536, 2048, 3072, and 4096.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full, the ssl-dh-bits setting is used for client and server communication.

ssl-algorithm {high | medium | low | custom}

Set the permitted encryption algorithms for SSL sessions according to encryption strength.

  • high (the default) permit only high encryption algorithms: AES or 3DES.
  • medium permit high (AES, 3DES) or medium (RC4) algorithms.
  • low permit high (AES, 3DES), medium (RC4), or low (DES) algorithms.
  • custom only allow some cipher suites to be used. Use config ssl-cipher-suites to select the cipher suites that are allowed.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full and ssl-server-algorithm is set to client, the ssl-algorithm setting applies to both client and server communication.

If ssl-server-algorithm is not set to client, the ssl-algorithm setting only applies to client communication. You can use the ssl-server-algorithm option to select different algorithms for server communication.

config ssl-cipher-suites

Choose one or more SSL cipher suites to use for SSL sessions. Only available if ssl-algorithm is set to custom. You can also use this command to list the supported SSL cipher suites available to all FortiOS SSL encryption/decryption applications.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full and ssl-server-algorithm is set to client, the configured setting applies to both client and server communication.

If ssl-server-algorithm is not set to client, the config ssl-cipher-suites configuration only applies to client communication. You can use config ssl-cipher-suites to select different cipher suites for server communication.

cipher <cipher-suite-name>

Set the cipher suite name to use. Use ? to list the available cipher suite names.

versions {ssl-3.0 | tls-1.0 | tls-1.1}

Select the SSL/TLS versions that are supported.

ssl-server-algorithm {high | medium | low | custom}

Set the permitted encryption algorithms for SSL server sessions according to encryption strength.

  • high (the default) permit only high encryption algorithms: AES or 3DES.
  • medium permit high (AES, 3DES) or medium (RC4) algorithms.
  • low permit high (AES, 3DES), medium (RC4), or low (DES) algorithms.
  • custom only allow some cipher suites to be used. Use config ssl-server-cipher-suites to select the cipher suites that are allowed.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and ssl-mode is full.

config ssl-server-cipher-suites

Choose one or more SSL cipher suites to use for SSL server sessions. Only available if ssl-server-algorithm is set to custom. You can also use this command to list the supported SSL cipher suites available to all FortiOS SSL encryption/decryption applications.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, ssl-mode is full, and ssl-server-algorithm is custom.

cipher <cipher-suite-name>

Set the cipher suite name to use. Use ? to list the available cipher suite names.

versions {ssl-3.0 | tls-1.0 | tls-1.1}

Select the SSL/TLS versions that are supported.

ssl-pfs {allow | deny | require}

Select handling of perfect forward secrecy (PFS) by controlling the cipher suites that can be selected. Applies to both client and server sessions.

  • allow allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
  • deny allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
  • require allow only Diffie-Hellman cipher-suites, so PFS is applied. This is the default setting.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and ssl-algorithm is not set to custom.

ssl-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}

The lowest version of SSL/TLS to allow in SSL sessions. Default is tls-1.0.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full and ssl-server-min-version is set to client, the configured setting applies to both client and server communication. If ssl-server-min-version is not set to client, this option only applies to client communication.

The default is tls-1.1.

ssl-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2}

The highest version of SSL/TLS to allow in SSL sessions. Default is tls-1.2.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps. If ssl-mode is set to full and ssl-server-max-version is set to client, the configured setting applies to both client and server communication. If ssl-server-max-version is not set to client, this option only applies to client communication.

ssl-server-min-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}

The lowest version of SSL/TLS to allow in SSL server sessions. Default is client which means the ssl-min-version applies to both client and server sessions.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and ssl-mode is set to full.

ssl-server-max-version {ssl-3.0 | tls-1.0 | tls-1.1 | tls-1.2 | client}

The highest version of SSL/TLS to allow in SSL server sessions. Default is client which means the ssl-max-version applies to both client and server sessions.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and ssl-mode is set to full.

ssl-send-empty-frags {disable | enable}

Select to precede the record with empty fragments to thwart attacks on CBC IV. You might disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments. Enabled by default.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps, and applies only to SSL 3.0 and TLS 1.0.

ssl-client-fallback {disable | enable}

Enable (the default) to prevent downgrade attacks on client connections (RFC 7507).

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-client-renegotiation {allow | deny | secure}

Select the SSL secure renegotiation policy. Secure renegotiation complies with RFC 5746 Secure Negotiation Indication.

The vulnerability CVE-2009-3555 affects all SSL/TLS servers that support re-negotiation. FortiOS, when configured for SSL/TLS offloading, is operating as an SSL/TLS server. The IETF is working on a TLS protocol change that will fix the problem identified by CVE-2009-3555 while still supporting re-negotiation. Until that protocol change is available, you can use the ssl-client-renegotiation option to disable support for SSL/TLS re-negotiation.

  • allow (the default) allow, but do not require secure renegotiation.
  • deny do not allow renegotiation.
  • secure require secure renegotiation.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.
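The SSL-offloading options from ssl-mode through ssl-client-renegotiation interact, and a VIP that keeps several of the documented defaults (ssl-min-version tls-1.0, ssl-client-renegotiation allow, ssl-mode half) ends up with a weaker client-facing endpoint than the option list suggests. The following Python is an added example, not FortiOS code: it parses the `config firewall vip` text in the form used on this page and reports the settings that weaken the endpoint, with a legacy VIP beside a hardened one. The VIP names, the certificate name and the cipher suite name in the sample are constructed; the option names and values are the ones documented above.

```python
"""Audit the client-facing TLS settings of server-load-balance VIPs.

Added example, not FortiOS code. The parser reads `show`-style CLI text and
the audit applies the defaults documented on this page when a `set` line is
absent. Sample VIP names, certificate name and cipher suite name are constructed.
"""
import re
from typing import Dict, List

# Defaults documented for each option, applied when no `set` line is present.
DEFAULTS = {
    "ssl-mode": "half", "ssl-algorithm": "high", "ssl-pfs": "require",
    "ssl-min-version": "tls-1.0", "ssl-max-version": "tls-1.2",
    "ssl-client-fallback": "enable", "ssl-client-renegotiation": "allow",
    "ssl-send-empty-frags": "enable", "ssl-dh-bits": "2048",
}
VERSION_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2"]


def parse_vips(cli_text: str) -> Dict[str, Dict[str, str]]:
    """Return {vip name: {option: value}} for a `config firewall vip` block.

    Only `set` lines directly under each `edit` are read; nested sections such
    as `config ssl-cipher-suites` are skipped by tracking the nesting depth.
    """
    vips: Dict[str, Dict[str, str]] = {}
    current, depth = None, 0
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif depth == 1:
            if m := re.fullmatch(r'edit "?([^"]+?)"?', line):
                current = m.group(1)
                vips[current] = dict(DEFAULTS)
            elif (m := re.fullmatch(r'set (\S+) "?([^"]*?)"?', line)) and current:
                vips[current][m.group(1)] = m.group(2)
    return vips


def audit(s: Dict[str, str]) -> List[str]:
    """Return one finding per weak or risky setting (empty list when clean)."""
    f: List[str] = []
    if VERSION_ORDER.index(s["ssl-min-version"]) < VERSION_ORDER.index("tls-1.2"):
        f.append(f"ssl-min-version {s['ssl-min-version']}: SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated; set tls-1.2")
    if s["ssl-algorithm"] in ("medium", "low"):
        weak = "RC4" if s["ssl-algorithm"] == "medium" else "RC4 and DES"
        f.append(f"ssl-algorithm {s['ssl-algorithm']}: permits {weak}; use high or custom")
    # ssl-pfs is only offered when ssl-algorithm is not custom (see above).
    if s["ssl-algorithm"] != "custom" and s["ssl-pfs"] != "require":
        f.append(f"ssl-pfs {s['ssl-pfs']}: non-PFS suites can be negotiated; set require")
    if s["ssl-client-renegotiation"] == "allow":
        f.append("ssl-client-renegotiation allow: insecure renegotiation (CVE-2009-3555) accepted; set deny or secure")
    if s["ssl-client-fallback"] == "disable":
        f.append("ssl-client-fallback disable: RFC 7507 downgrade protection is off; set enable")
    if int(s["ssl-dh-bits"]) < 2048:
        f.append(f"ssl-dh-bits {s['ssl-dh-bits']}: use a 2048-bit or larger group")
    if s["ssl-mode"] == "half":
        f.append("ssl-mode half: FortiGate-to-server segment is clear text; use full unless that segment is trusted")
    return f


def audit_config(cli_text: str) -> Dict[str, List[str]]:
    """Parse and audit every VIP in the text."""
    return {name: audit(settings) for name, settings in parse_vips(cli_text).items()}


# Constructed sample: a legacy VIP beside a hardened one.
SAMPLE_CONFIG = """\
config firewall vip
    edit "web-legacy"
        set type server-load-balance
        set server-type https
        set ssl-certificate "example-cert"
        set ssl-min-version tls-1.0
        set ssl-algorithm low
        set ssl-pfs allow
        set ssl-dh-bits 1024
    next
    edit "web-hardened"
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-certificate "example-cert"
        set ssl-min-version tls-1.2
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
            next
        end
        set ssl-client-renegotiation secure
        set ssl-dh-bits 3072
    next
end
"""
```

Running `audit_config(SAMPLE_CONFIG)` reports six findings for web-legacy (the explicit tls-1.0, low, allow and 1024 settings plus the inherited renegotiation and half-mode defaults) and none for web-hardened. The point of applying the documented defaults in the parser is that `show` output omits options left at their default, so an audit that only looks at explicit `set` lines misses exactly the settings most worth reviewing.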

ssl-client-session-state-type {both | count | disable | time}

The method the FortiGate should use to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

  • both (the default) expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
  • count expire SSL session states when ssl-client-session-state-max is exceeded.
  • disable expire all SSL session states.
  • time expire SSL session states when ssl-client-session-state-timeout is exceeded.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-client-session-state-timeout <timeout>

The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit. Default is 30 minutes. Range is 1 to 14400.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-client-session-state-max <states>

The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit. Default is 1000. Range is 0 to 100000.

This option appears only if type is server-load-balance and server-type is ssl, https, imaps, pop3s, or smtps.

ssl-server-session-state-type {both | count | disable | time}

The method the FortiGate should use to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

  • both (the default) expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
  • count expire SSL session states when ssl-server-session-state-max is exceeded.
  • disable expire all SSL session states.
  • time expire SSL session states when ssl-server-session-state-timeout is exceeded.

This option appears only if ssl-mode is full.

ssl-server-session-state-timeout <time>

The number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate. Default is 30 minutes. Range is 1 to 14400.

This option appears only if ssl-mode is full.

ssl-server-session-state-max <states>

The maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit. Default is 1000. Range is 0 to 100000.

This option appears only if ssl-mode is full.

ssl-http-location-conversion {disable | enable}

Select to replace http with https in the reply’s Location HTTP header field. For example, the reply Location: http://example.com/ would be converted to Location: https://example.com/. Disabled by default.

This option appears only if type is server-load-balance and server-type is https.

ssl-http-match-host {disable | enable}

Enable (the default setting) to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field, or, if the Host field does not exist, the host name portion of the request’s URI.

If this option is disabled, conversion occurs regardless of whether the host names in the request and the reply match.

For example, if ssl-http-match-host is enabled, and a request contains Host: example.com and the reply contains Location: http://example.cc/, the Location field does not match the Host field of the original request and the reply’s Location field remains unchanged. If the reply contains Location: http://example.com/, however, then the FortiGate detects the matching host name and converts the reply field to Location: https://example.com/.

This option appears only if type is server-load-balance and server-type is https and ssl-http-location-conversion is enable.
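The Location conversion and host-match rule described above, modelled in Python as an added example (not FortiOS code). It reproduces the example from the text, where a reply pointing at example.cc is left alone while one pointing at example.com is rewritten to https, and also handles the documented fallback to the request URI when the request carried no Host header. The request and reply values are the ones from the text; the handling of a port in the Host field is this model's assumption.

```python
"""Model of ssl-http-location-conversion gated by ssl-http-match-host.

Added example, not FortiOS code. Request and reply values used in the checks
are the ones from the text; stripping a port from the Host field before the
comparison is an assumption of this model.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def _hostname(host_like: Optional[str]) -> Optional[str]:
    """Lower-cased host name without port or IPv6 brackets, or None."""
    if not host_like:
        return None
    return urlsplit("//" + host_like).hostname


def convert_location(location: str, request_host: Optional[str],
                     request_uri: str, match_host: bool = True) -> str:
    """Return the Location value the client should receive.

    Only http:// URLs are rewritten to https://; anything else is returned
    untouched. With match_host enabled (the default), the rewrite is applied
    only when the Location host equals the request's Host header or, when the
    request carried no Host header, the host in the request URI. This keeps
    the FortiGate from rewriting redirects to hosts it does not terminate TLS
    for, while still ensuring a client that arrived over HTTPS is not sent
    back to clear-text HTTP on the same host.
    """
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location
    if match_host:
        expected = _hostname(request_host) or _hostname(urlsplit(request_uri).netloc)
        if expected is None or parts.hostname != expected:
            return location
    return urlunsplit(("https",) + tuple(parts[1:]))
```

With ssl-http-match-host disabled the same function rewrites every http:// Location regardless of host, which is the behaviour the text describes for the disabled setting; the host check is what stops the FortiGate from advertising an https:// URL for a host where nothing is listening for TLS.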

monitor <name>

The name of the health check monitor for use when polling to determine a virtual server’s connectivity status.

max-embryonic-connections <number>

The maximum number of partially established SSL or HTTP connections. This should be greater than the maximum number of connections you want to establish per second. Default is 1000. Range is 0 to 100000.

This option appears only if type is server-load-balance and server-type is http, ssl, https, imaps, pop3s, or smtps.

portmapping-type {1-to-1 | m-to-n}

The type of port mapping.

  • 1-to-1 one-to-one mapping (the default).
  • m-to-n load balancing (many to many).

This option appears when type is not set to server-load-balance.

color <integer>

The color of the icon in the GUI. There are 32 defined colors numbered 1 to 32. To see the colors available, you can edit the VIP from the GUI. 1 is the default color which is black. 0 sets the color to the default color.