Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.2.1
Copy Link

Configure virtual IP for IPv6.

  config firewall vip6
      Description: Configure virtual IP for IPv6.
      edit <name>
          set id {integer}
          set uuid {uuid}
          set comment {var-string}
          set type [static-nat|server-load-balance]
          set src-filter <range1>, <range2>, ...
          set extip {user}
          set mappedip {user}
          set arp-reply [disable|enable]
          set portforward [disable|enable]
          set protocol [tcp|udp|...]
          set extport {user}
          set mappedport {user}
          set color {integer}
          set ldb-method [static|round-robin|...]
          set server-type [http|https|...]
          set http-redirect [enable|disable]
          set persistence [none|http-cookie|...]
          config realservers
              Description: Select the real servers that this server load balancing VIP will distribute traffic to.
              edit <id>
                  set ip {ipv6-address}
                  set port {integer}
                  set status [active|standby|...]
                  set weight {integer}
                  set holddown-interval {integer}
                  set healthcheck [disable|enable|...]
                  set http-host {string}
                  set max-connections {integer}
                  set monitor {string}
                  set client-ip {user}
              next
          end
          set http-cookie-domain-from-host [disable|enable]
          set http-cookie-domain {string}
          set http-cookie-path {string}
          set http-cookie-generation {integer}
          set http-cookie-age {integer}
          set http-cookie-share [disable|same-ip]
          set https-cookie-secure [disable|enable]
          set http-multiplex [enable|disable]
          set http-ip-header [enable|disable]
          set http-ip-header-name {string}
          set outlook-web-access [disable|enable]
          set weblogic-server [disable|enable]
          set websphere-server [disable|enable]
          set ssl-mode [half|full]
          set ssl-certificate {string}
          set ssl-dh-bits [768|1024|...]
          set ssl-algorithm [high|medium|...]
          config ssl-cipher-suites
              Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
              edit <priority>
                  set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                  set versions {option1}, {option2}, ...
              next
          end
          set ssl-server-algorithm [high|medium|...]
          config ssl-server-cipher-suites
              Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
              edit <priority>
                  set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                  set versions {option1}, {option2}, ...
              next
          end
          set ssl-pfs [require|deny|...]
          set ssl-min-version [ssl-3.0|tls-1.0|...]
          set ssl-max-version [ssl-3.0|tls-1.0|...]
          set ssl-server-min-version [ssl-3.0|tls-1.0|...]
          set ssl-server-max-version [ssl-3.0|tls-1.0|...]
          set ssl-send-empty-frags [enable|disable]
          set ssl-client-fallback [disable|enable]
          set ssl-client-renegotiation [allow|deny|...]
          set ssl-client-session-state-type [disable|time|...]
          set ssl-client-session-state-timeout {integer}
          set ssl-client-session-state-max {integer}
          set ssl-client-rekey-count {integer}
          set ssl-server-session-state-type [disable|time|...]
          set ssl-server-session-state-timeout {integer}
          set ssl-server-session-state-max {integer}
          set ssl-http-location-conversion [enable|disable]
          set ssl-http-match-host [enable|disable]
          set ssl-hpkp [disable|enable|...]
          set ssl-hpkp-primary {string}
          set ssl-hpkp-backup {string}
          set ssl-hpkp-age {integer}
          set ssl-hpkp-report-uri {var-string}
          set ssl-hpkp-include-subdomains [disable|enable]
          set ssl-hsts [disable|enable]
          set ssl-hsts-age {integer}
          set ssl-hsts-include-subdomains [disable|enable]
          set monitor <name1>, <name2>, ...
          set max-embryonic-connections {integer}
      next
  end

config firewall vip6

Parameter Name Description Type Size
id Custom defined ID. integer Minimum value: 0 Maximum value: 65535
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
comment Comment. var-string Maximum length: 255
type Configure a static NAT or server load balance VIP.
static-nat: Static NAT.
server-load-balance: Server load balance.
option -
src-filter <range> Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces.
Source-filter range.
string Maximum length: 79
extip IP address or address range on the external interface that you want to map to an address or address range on the destination network. user Not Specified
mappedip Mapped IP address range in the format startIP-endIP. user Not Specified
arp-reply Enable to respond to ARP requests for this virtual IP address. Enabled by default.
disable: Disable ARP reply.
enable: Enable ARP reply.
option -
portforward Enable port forwarding.
disable: Disable port forward.
enable: Enable/disable port forwarding.
option -
protocol Protocol to use when forwarding packets.
tcp: TCP.
udp: UDP.
sctp: SCTP.
option -
extport Incoming port number range that you want to map to a port number range on the destination network. user Not Specified
mappedport Port number range on the destination network to which the external port number range is mapped. user Not Specified
color Color of icon on the GUI. integer Minimum value: 0 Maximum value: 32
ldb-method Method used to distribute sessions to real servers.
static: Distribute sessions based on source IP.
round-robin: Distribute sessions based round robin order.
weighted: Distribute sessions based on weight.
least-session: Sends new sessions to the server with the lowest session count.
least-rtt: Distribute new sessions to the server with lowest Round-Trip-Time.
first-alive: Distribute sessions to the first server that is alive.
http-host: Distribute sessions to servers based on host field in HTTP header.
option -
server-type Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
http: HTTP
https: HTTPS
imaps: IMAPS
pop3s: POP3S
smtps: SMTPS
ssl: SSL
tcp: TCP
udp: UDP
ip: IP
option -
http-redirect Enable/disable redirection of HTTP to HTTPS
enable: Enable redirection of HTTP to HTTPS.
disable: Disable redirection of HTTP to HTTPS.
option -
persistence Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
none: None.
http-cookie: HTTP cookie.
ssl-session-id: SSL session ID.
option -
http-cookie-domain-from-host Enable/disable use of HTTP cookie domain from host field in HTTP.
disable: Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).
enable: Enable use of HTTP cookie domain from host field in HTTP.
option -
http-cookie-domain Domain that HTTP cookie persistence should apply to. string Maximum length: 35
http-cookie-path Limit HTTP cookie persistence to the specified path. string Maximum length: 35
http-cookie-generation Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. integer Minimum value: 0 Maximum value: 4294967295
http-cookie-age Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. integer Minimum value: 0 Maximum value: 525600
http-cookie-share Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
disable: Only allow HTTP cookie to match this virtual server.
same-ip: Allow HTTP cookie to match any virtual server with same IP.
option -
https-cookie-secure Enable/disable verification that inserted HTTPS cookies are secure.
disable: Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.
enable: Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.
option -
http-multiplex Enable/disable HTTP multiplexing.
enable: Enable HTTP session multiplexing.
disable: Disable HTTP session multiplexing.
option -
http-ip-header For HTTP multiplexing, enable to add the original client IP address in the XForwarded-For HTTP header.
enable: Enable adding HTTP header.
disable: Disable adding HTTP header.
option -
http-ip-header-name For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. string Maximum length: 35
outlook-web-access Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
disable: Disable Outlook Web Access support.
enable: Enable Outlook Web Access support.
option -
weblogic-server Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
disable: Do not add HTTP header indicating SSL offload for WebLogic server.
enable: Add HTTP header indicating SSL offload for WebLogic server.
option -
websphere-server Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
disable: Do not add HTTP header indicating SSL offload for WebSphere server.
enable: Add HTTP header indicating SSL offload for WebSphere server.
option -
ssl-mode Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
half: Client to FortiGate SSL.
full: Client to FortiGate and FortiGate to Server SSL.
option -
ssl-certificate The name of the SSL certificate to use for SSL acceleration. string Maximum length: 35
ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
768: 768-bit Diffie-Hellman prime.
1024: 1024-bit Diffie-Hellman prime.
1536: 1536-bit Diffie-Hellman prime.
2048: 2048-bit Diffie-Hellman prime.
3072: 3072-bit Diffie-Hellman prime.
4096: 4096-bit Diffie-Hellman prime.
option -
ssl-algorithm Permitted encryption algorithms for SSL sessions according to encryption strength.
high: Use AES or 3DES.
medium: Use AES, 3DES, or RC4.
low: Use AES, 3DES, RC4, or DES.
custom: Use config ssl-cipher-suites to select the cipher suites that are allowed.
option -
ssl-server-algorithm Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
high: Use AES or 3DES.
medium: Use AES, 3DES, or RC4.
low: Use AES, 3DES, RC4, or DES.
custom: Use config ssl-server-cipher-suites to select the cipher suites that are allowed.
client: Use the same encryption algorithms for client and server sessions.
option -
ssl-pfs Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
require: Allow only Diffie-Hellman cipher-suites, so PFS is applied.
deny: Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
allow: Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
option -
ssl-min-version Lowest SSL/TLS version acceptable from a client.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -
ssl-max-version Highest SSL/TLS version acceptable from a client.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -
ssl-server-min-version Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
client: Use same value as client configuration.
option -
ssl-server-max-version Highest SSL/TLS version acceptable from a server. Use the client setting by default.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
client: Use same value as client configuration.
option -
ssl-send-empty-frags Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
enable: Send empty fragments.
disable: Do not send empty fragments.
option -
ssl-client-fallback Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
disable: Disable.
enable: Enable.
option -
ssl-client-renegotiation Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
allow: Allow a SSL client to renegotiate.
deny: Abort any SSL connection that attempts to renegotiate.
secure: Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
option -
ssl-client-session-state-type How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
disable: Do not keep session states.
time: Expire session states after this many minutes.
count: Expire session states when this maximum is reached.
both: Expire session states based on time or count, whichever occurs first.
option -
ssl-client-session-state-timeout Number of minutes to keep client to FortiGate SSL session state. integer Minimum value: 1 Maximum value: 14400
ssl-client-session-state-max Maximum number of client to FortiGate SSL session states to keep. integer Minimum value: 1 Maximum value: 10000
ssl-client-rekey-count Maximum length of data in MB before triggering a client rekey (0 = disable). integer Minimum value: 200 Maximum value: 1048576
ssl-server-session-state-type How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
disable: Do not keep session states.
time: Expire session states after this many minutes.
count: Expire session states when this maximum is reached.
both: Expire session states based on time or count, whichever occurs first.
option -
ssl-server-session-state-timeout Number of minutes to keep FortiGate to Server SSL session state. integer Minimum value: 1 Maximum value: 14400
ssl-server-session-state-max Maximum number of FortiGate to Server SSL session states to keep. integer Minimum value: 1 Maximum value: 10000
ssl-http-location-conversion Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
enable: Enable HTTP location conversion.
disable: Disable HTTP location conversion.
option -
ssl-http-match-host Enable/disable HTTP host matching for location conversion.
enable: Match HTTP host in response header.
disable: Do not match HTTP host.
option -
ssl-hpkp Enable/disable including HPKP header in response.
disable: Do not add a HPKP header to each HTTP response.
enable: Add a HPKP header to each a HTTP response.
report-only: Add a HPKP Report-Only header to each HTTP response.
option -
ssl-hpkp-primary Certificate to generate primary HPKP pin from. string Maximum length: 79
ssl-hpkp-backup Certificate to generate backup HPKP pin from. string Maximum length: 79
ssl-hpkp-age Number of minutes the web browser should keep HPKP. integer Minimum value: 60 Maximum value: 157680000
ssl-hpkp-report-uri URL to report HPKP violations to. var-string Maximum length: 255
ssl-hpkp-include-subdomains Indicate that HPKP header applies to all subdomains.
disable: HPKP header does not apply to subdomains.
enable: HPKP header applies to subdomains.
option -
ssl-hsts Enable/disable including HSTS header in response.
disable: Do not add a HSTS header to each a HTTP response.
enable: Add a HSTS header to each HTTP response.
option -
ssl-hsts-age Number of seconds the client should honour the HSTS setting. integer Minimum value: 60 Maximum value: 157680000
ssl-hsts-include-subdomains Indicate that HSTS header applies to all subdomains.
disable: HSTS header does not apply to subdomains.
enable: HSTS header applies to subdomains.
option -
monitor <name> Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
Health monitor name.
string Maximum length: 79
max-embryonic-connections Maximum number of incomplete connections. integer Minimum value: 0 Maximum value: 100000

config realservers

Parameter Name Description Type Size
ip IPv6 address of the real server. ipv6-address Not Specified
port Port for communicating with the real server. Required if port forwarding is enabled. integer Minimum value: 1 Maximum value: 65535
status Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
active: Server status active.
standby: Server status standby.
disable: Server status disable.
option -
weight Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. integer Minimum value: 1 Maximum value: 255
holddown-interval Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. integer Minimum value: 30 Maximum value: 65535
healthcheck Enable to check the responsiveness of the real server before forwarding traffic.
disable: Disable per server health check.
enable: Enable per server health check.
vip: Use health check defined in VIP.
option -
http-host HTTP server domain name in HTTP header. string Maximum length: 63
max-connections Max number of active connections that can directed to the real server. When reached, sessions are sent to other real servers. integer Minimum value: 0 Maximum value: 2147483647
monitor Name of the health check monitor to use when polling to determine a virtual server's connectivity status. string Maximum length: 79
client-ip Only clients in this IP range can connect to this real server. user Not Specified

config ssl-cipher-suites

Parameter Name Description Type Size
cipher
versions SSL/TLS versions that the cipher suite can be used with.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -

config ssl-server-cipher-suites

Parameter Name Description Type Size
cipher
versions SSL/TLS versions that the cipher suite can be used with.
option -

Configure virtual IP for IPv6.

  config firewall vip6
      Description: Configure virtual IP for IPv6.
      edit <name>
          set id {integer}
          set uuid {uuid}
          set comment {var-string}
          set type [static-nat|server-load-balance]
          set src-filter <range1>, <range2>, ...
          set extip {user}
          set mappedip {user}
          set arp-reply [disable|enable]
          set portforward [disable|enable]
          set protocol [tcp|udp|...]
          set extport {user}
          set mappedport {user}
          set color {integer}
          set ldb-method [static|round-robin|...]
          set server-type [http|https|...]
          set http-redirect [enable|disable]
          set persistence [none|http-cookie|...]
          config realservers
              Description: Select the real servers that this server load balancing VIP will distribute traffic to.
              edit <id>
                  set ip {ipv6-address}
                  set port {integer}
                  set status [active|standby|...]
                  set weight {integer}
                  set holddown-interval {integer}
                  set healthcheck [disable|enable|...]
                  set http-host {string}
                  set max-connections {integer}
                  set monitor {string}
                  set client-ip {user}
              next
          end
          set http-cookie-domain-from-host [disable|enable]
          set http-cookie-domain {string}
          set http-cookie-path {string}
          set http-cookie-generation {integer}
          set http-cookie-age {integer}
          set http-cookie-share [disable|same-ip]
          set https-cookie-secure [disable|enable]
          set http-multiplex [enable|disable]
          set http-ip-header [enable|disable]
          set http-ip-header-name {string}
          set outlook-web-access [disable|enable]
          set weblogic-server [disable|enable]
          set websphere-server [disable|enable]
          set ssl-mode [half|full]
          set ssl-certificate {string}
          set ssl-dh-bits [768|1024|...]
          set ssl-algorithm [high|medium|...]
          config ssl-cipher-suites
              Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
              edit <priority>
                  set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                  set versions {option1}, {option2}, ...
              next
          end
          set ssl-server-algorithm [high|medium|...]
          config ssl-server-cipher-suites
              Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
              edit <priority>
                  set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                  set versions {option1}, {option2}, ...
              next
          end
          set ssl-pfs [require|deny|...]
          set ssl-min-version [ssl-3.0|tls-1.0|...]
          set ssl-max-version [ssl-3.0|tls-1.0|...]
          set ssl-server-min-version [ssl-3.0|tls-1.0|...]
          set ssl-server-max-version [ssl-3.0|tls-1.0|...]
          set ssl-send-empty-frags [enable|disable]
          set ssl-client-fallback [disable|enable]
          set ssl-client-renegotiation [allow|deny|...]
          set ssl-client-session-state-type [disable|time|...]
          set ssl-client-session-state-timeout {integer}
          set ssl-client-session-state-max {integer}
          set ssl-client-rekey-count {integer}
          set ssl-server-session-state-type [disable|time|...]
          set ssl-server-session-state-timeout {integer}
          set ssl-server-session-state-max {integer}
          set ssl-http-location-conversion [enable|disable]
          set ssl-http-match-host [enable|disable]
          set ssl-hpkp [disable|enable|...]
          set ssl-hpkp-primary {string}
          set ssl-hpkp-backup {string}
          set ssl-hpkp-age {integer}
          set ssl-hpkp-report-uri {var-string}
          set ssl-hpkp-include-subdomains [disable|enable]
          set ssl-hsts [disable|enable]
          set ssl-hsts-age {integer}
          set ssl-hsts-include-subdomains [disable|enable]
          set monitor <name1>, <name2>, ...
          set max-embryonic-connections {integer}
      next
  end

config firewall vip6

Parameter Name Description Type Size
id Custom defined ID. integer Minimum value: 0 Maximum value: 65535
uuid Universally Unique Identifier (UUID; automatically assigned but can be manually reset). uuid Not Specified
comment Comment. var-string Maximum length: 255
type Configure a static NAT or server load balance VIP.
static-nat: Static NAT.
server-load-balance: Server load balance.
option -
src-filter <range> Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces.
Source-filter range.
string Maximum length: 79
extip IP address or address range on the external interface that you want to map to an address or address range on the destination network. user Not Specified
mappedip Mapped IP address range in the format startIP-endIP. user Not Specified
arp-reply Enable to respond to ARP requests for this virtual IP address. Enabled by default.
disable: Disable ARP reply.
enable: Enable ARP reply.
option -
portforward Enable port forwarding.
disable: Disable port forward.
enable: Enable/disable port forwarding.
option -
protocol Protocol to use when forwarding packets.
tcp: TCP.
udp: UDP.
sctp: SCTP.
option -
extport Incoming port number range that you want to map to a port number range on the destination network. user Not Specified
mappedport Port number range on the destination network to which the external port number range is mapped. user Not Specified
color Color of icon on the GUI. integer Minimum value: 0 Maximum value: 32
ldb-method Method used to distribute sessions to real servers.
static: Distribute sessions based on source IP.
round-robin: Distribute sessions based round robin order.
weighted: Distribute sessions based on weight.
least-session: Sends new sessions to the server with the lowest session count.
least-rtt: Distribute new sessions to the server with lowest Round-Trip-Time.
first-alive: Distribute sessions to the first server that is alive.
http-host: Distribute sessions to servers based on host field in HTTP header.
option -
server-type Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
http: HTTP
https: HTTPS
imaps: IMAPS
pop3s: POP3S
smtps: SMTPS
ssl: SSL
tcp: TCP
udp: UDP
ip: IP
option -
http-redirect Enable/disable redirection of HTTP to HTTPS
enable: Enable redirection of HTTP to HTTPS.
disable: Disable redirection of HTTP to HTTPS.
option -
persistence Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
none: None.
http-cookie: HTTP cookie.
ssl-session-id: SSL session ID.
option -
http-cookie-domain-from-host Enable/disable use of HTTP cookie domain from host field in HTTP.
disable: Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).
enable: Enable use of HTTP cookie domain from host field in HTTP.
option -
http-cookie-domain Domain that HTTP cookie persistence should apply to. string Maximum length: 35
http-cookie-path Limit HTTP cookie persistence to the specified path. string Maximum length: 35
http-cookie-generation Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. integer Minimum value: 0 Maximum value: 4294967295
http-cookie-age Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. integer Minimum value: 0 Maximum value: 525600
http-cookie-share Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.
disable: Only allow HTTP cookie to match this virtual server.
same-ip: Allow HTTP cookie to match any virtual server with same IP.
option -
https-cookie-secure Enable/disable verification that inserted HTTPS cookies are secure.
disable: Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.
enable: Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.
option -
http-multiplex Enable/disable HTTP multiplexing.
enable: Enable HTTP session multiplexing.
disable: Disable HTTP session multiplexing.
option -
http-ip-header For HTTP multiplexing, enable to add the original client IP address in the XForwarded-For HTTP header.
enable: Enable adding HTTP header.
disable: Disable adding HTTP header.
option -
http-ip-header-name For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. string Maximum length: 35
outlook-web-access Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
disable: Disable Outlook Web Access support.
enable: Enable Outlook Web Access support.
option -
weblogic-server Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
disable: Do not add HTTP header indicating SSL offload for WebLogic server.
enable: Add HTTP header indicating SSL offload for WebLogic server.
option -
websphere-server Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
disable: Do not add HTTP header indicating SSL offload for WebSphere server.
enable: Add HTTP header indicating SSL offload for WebSphere server.
option -
ssl-mode Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
half: Client to FortiGate SSL.
full: Client to FortiGate and FortiGate to Server SSL.
option -
ssl-certificate The name of the SSL certificate to use for SSL acceleration. string Maximum length: 35
ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
768: 768-bit Diffie-Hellman prime.
1024: 1024-bit Diffie-Hellman prime.
1536: 1536-bit Diffie-Hellman prime.
2048: 2048-bit Diffie-Hellman prime.
3072: 3072-bit Diffie-Hellman prime.
4096: 4096-bit Diffie-Hellman prime.
option -
ssl-algorithm Permitted encryption algorithms for SSL sessions according to encryption strength.
high: Use AES or 3DES.
medium: Use AES, 3DES, or RC4.
low: Use AES, 3DES, RC4, or DES.
custom: Use config ssl-cipher-suites to select the cipher suites that are allowed.
option -
ssl-server-algorithm Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
high: Use AES or 3DES.
medium: Use AES, 3DES, or RC4.
low: Use AES, 3DES, RC4, or DES.
custom: Use config ssl-server-cipher-suites to select the cipher suites that are allowed.
client: Use the same encryption algorithms for client and server sessions.
option -
ssl-pfs Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
require: Allow only Diffie-Hellman cipher-suites, so PFS is applied.
deny: Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
allow: Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
option -
ssl-min-version Lowest SSL/TLS version acceptable from a client.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -
ssl-max-version Highest SSL/TLS version acceptable from a client.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -
ssl-server-min-version Lowest SSL/TLS version acceptable from a server. Use the client setting by default.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
client: Use same value as client configuration.
option -
ssl-server-max-version Highest SSL/TLS version acceptable from a server. Use the client setting by default.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
client: Use same value as client configuration.
option -
ssl-send-empty-frags Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
enable: Send empty fragments.
disable: Do not send empty fragments.
option -
ssl-client-fallback Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
disable: Disable.
enable: Enable.
option -
ssl-client-renegotiation Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
allow: Allow a SSL client to renegotiate.
deny: Abort any SSL connection that attempts to renegotiate.
secure: Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
option -
ssl-client-session-state-type How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
disable: Do not keep session states.
time: Expire session states after this many minutes.
count: Expire session states when this maximum is reached.
both: Expire session states based on time or count, whichever occurs first.
option -
ssl-client-session-state-timeout Number of minutes to keep client to FortiGate SSL session state. integer Minimum value: 1 Maximum value: 14400
ssl-client-session-state-max Maximum number of client to FortiGate SSL session states to keep. integer Minimum value: 1 Maximum value: 10000
ssl-client-rekey-count Maximum length of data in MB before triggering a client rekey (0 = disable). integer Minimum value: 200 Maximum value: 1048576
ssl-server-session-state-type How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
disable: Do not keep session states.
time: Expire session states after this many minutes.
count: Expire session states when this maximum is reached.
both: Expire session states based on time or count, whichever occurs first.
option -
ssl-server-session-state-timeout Number of minutes to keep FortiGate to Server SSL session state. integer Minimum value: 1 Maximum value: 14400
ssl-server-session-state-max Maximum number of FortiGate to Server SSL session states to keep. integer Minimum value: 1 Maximum value: 10000
ssl-http-location-conversion Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
enable: Enable HTTP location conversion.
disable: Disable HTTP location conversion.
option -
ssl-http-match-host Enable/disable HTTP host matching for location conversion.
enable: Match HTTP host in response header.
disable: Do not match HTTP host.
option -
ssl-hpkp Enable/disable including HPKP header in response.
disable: Do not add a HPKP header to each HTTP response.
enable: Add a HPKP header to each a HTTP response.
report-only: Add a HPKP Report-Only header to each HTTP response.
option -
ssl-hpkp-primary Certificate to generate primary HPKP pin from. string Maximum length: 79
ssl-hpkp-backup Certificate to generate backup HPKP pin from. string Maximum length: 79
ssl-hpkp-age Number of minutes the web browser should keep HPKP. integer Minimum value: 60 Maximum value: 157680000
ssl-hpkp-report-uri URL to report HPKP violations to. var-string Maximum length: 255
ssl-hpkp-include-subdomains Indicate that HPKP header applies to all subdomains.
disable: HPKP header does not apply to subdomains.
enable: HPKP header applies to subdomains.
option -
ssl-hsts Enable/disable including HSTS header in response.
disable: Do not add a HSTS header to each a HTTP response.
enable: Add a HSTS header to each HTTP response.
option -
ssl-hsts-age Number of seconds the client should honour the HSTS setting. integer Minimum value: 60 Maximum value: 157680000
ssl-hsts-include-subdomains Indicate that HSTS header applies to all subdomains.
disable: HSTS header does not apply to subdomains.
enable: HSTS header applies to subdomains.
option -
monitor <name> Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
Health monitor name.
string Maximum length: 79
max-embryonic-connections Maximum number of incomplete connections. integer Minimum value: 0 Maximum value: 100000

config realservers

Parameter Name Description Type Size
ip IPv6 address of the real server. ipv6-address Not Specified
port Port for communicating with the real server. Required if port forwarding is enabled. integer Minimum value: 1 Maximum value: 65535
status Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.
active: Server status active.
standby: Server status standby.
disable: Server status disable.
option -
weight Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. integer Minimum value: 1 Maximum value: 255
holddown-interval Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. integer Minimum value: 30 Maximum value: 65535
healthcheck Enable to check the responsiveness of the real server before forwarding traffic.
disable: Disable per server health check.
enable: Enable per server health check.
vip: Use health check defined in VIP.
option -
http-host HTTP server domain name in HTTP header. string Maximum length: 63
max-connections Max number of active connections that can directed to the real server. When reached, sessions are sent to other real servers. integer Minimum value: 0 Maximum value: 2147483647
monitor Name of the health check monitor to use when polling to determine a virtual server's connectivity status. string Maximum length: 79
client-ip Only clients in this IP range can connect to this real server. user Not Specified

config ssl-cipher-suites

Parameter Name Description Type Size
cipher
versions SSL/TLS versions that the cipher suite can be used with.
ssl-3.0: SSL 3.0.
tls-1.0: TLS 1.0.
tls-1.1: TLS 1.1.
tls-1.2: TLS 1.2.
tls-1.3: TLS 1.3.
option -

config ssl-server-cipher-suites

Parameter Name Description Type Size
cipher
versions SSL/TLS versions that the cipher suite can be used with.
option -