CLI Reference

firewall ssl-server

Configure SSL servers.

  config firewall ssl-server
      Description: Configure SSL servers.
      edit <name>
          set ip {ipv4-address-any}
          set port {integer}
          set ssl-mode [half|full]
          set add-header-x-forwarded-proto [enable|disable]
          set mapped-port {integer}
          set ssl-cert {string}
          set ssl-dh-bits [768|1024|...]
          set ssl-algorithm [high|medium|...]
          set ssl-client-renegotiation [allow|deny|...]
          set ssl-min-version [tls-1.0|tls-1.1|...]
          set ssl-max-version [tls-1.0|tls-1.1|...]
          set ssl-send-empty-frags [enable|disable]
          set url-rewrite [enable|disable]
      next
  end

config firewall ssl-server

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ip | IPv4 address of the SSL server. | ipv4-address-any | Not Specified |
| port | Server service port (1 - 65535, default = 443). | integer | Minimum value: 1, Maximum value: 65535 |
| ssl-mode | SSL/TLS mode for encryption and decryption of traffic.<br>half: Client to FortiGate SSL.<br>full: Client to FortiGate and FortiGate to Server SSL. | option | - |
| add-header-x-forwarded-proto | Enable/disable adding an X-Forwarded-Proto header to forwarded requests.<br>enable: Add X-Forwarded-Proto header.<br>disable: Do not add X-Forwarded-Proto header. | option | - |
| mapped-port | Mapped server service port (1 - 65535, default = 80). | integer | Minimum value: 1, Maximum value: 65535 |
| ssl-cert | Name of certificate for SSL connections to this server (default = "Fortinet_CA_SSL"). | string | Maximum length: 35 |
| ssl-dh-bits | Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).<br>768: 768-bit Diffie-Hellman prime.<br>1024: 1024-bit Diffie-Hellman prime.<br>1536: 1536-bit Diffie-Hellman prime.<br>2048: 2048-bit Diffie-Hellman prime. | option | - |
| ssl-algorithm | Relative strength of encryption algorithms accepted in negotiation.<br>high: High encryption. Allow only AES and ChaCha.<br>medium: Medium encryption. Allow AES, ChaCha, 3DES, and RC4.<br>low: Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES. | option | - |
| ssl-client-renegotiation | Allow or block client renegotiation by server.<br>allow: Allow an SSL client to renegotiate.<br>deny: Abort any SSL connection that attempts to renegotiate.<br>secure: Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication. | option | - |
| ssl-min-version | Lowest SSL/TLS version to negotiate.<br>tls-1.0: TLS 1.0.<br>tls-1.1: TLS 1.1.<br>tls-1.2: TLS 1.2.<br>tls-1.3: TLS 1.3. | option | - |
| ssl-max-version | Highest SSL/TLS version to negotiate.<br>tls-1.0: TLS 1.0.<br>tls-1.1: TLS 1.1.<br>tls-1.2: TLS 1.2.<br>tls-1.3: TLS 1.3. | option | - |
| ssl-send-empty-frags | Enable/disable sending empty fragments to avoid attack on CBC IV.<br>enable: Send empty fragments.<br>disable: Do not send empty fragments. | option | - |
| url-rewrite | Enable/disable rewriting the URL.<br>enable: Enable setting.<br>disable: Disable setting. | option | - |
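
An added example, not part of the Fortinet reference: a small Python auditor that parses `config firewall ssl-server` entries and reports explicitly set values that weaken the TLS listener. The policy in `WEAK`, the entry names and the addresses in `SAMPLE` are assumptions constructed for illustration; options that are not set are left to their defaults and are not reported.

```python
import re

# Policy is an assumption of this example; option names and values come from the table above.
WEAK = {
    "ssl-mode": {"half": "FortiGate-to-server leg is not SSL"},
    "ssl-dh-bits": dict.fromkeys(("768", "1024", "1536"), "DH prime below 2048 bits"),
    "ssl-algorithm": {"medium": "allows 3DES and RC4", "low": "allows 3DES, RC4 and DES"},
    "ssl-client-renegotiation": {"allow": "client renegotiation permitted"},
    "ssl-min-version": dict.fromkeys(("tls-1.0", "tls-1.1"), "TLS below 1.2 negotiable"),
}

def parse_ssl_servers(text):
    """Return {entry: {option: value}} from a config firewall ssl-server block."""
    entries, current, inside = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line == "config firewall ssl-server":
            inside = True
        elif line == "end":
            inside = False
        elif inside and (m := re.match(r'edit\s+"?([^"]+)"?$', line)):
            current = entries.setdefault(m.group(1), {})
        elif inside and current is not None and (m := re.match(r'set\s+(\S+)\s+"?([^"]*)"?$', line)):
            current[m.group(1)] = m.group(2)
    return entries

def audit(text):
    """Return sorted (entry, option, value, reason) for explicitly set weak values."""
    return sorted((name, opt, val, WEAK[opt][val])
                  for name, opts in parse_ssl_servers(text).items()
                  for opt, val in opts.items() if val in WEAK.get(opt, {}))

# Constructed sample configuration (names and documentation-range addresses are made up).
SAMPLE = """config firewall ssl-server
    edit "legacy-web"
        set ip 192.0.2.10
        set ssl-mode half
        set ssl-dh-bits 1024
        set ssl-algorithm low
        set ssl-min-version tls-1.0
    next
    edit "hardened-web"
        set ip 192.0.2.20
        set ssl-mode full
        set ssl-algorithm high
        set ssl-client-renegotiation secure
        set ssl-min-version tls-1.2
    next
end"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Only the `legacy-web` entry produces findings; `hardened-web` sets `full`, `high`, `secure` and `tls-1.2` and passes cleanly.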
