Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

firewall ssl-server

Use this command set up connections to SSL servers.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set ssl-min-version ssl-3.0

The ssl-3.0 option has been removed from ssl-min-version.

config firewall ssl-server
    edit {name}
    # Configure SSL servers.
        set name {string}   Server name. size[35]
        set ip {ipv4 address any}   IPv4 address of the SSL server.
        set port {integer}   Server service port (1 - 65535, default = 443). range[1-65535]
        set ssl-mode {half | full}   SSL/TLS mode for encryption and decryption of traffic.
                half  Client to FortiGate SSL.
                full  Client to FortiGate and FortiGate to Server SSL.
        set add-header-x-forwarded-proto {enable | disable}   Enable/disable adding an X-Forwarded-Proto header to forwarded requests.
        set mapped-port {integer}   Mapped server service port (1 - 65535, default = 80). range[1-65535]
        set ssl-cert {string}   Name of certificate for SSL connections to this server (default = "Fortinet_CA_SSL"). size[35] - datasource(s): vpn.certificate.local.name
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}   Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).
                768   768-bit Diffie-Hellman prime.
                1024  1024-bit Diffie-Hellman prime.
                1536  1536-bit Diffie-Hellman prime.
                2048  2048-bit Diffie-Hellman prime.
        set ssl-algorithm {high | medium | low}   Relative strength of encryption algorithms accepted in negotiation.
                high    High encryption. Allow only AES and ChaCha
                medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
        set ssl-client-renegotiation {allow | deny | secure}   Allow or block client renegotiation by server.
                allow   Allow a SSL client to renegotiate.
                deny    Abort any SSL connection that attempts to renegotiate.
                secure  Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
        set ssl-min-version {tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version to negotiate.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-max-version {tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version to negotiate.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid attack on CBC IV.
        set url-rewrite {enable | disable}   Enable/disable rewriting the URL.
    next
end

Additional information

The following section is for those options that require additional explanation.

edit <ssl-server-name>

Enter a name for the SSL server. It can be any name and this name is not used by other FortiGate configurations.

add-header-x-forwarded-proto

Optionally add X-Forwarded-Proto header. This is available when ssl-mode is half.

Default Value: enable

ip

Enter an IP address for the SSL server. This IP address should be the same as the IP address of the HTTP server that this SSL server will be offloading for. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination IP address of the session is matched with this IP address to select the SSL server configuration to use.

port

Enter a port number to be used by the SSL server. Usually this would be port 443 for an HTTPS server. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination port of the session is matched with this port to select the SSL server configuration to use.

ssl-mode

Default Value: full

ssl-cert

Select the certificate to be used for this SSL server. The certificate should be the HTTP server CA used by the HTTP server that this SSL server configuration will be offloading for.

The certificate must be a local certificate added to the FortiGate unit using the config vpn certificate local command. For more information, see vpn certificate local.

The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.

Default Value: 1024

ssl-dh-bits

Select the size of the Diffie-Hellman prime used in DHE_RSA negotiation. Larger primes may cause a performance reduction but are more secure.

ssl-min-version

Select the lowest or oldest SSL/TLS version to offer when negotiating.

ssl-max-version

Select the highest or newest SSL/TLS version to offer when negotiating.

ssl-send-empty-frags

Enable or disable sending empty fragments before sending the actual payload. Sending empty fragments is a technique used to avoid cipher-block chaining (CBC) plaintext attacks if the initiation vector (IV) is known. Also called the CBC IV. Some SSL implementations are not compatible with sending empty fragments. Change ssl-sendempty- frags to disable if required by your SSL implementation.

Default Value: enable

url-rewrite

Enable to rewrite Location header of HTTP redirection response(3XX response). This is available when ssl-mode is half.

Default Value: disable

firewall ssl-server

Use this command set up connections to SSL servers.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set ssl-min-version ssl-3.0

The ssl-3.0 option has been removed from ssl-min-version.

config firewall ssl-server
    edit {name}
    # Configure SSL servers.
        set name {string}   Server name. size[35]
        set ip {ipv4 address any}   IPv4 address of the SSL server.
        set port {integer}   Server service port (1 - 65535, default = 443). range[1-65535]
        set ssl-mode {half | full}   SSL/TLS mode for encryption and decryption of traffic.
                half  Client to FortiGate SSL.
                full  Client to FortiGate and FortiGate to Server SSL.
        set add-header-x-forwarded-proto {enable | disable}   Enable/disable adding an X-Forwarded-Proto header to forwarded requests.
        set mapped-port {integer}   Mapped server service port (1 - 65535, default = 80). range[1-65535]
        set ssl-cert {string}   Name of certificate for SSL connections to this server (default = "Fortinet_CA_SSL"). size[35] - datasource(s): vpn.certificate.local.name
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}   Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).
                768   768-bit Diffie-Hellman prime.
                1024  1024-bit Diffie-Hellman prime.
                1536  1536-bit Diffie-Hellman prime.
                2048  2048-bit Diffie-Hellman prime.
        set ssl-algorithm {high | medium | low}   Relative strength of encryption algorithms accepted in negotiation.
                high    High encryption. Allow only AES and ChaCha
                medium  Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                low     Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
        set ssl-client-renegotiation {allow | deny | secure}   Allow or block client renegotiation by server.
                allow   Allow a SSL client to renegotiate.
                deny    Abort any SSL connection that attempts to renegotiate.
                secure  Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
        set ssl-min-version {tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version to negotiate.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-max-version {tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version to negotiate.
                tls-1.0  TLS 1.0.
                tls-1.1  TLS 1.1.
                tls-1.2  TLS 1.2.
        set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid attack on CBC IV.
        set url-rewrite {enable | disable}   Enable/disable rewriting the URL.
    next
end

Additional information

The following section is for those options that require additional explanation.

edit <ssl-server-name>

Enter a name for the SSL server. It can be any name and this name is not used by other FortiGate configurations.

add-header-x-forwarded-proto

Optionally add X-Forwarded-Proto header. This is available when ssl-mode is half.

Default Value: enable

ip

Enter an IP address for the SSL server. This IP address should be the same as the IP address of the HTTP server that this SSL server will be offloading for. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination IP address of the session is matched with this IP address to select the SSL server configuration to use.

port

Enter a port number to be used by the SSL server. Usually this would be port 443 for an HTTPS server. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination port of the session is matched with this port to select the SSL server configuration to use.

ssl-mode

Default Value: full

ssl-cert

Select the certificate to be used for this SSL server. The certificate should be the HTTP server CA used by the HTTP server that this SSL server configuration will be offloading for.

The certificate must be a local certificate added to the FortiGate unit using the config vpn certificate local command. For more information, see vpn certificate local.

The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.

Default Value: 1024

ssl-dh-bits

Select the size of the Diffie-Hellman prime used in DHE_RSA negotiation. Larger primes may cause a performance reduction but are more secure.

ssl-min-version

Select the lowest or oldest SSL/TLS version to offer when negotiating.

ssl-max-version

Select the highest or newest SSL/TLS version to offer when negotiating.

ssl-send-empty-frags

Enable or disable sending empty fragments before sending the actual payload. Sending empty fragments is a technique used to avoid cipher-block chaining (CBC) plaintext attacks if the initiation vector (IV) is known. Also called the CBC IV. Some SSL implementations are not compatible with sending empty fragments. Change ssl-sendempty- frags to disable if required by your SSL implementation.

Default Value: enable

url-rewrite

Enable to rewrite Location header of HTTP redirection response(3XX response). This is available when ssl-mode is half.

Default Value: disable