Fortinet black logo

CLI Reference

firewall ssl setting

firewall ssl setting

Use this command to configure SSL proxy settings so that you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic by using the config firewall profile command.

To perform SSL content scanning and inspection, the FortiGate unit does the following:

  • intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
  • applies content inspection to decrypted content, including:
  • HTTPS, IMAPS, POP3S, and SMTPS Antivirus, DLP., and content archiving
  • HTTPS web filtering and FortiGuard web filtering
  • IMAPS, POP3S, and SMTPS spam filtering
  • re-encrypts the sessions and forwards them to their destinations.
config firewall ssl setting
    set proxy-connect-timeout {integer}   Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec, default = 30). range[1-60]
    set ssl-dh-bits {768 | 1024 | 1536 | 2048}   Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).
            768   768-bit Diffie-Hellman prime.
            1024  1024-bit Diffie-Hellman prime.
            1536  1536-bit Diffie-Hellman prime.
            2048  2048-bit Diffie-Hellman prime.
    set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid attack on CBC IV (for SSL 3.0 and TLS 1.0 only).
    set no-matching-cipher-action {bypass | drop}   Bypass or drop the connection when no matching cipher is found.
            bypass  Bypass connection.
            drop    Drop connection.
    set cert-cache-capacity {integer}   Maximum capacity of the host certificate cache (0 - 500, default = 200). range[0-500]
    set cert-cache-timeout {integer}   Time limit to keep certificate cache (1 - 120 min, default = 10). range[1-120]
    set session-cache-capacity {integer}   Capacity of the SSL session cache (--Obsolete--) (1 - 1000, default = 500). range[0-1000]
    set session-cache-timeout {integer}   Time limit to keep SSL session state (1 - 60 min, default = 20). range[1-60]
    set kxp-queue-threshold {integer}   Maximum length of the CP KXP queue. When the queue becomes full, the proxy switches cipher functions to the main CPU (0 - 512, default = 16). range[0-512]
    set ssl-queue-threshold {integer}   Maximum length of the CP SSL queue. When the queue becomes full, the proxy switches cipher functions to the main CPU (0 - 512, default = 32). range[0-512]
    set abbreviate-handshake {enable | disable}   Enable/disable use of SSL abbreviated handshake.
end

Additional information

The following section is for those options that require additional explanation.

firewall ssl setting

Use this command to configure SSL proxy settings so that you can apply antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving to HTTPS, IMAPS, POP3S, and SMTPS traffic by using the config firewall profile command.

To perform SSL content scanning and inspection, the FortiGate unit does the following:

  • intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
  • applies content inspection to decrypted content, including:
  • HTTPS, IMAPS, POP3S, and SMTPS Antivirus, DLP., and content archiving
  • HTTPS web filtering and FortiGuard web filtering
  • IMAPS, POP3S, and SMTPS spam filtering
  • re-encrypts the sessions and forwards them to their destinations.
config firewall ssl setting
    set proxy-connect-timeout {integer}   Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec, default = 30). range[1-60]
    set ssl-dh-bits {768 | 1024 | 1536 | 2048}   Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).
            768   768-bit Diffie-Hellman prime.
            1024  1024-bit Diffie-Hellman prime.
            1536  1536-bit Diffie-Hellman prime.
            2048  2048-bit Diffie-Hellman prime.
    set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid attack on CBC IV (for SSL 3.0 and TLS 1.0 only).
    set no-matching-cipher-action {bypass | drop}   Bypass or drop the connection when no matching cipher is found.
            bypass  Bypass connection.
            drop    Drop connection.
    set cert-cache-capacity {integer}   Maximum capacity of the host certificate cache (0 - 500, default = 200). range[0-500]
    set cert-cache-timeout {integer}   Time limit to keep certificate cache (1 - 120 min, default = 10). range[1-120]
    set session-cache-capacity {integer}   Capacity of the SSL session cache (--Obsolete--) (1 - 1000, default = 500). range[0-1000]
    set session-cache-timeout {integer}   Time limit to keep SSL session state (1 - 60 min, default = 20). range[1-60]
    set kxp-queue-threshold {integer}   Maximum length of the CP KXP queue. When the queue becomes full, the proxy switches cipher functions to the main CPU (0 - 512, default = 16). range[0-512]
    set ssl-queue-threshold {integer}   Maximum length of the CP SSL queue. When the queue becomes full, the proxy switches cipher functions to the main CPU (0 - 512, default = 32). range[0-512]
    set abbreviate-handshake {enable | disable}   Enable/disable use of SSL abbreviated handshake.
end

Additional information

The following section is for those options that require additional explanation.