config firewall ssl-ssh-profile
Configure SSL/SSH protocol options.
config firewall ssl-ssh-profile Description: Configure SSL/SSH protocol options. edit <name> set block-blacklisted-certificates [disable|enable] set caname {string} set comment {var-string} config ftps Description: Configure FTPS options. set ports {integer} set status [disable|deep-inspection] set client-cert-request [bypass|inspect|...] set unsupported-ssl [bypass|inspect|...] set invalid-server-cert [allow|block] set untrusted-server-cert [allow|block|...] set sni-server-cert-check [enable|strict|...] end config https Description: Configure HTTPS options. set ports {integer} set status [disable|certificate-inspection|...] set client-cert-request [bypass|inspect|...] set unsupported-ssl [bypass|inspect|...] set invalid-server-cert [allow|block] set untrusted-server-cert [allow|block|...] set sni-server-cert-check [enable|strict|...] end config imaps Description: Configure IMAPS options. set ports {integer} set status [disable|deep-inspection] set client-cert-request [bypass|inspect|...] set unsupported-ssl [bypass|inspect|...] set invalid-server-cert [allow|block] set untrusted-server-cert [allow|block|...] set sni-server-cert-check [enable|strict|...] end set mapi-over-https [enable|disable] config pop3s Description: Configure POP3S options. set ports {integer} set status [disable|deep-inspection] set client-cert-request [bypass|inspect|...] set unsupported-ssl [bypass|inspect|...] set invalid-server-cert [allow|block] set untrusted-server-cert [allow|block|...] set sni-server-cert-check [enable|strict|...] end set rpc-over-https [enable|disable] set server-cert {string} set server-cert-mode [re-sign|replace] config smtps Description: Configure SMTPS options. set ports {integer} set status [disable|deep-inspection] set client-cert-request [bypass|inspect|...] set unsupported-ssl [bypass|inspect|...] set invalid-server-cert [allow|block] set untrusted-server-cert [allow|block|...] set sni-server-cert-check [enable|strict|...] end config ssh Description: Configure SSH options. set ports {integer} set status [disable|deep-inspection] set inspect-all [disable|deep-inspection] set unsupported-version [bypass|block] set ssh-tun-policy-check [disable|enable] set ssh-algorithm [compatible|high-encryption] end config ssl Description: Configure SSL options. set inspect-all [disable|certificate-inspection|...] set client-cert-request [bypass|inspect|...] set unsupported-ssl [bypass|inspect|...] set invalid-server-cert [allow|block] set untrusted-server-cert [allow|block|...] set sni-server-cert-check [enable|strict|...] end set ssl-anomalies-log [disable|enable] config ssl-exempt Description: Servers to exempt from SSL inspection. edit <id> set type [fortiguard-category|address|...] set fortiguard-category {integer} set address {string} set address6 {string} set wildcard-fqdn {string} set regex {string} next end set ssl-exemptions-log [disable|enable] config ssl-server Description: SSL servers. edit <id> set ip {ipv4-address-any} set https-client-cert-request [bypass|inspect|...] set smtps-client-cert-request [bypass|inspect|...] set pop3s-client-cert-request [bypass|inspect|...] set imaps-client-cert-request [bypass|inspect|...] set ftps-client-cert-request [bypass|inspect|...] set ssl-other-client-cert-request [bypass|inspect|...] next end set untrusted-caname {string} set use-ssl-server [disable|enable] set whitelist [enable|disable] next end
config firewall ssl-ssh-profile
Parameter |
Description |
Type |
Size |
|||||||
---|---|---|---|---|---|---|---|---|---|---|
block-blacklisted-certificates |
Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. |
option |
- |
|||||||
|
|
|||||||||
caname |
CA certificate used by SSL Inspection. |
string |
Maximum length: 35 |
|||||||
comment |
Optional comments. |
var-string |
Maximum length: 255 |
|||||||
mapi-over-https |
Enable/disable inspection of MAPI over HTTPS. |
option |
- |
|||||||
|
|
|||||||||
name |
Name. |
string |
Maximum length: 35 |
|||||||
rpc-over-https |
Enable/disable inspection of RPC over HTTPS. |
option |
- |
|||||||
|
|
|||||||||
server-cert |
Certificate used by SSL Inspection to replace server certificate. |
string |
Maximum length: 35 |
|||||||
server-cert-mode |
Re-sign or replace the server's certificate. |
option |
- |
|||||||
|
|
|||||||||
ssl-anomalies-log |
Enable/disable logging SSL anomalies. |
option |
- |
|||||||
|
|
|||||||||
ssl-exemptions-log |
Enable/disable logging SSL exemptions. |
option |
- |
|||||||
|
|
|||||||||
untrusted-caname |
Untrusted CA certificate used by SSL Inspection. |
string |
Maximum length: 35 |
|||||||
use-ssl-server |
Enable/disable the use of SSL server table for SSL offloading. |
option |
- |
|||||||
|
|
|||||||||
whitelist |
Enable/disable exempting servers by FortiGuard whitelist. |
option |
- |
|||||||
|
|
config ftps
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|||||||||
status |
Configure protocol inspection status. |
option |
- |
|||||||||
|
|
|||||||||||
client-cert-request |
Action based on client certificate request. |
option |
- |
|||||||||
|
|
|||||||||||
unsupported-ssl |
Action based on the SSL encryption used being unsupported. |
option |
- |
|||||||||
|
|
|||||||||||
invalid-server-cert |
Allow or block the invalid SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
untrusted-server-cert |
Allow, ignore, or block the untrusted SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
|||||||||
|
|
config https
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|||||||||
status |
Configure protocol inspection status. |
option |
- |
|||||||||
|
|
|||||||||||
client-cert-request |
Action based on client certificate request. |
option |
- |
|||||||||
|
|
|||||||||||
unsupported-ssl |
Action based on the SSL encryption used being unsupported. |
option |
- |
|||||||||
|
|
|||||||||||
invalid-server-cert |
Allow or block the invalid SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
untrusted-server-cert |
Allow, ignore, or block the untrusted SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
|||||||||
|
|
config imaps
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|||||||||
status |
Configure protocol inspection status. |
option |
- |
|||||||||
|
|
|||||||||||
client-cert-request |
Action based on client certificate request. |
option |
- |
|||||||||
|
|
|||||||||||
unsupported-ssl |
Action based on the SSL encryption used being unsupported. |
option |
- |
|||||||||
|
|
|||||||||||
invalid-server-cert |
Allow or block the invalid SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
untrusted-server-cert |
Allow, ignore, or block the untrusted SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
|||||||||
|
|
config pop3s
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|||||||||
status |
Configure protocol inspection status. |
option |
- |
|||||||||
|
|
|||||||||||
client-cert-request |
Action based on client certificate request. |
option |
- |
|||||||||
|
|
|||||||||||
unsupported-ssl |
Action based on the SSL encryption used being unsupported. |
option |
- |
|||||||||
|
|
|||||||||||
invalid-server-cert |
Allow or block the invalid SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
untrusted-server-cert |
Allow, ignore, or block the untrusted SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
|||||||||
|
|
config smtps
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|||||||||
status |
Configure protocol inspection status. |
option |
- |
|||||||||
|
|
|||||||||||
client-cert-request |
Action based on client certificate request. |
option |
- |
|||||||||
|
|
|||||||||||
unsupported-ssl |
Action based on the SSL encryption used being unsupported. |
option |
- |
|||||||||
|
|
|||||||||||
invalid-server-cert |
Allow or block the invalid SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
untrusted-server-cert |
Allow, ignore, or block the untrusted SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
|||||||||
|
|
config ssh
Parameter |
Description |
Type |
Size |
|||||||
---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|||||||
status |
Configure protocol inspection status. |
option |
- |
|||||||
|
|
|||||||||
inspect-all |
Level of SSL inspection. |
option |
- |
|||||||
|
|
|||||||||
unsupported-version |
Action based on SSH version being unsupported. |
option |
- |
|||||||
|
|
|||||||||
ssh-tun-policy-check |
Enable/disable SSH tunnel policy check. |
option |
- |
|||||||
|
|
|||||||||
ssh-algorithm |
Relative strength of encryption algorithms accepted during negotiation. |
option |
- |
|||||||
|
|
config ssl
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
inspect-all |
Level of SSL inspection. |
option |
- |
|||||||||
|
|
|||||||||||
client-cert-request |
Action based on client certificate request. |
option |
- |
|||||||||
|
|
|||||||||||
unsupported-ssl |
Action based on the SSL encryption used being unsupported. |
option |
- |
|||||||||
|
|
|||||||||||
invalid-server-cert |
Allow or block the invalid SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
untrusted-server-cert |
Allow, ignore, or block the untrusted SSL session server certificate. |
option |
- |
|||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
|||||||||
|
|
config ssl-exempt
Parameter |
Description |
Type |
Size |
|||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
id |
ID number. |
integer |
Minimum value: 0 Maximum value: 512 |
|||||||||||||
type |
Type of address object (IPv4 or IPv6) or FortiGuard category. |
option |
- |
|||||||||||||
|
|
|||||||||||||||
fortiguard-category |
FortiGuard category ID. |
integer |
Minimum value: 0 Maximum value: 255 |
|||||||||||||
address |
IPv4 address object. |
string |
Maximum length: 79 |
|||||||||||||
address6 |
IPv6 address object. |
string |
Maximum length: 79 |
|||||||||||||
wildcard-fqdn |
Exempt servers by wildcard FQDN. |
string |
Maximum length: 79 |
|||||||||||||
regex |
Exempt servers by regular expression. |
string |
Maximum length: 255 |
config ssl-server
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
id |
SSL server ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||
ip |
IPv4 address of the SSL server. |
ipv4-address-any |
Not Specified |
|||||||||
https-client-cert-request |
Action based on client certificate request during the HTTPS handshake. |
option |
- |
|||||||||
|
|
|||||||||||
smtps-client-cert-request |
Action based on client certificate request during the SMTPS handshake. |
option |
- |
|||||||||
|
|
|||||||||||
pop3s-client-cert-request |
Action based on client certificate request during the POP3S handshake. |
option |
- |
|||||||||
|
|
|||||||||||
imaps-client-cert-request |
Action based on client certificate request during the IMAPS handshake. |
option |
- |
|||||||||
|
|
|||||||||||
ftps-client-cert-request |
Action based on client certificate request during the FTPS handshake. |
option |
- |
|||||||||
|
|
|||||||||||
ssl-other-client-cert-request |
Action based on client certificate request during an SSL protocol handshake. |
option |
- |
|||||||||
|
|