
TLS 1.3 proxy support 6.2.1

TLS 1.3 is now supported in proxy mode.

To add TLS 1.3 to an SSL server profile using the CLI:
# FortiOS CLI: SSL server (proxy) profile with both TLS version bounds pinned to 1.3.
# The "<<<<<<" markers on the two version lines are the page author's annotations,
# not CLI syntax — strip them before pasting this into a FortiGate.
config firewall ssl-server
    edit "1"
        # Listener address and port used by this example.
        set ip 172.16.200.99
        set port 443
        # NOTE(review): "half" appears to terminate TLS on the FortiGate and forward
        # the backend leg in clear text to mapped-port 80 — confirm that path is
        # on a trusted network before reusing this example.
        set ssl-mode half
        set add-header-x-forwarded-proto enable
        set url-rewrite disable
        set mapped-port 80
        # NOTE(review): the name suggests this is the built-in CA certificate; for a
        # production listener assign a server certificate issued for the service
        # hostname, otherwise clients will not trust the endpoint.
        set ssl-cert "Fortinet_CA_SSL"
        # DH group size; presumably only relevant when a finite-field DH key
        # exchange is negotiated — no effect on the TLS 1.3-only range below.
        set ssl-dh-bits 2048
        set ssl-algorithm high
        # TLS 1.3 has no renegotiation, so this value is inert while both version
        # bounds are tls-1.3. If the range is later widened to include tls-1.2,
        # prefer "secure" (the value the virtual server example on this page uses).
        set ssl-client-renegotiation allow
        # Min and max both at tls-1.3: any client that cannot negotiate TLS 1.3 is
        # rejected. Lower only ssl-min-version if older clients must still connect.
        set ssl-min-version tls-1.3      <<<<<< add tls 1.3 
        set ssl-max-version tls-1.3      <<<<<< add tls 1.3
        # NOTE(review): empty-fragment sending is a legacy CBC-mode mitigation;
        # presumably no effect under TLS 1.3, harmless to leave enabled — verify.
        set ssl-send-empty-frags enable
    next
end
To add TLS 1.3 to a virtual server profile using the CLI:
# FortiOS CLI: server-load-balance VIP terminating HTTPS with TLS 1.3 pinned.
# The "<<<<<<" markers on the two version lines are the page author's annotations,
# not CLI syntax — strip them before pasting this into a FortiGate.
config firewall vip
    edit "1"
        set id 0
        # UUID as captured in the document; a newly created VIP receives its own.
        set uuid ba50ae56-8c64-51e9-956c-860a475e69c5
        set comment ''
        set type server-load-balance
        # Placeholder external address/interface in this example — replace with
        # the real listener address and the interface it should be reachable on.
        set extip 0.0.0.0
        set extintf ''
        set arp-reply enable
        set server-type https
        set nat-source-vip disable
        set gratuitous-arp-interval 0
        set http-ip-header disable
        set ssl-client-rekey-count 0
        # NOTE(review): HSTS is off in the sample; for browser-facing services it is
        # worth enabling once a valid certificate is assigned below. HPKP is a
        # deprecated mechanism and can stay disabled.
        set ssl-hpkp disable
        set ssl-hsts disable
        set color 0
        set ldb-method static
        set persistence none
        set extport 443
        set http-multiplex disable
        set outlook-web-access disable
        set weblogic-server disable
        set websphere-server disable
        # NOTE(review): "half" appears to terminate TLS on the FortiGate with the
        # backend leg in clear text — confirm the real servers are on a trusted path.
        set ssl-mode half
        # Empty in the sample: an HTTPS VIP needs a server certificate assigned
        # here (the SSL server example on this page shows the equivalent ssl-cert).
        set ssl-certificate ''
        # DH group size; presumably only relevant for finite-field DH key exchange.
        set ssl-dh-bits 2048
        set ssl-algorithm high
        # Forward secrecy is required here — keep this setting.
        set ssl-pfs require
        # Min and max both at tls-1.3: any client that cannot negotiate TLS 1.3 is
        # rejected. Lower only ssl-min-version if older clients must still connect.
        set ssl-min-version tls-1.3      <<<<<< add tls 1.3
        set ssl-max-version tls-1.3      <<<<<< add tls 1.3
        # NOTE(review): empty-fragment sending is a legacy CBC-mode mitigation;
        # presumably no effect under TLS 1.3 — verify.
        set ssl-send-empty-frags enable
        set ssl-client-fallback enable
        # "secure" rather than "allow": TLS 1.3 has no renegotiation, but this is the
        # safer value should the version range ever be widened to TLS 1.2 or older.
        set ssl-client-renegotiation secure
        # Session-state (resumption) settings; timeout units are not shown on this
        # page — check the CLI reference before tuning.
        set ssl-client-session-state-type both
        set ssl-client-session-state-timeout 30
        set ssl-client-session-state-max 1000
        set ssl-http-location-conversion disable
        # NOTE(review): presumably caps half-open (embryonic) connections per VIP,
        # which bounds exposure to connection-exhaustion — confirm the semantics.
        set max-embryonic-connections 1000
    next
end
