
CLI Reference

firewall ssl setting

SSL proxy settings.

  config firewall ssl setting
      Description: SSL proxy settings.
      set proxy-connect-timeout {integer}
      set ssl-dh-bits [768|1024|...]
      set ssl-send-empty-frags [enable|disable]
      set no-matching-cipher-action [bypass|drop]
      set cert-cache-capacity {integer}
      set cert-cache-timeout {integer}
      set session-cache-capacity {integer}
      set session-cache-timeout {integer}
      set kxp-queue-threshold {integer}
      set ssl-queue-threshold {integer}
      set abbreviate-handshake [enable|disable]
  end

config firewall ssl setting

proxy-connect-timeout
    Description: Time limit to make an internal connection to the appropriate proxy process (1 - 60 sec, default = 30).
    Type: integer
    Size: Minimum value: 1, Maximum value: 60

ssl-dh-bits
    Description: Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).
        768: 768-bit Diffie-Hellman prime.
        1024: 1024-bit Diffie-Hellman prime.
        1536: 1536-bit Diffie-Hellman prime.
        2048: 2048-bit Diffie-Hellman prime.
    Type: option
    Size: -

ssl-send-empty-frags
    Description: Enable/disable sending empty fragments to avoid attack on CBC IV (for SSL 3.0 and TLS 1.0 only).
        enable: Send empty fragments.
        disable: Do not send empty fragments.
    Type: option
    Size: -

no-matching-cipher-action
    Description: Bypass or drop the connection when no matching cipher is found.
        bypass: Bypass connection.
        drop: Drop connection.
    Type: option
    Size: -

cert-cache-capacity
    Description: Maximum capacity of the host certificate cache (0 - 500, default = 200).
    Type: integer
    Size: Minimum value: 0, Maximum value: 500

cert-cache-timeout
    Description: Time limit to keep certificate cache (1 - 120 min, default = 10).
    Type: integer
    Size: Minimum value: 1, Maximum value: 120

session-cache-capacity
    Description: Capacity of the SSL session cache (--Obsolete--) (1 - 1000, default = 500).
    Type: integer
    Size: Minimum value: 0, Maximum value: 1000

session-cache-timeout
    Description: Time limit to keep SSL session state (1 - 60 min, default = 20).
    Type: integer
    Size: Minimum value: 1, Maximum value: 60

kxp-queue-threshold
    Description: Maximum length of the CP KXP queue. When the queue becomes full, the proxy switches cipher functions to the main CPU (0 - 512, default = 16).
    Type: integer
    Size: Minimum value: 0, Maximum value: 512

ssl-queue-threshold
    Description: Maximum length of the CP SSL queue. When the queue becomes full, the proxy switches cipher functions to the main CPU (0 - 512, default = 32).
    Type: integer
    Size: Minimum value: 0, Maximum value: 512

abbreviate-handshake
    Description: Enable/disable use of SSL abbreviated handshake.
        enable: Enable use of SSL abbreviated handshake.
        disable: Disable use of SSL abbreviated handshake.
    Type: option
    Size: -
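The parameter reference above is what an auditor checks a running configuration against: every integer must sit inside its documented range, ssl-dh-bits should not be below the 2048-bit default, and no-matching-cipher-action set to bypass lets a session the proxy cannot negotiate a cipher for through uninspected. The following Python script is an added example, not Fortinet code and not part of this reference page: it parses the text of a "config firewall ssl setting" block (as it appears in a FortiOS configuration backup) and reports settings outside the documented ranges or weaker than the defaults. The two configuration blocks in it are constructed samples; the range table is taken from the parameter descriptions above.

```python
import re

# Documented integer parameters from the reference: (minimum, maximum, default).
INTEGER_RANGES = {
    "proxy-connect-timeout": (1, 60, 30),
    "cert-cache-capacity": (0, 500, 200),
    "cert-cache-timeout": (1, 120, 10),
    "session-cache-capacity": (0, 1000, 500),
    "session-cache-timeout": (1, 60, 20),
    "kxp-queue-threshold": (0, 512, 16),
    "ssl-queue-threshold": (0, 512, 32),
}
DH_BITS_ALLOWED = {768, 1024, 1536, 2048}   # documented option values
MIN_ACCEPTABLE_DH_BITS = 2048               # the documented default

# Matches one "set <name> <value>" line inside the block.
SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(\S+)\s*$")

# Constructed sample: a weakened configuration (not from any real device).
WEAK_CONFIG = """\
config firewall ssl setting
    set proxy-connect-timeout 90
    set ssl-dh-bits 1024
    set ssl-send-empty-frags disable
    set no-matching-cipher-action bypass
    set cert-cache-capacity 200
    set abbreviate-handshake enable
end
"""

# Constructed sample: the same block with documented defaults / stricter choices.
HARDENED_CONFIG = """\
config firewall ssl setting
    set proxy-connect-timeout 30
    set ssl-dh-bits 2048
    set ssl-send-empty-frags enable
    set no-matching-cipher-action drop
    set cert-cache-capacity 200
    set abbreviate-handshake enable
end
"""


def parse_ssl_setting(cli_text):
    """Return {parameter: value} for the 'config firewall ssl setting' block."""
    settings = {}
    in_block = False
    for line in cli_text.splitlines():
        stripped = line.strip()
        if stripped == "config firewall ssl setting":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped == "end":          # block closed; stop parsing
            break
        match = SET_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit_ssl_setting(settings):
    """Return a list of (severity, parameter, message) findings."""
    findings = []
    # 1. Integer parameters must stay inside the documented Minimum/Maximum.
    for name, (lo, hi, _default) in INTEGER_RANGES.items():
        if name not in settings:
            continue
        if not settings[name].isdigit():
            findings.append(("error", name, f"non-integer value {settings[name]!r}"))
            continue
        value = int(settings[name])
        if not lo <= value <= hi:
            findings.append(("error", name, f"{value} is outside the documented range {lo}-{hi}"))
    # 2. DH prime size: only documented values are valid; below the default is weak.
    dh = settings.get("ssl-dh-bits")
    if dh is not None:
        bits = int(dh) if dh.isdigit() else None
        if bits not in DH_BITS_ALLOWED:
            findings.append(("error", "ssl-dh-bits", f"unsupported value {dh!r}"))
        elif bits < MIN_ACCEPTABLE_DH_BITS:
            findings.append(("high", "ssl-dh-bits",
                             f"{bits}-bit DH prime is below the {MIN_ACCEPTABLE_DH_BITS}-bit default"))
    # 3. bypass passes sessions with no matching cipher through without proxy inspection.
    if settings.get("no-matching-cipher-action") == "bypass":
        findings.append(("medium", "no-matching-cipher-action",
                         "bypass lets sessions with no matching cipher through uninspected; drop is stricter"))
    # 4. Empty fragments are the documented CBC IV mitigation for SSL 3.0 / TLS 1.0.
    if settings.get("ssl-send-empty-frags") == "disable":
        findings.append(("low", "ssl-send-empty-frags",
                         "CBC IV mitigation for SSL 3.0/TLS 1.0 is disabled"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, name, message in audit_ssl_setting(parse_ssl_setting(text)):
            print(f"[{severity}] {name}: {message}")
```

Run the script on a configuration backup by passing its text to parse_ssl_setting; parameters left at their defaults are absent from the block and are simply not reported, which is why the audit only validates the settings it finds.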