Fortinet white logo
Fortinet white logo

CLI Reference

config firewall ssl-ssh-profile

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
    Description: Configure SSL/SSH protocol options.
    edit <name>
        set block-blacklisted-certificates [disable|enable]
        set caname {string}
        set comment {var-string}
        config ftps
            Description: Configure FTPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config https
            Description: Configure HTTPS options.
            set ports {integer}
            set status [disable|certificate-inspection|...]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        set mapi-over-https [enable|disable]
        config pop3s
            Description: Configure POP3S options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        set rpc-over-https [enable|disable]
        set server-cert {string}
        set server-cert-mode [re-sign|replace]
        config smtps
            Description: Configure SMTPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config ssh
            Description: Configure SSH options.
            set ports {integer}
            set status [disable|deep-inspection]
            set inspect-all [disable|deep-inspection]
            set unsupported-version [bypass|block]
            set ssh-tun-policy-check [disable|enable]
            set ssh-algorithm [compatible|high-encryption]
        end
        config ssl
            Description: Configure SSL options.
            set inspect-all [disable|certificate-inspection|...]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        set ssl-anomalies-log [disable|enable]
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set type [fortiguard-category|address|...]
                set fortiguard-category {integer}
                set address {string}
                set address6 {string}
                set wildcard-fqdn {string}
                set regex {string}
            next
        end
        set ssl-exemptions-log [disable|enable]
        config ssl-server
            Description: SSL servers.
            edit <id>
                set ip {ipv4-address-any}
                set https-client-cert-request [bypass|inspect|...]
                set smtps-client-cert-request [bypass|inspect|...]
                set pop3s-client-cert-request [bypass|inspect|...]
                set imaps-client-cert-request [bypass|inspect|...]
                set ftps-client-cert-request [bypass|inspect|...]
                set ssl-other-client-cert-request [bypass|inspect|...]
            next
        end
        set untrusted-caname {string}
        set use-ssl-server [disable|enable]
        set whitelist [enable|disable]
    next
end

config firewall ssl-ssh-profile

Parameter

Description

Type

Size

block-blacklisted-certificates

Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist.

option

-

Option

Description

disable

Disable FortiGuard certificate blacklist.

enable

Enable FortiGuard certificate blacklist.

caname

CA certificate used by SSL Inspection.

string

Maximum length: 35

comment

Optional comments.

var-string

Maximum length: 255

mapi-over-https

Enable/disable inspection of MAPI over HTTPS.

option

-

Option

Description

enable

Enable inspection of MAPI over HTTPS.

disable

Disable inspection of MAPI over HTTPS.

name

Name.

string

Maximum length: 35

rpc-over-https

Enable/disable inspection of RPC over HTTPS.

option

-

Option

Description

enable

Enable inspection of RPC over HTTPS.

disable

Disable inspection of RPC over HTTPS.

server-cert

Certificate used by SSL Inspection to replace server certificate.

string

Maximum length: 35

server-cert-mode

Re-sign or replace the server's certificate.

option

-

Option

Description

re-sign

Multiple clients connecting to multiple servers.

replace

Protect an SSL server.

ssl-anomalies-log

Enable/disable logging SSL anomalies.

option

-

Option

Description

disable

Disable logging SSL anomalies.

enable

Enable logging SSL anomalies.

ssl-exemptions-log

Enable/disable logging SSL exemptions.

option

-

Option

Description

disable

Disable logging SSL exemptions.

enable

Enable logging SSL exemptions.

untrusted-caname

Untrusted CA certificate used by SSL Inspection.

string

Maximum length: 35

use-ssl-server

Enable/disable the use of SSL server table for SSL offloading.

option

-

Option

Description

disable

Don't use SSL server configuration.

enable

Use SSL server configuration.

whitelist

Enable/disable exempting servers by FortiGuard whitelist.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

config ftps

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config https

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config imaps

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config pop3s

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config smtps

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ssh

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

inspect-all

Level of SSL inspection.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-version

Action based on SSH version being unsupported.

option

-

Option

Description

bypass

Bypass the session.

block

Block the session.

ssh-tun-policy-check

Enable/disable SSH tunnel policy check.

option

-

Option

Description

disable

Disable SSH tunnel policy check.

enable

Enable SSH tunnel policy check.

ssh-algorithm

Relative strength of encryption algorithms accepted during negotiation.

option

-

Option

Description

compatible

Allow a broader set of encryption algorithms for best compatibility.

high-encryption

Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

config ssl

Parameter

Description

Type

Size

inspect-all

Level of SSL inspection.

option

-

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ssl-exempt

Parameter

Description

Type

Size

id

ID number.

integer

Minimum value: 0 Maximum value: 512

type

Type of address object (IPv4 or IPv6) or FortiGuard category.

option

-

Option

Description

fortiguard-category

FortiGuard category.

address

Firewall IPv4 address.

address6

Firewall IPv6 address.

wildcard-fqdn

Fully Qualified Domain Name with wildcard characters.

regex

Regular expression FQDN.

fortiguard-category

FortiGuard category ID.

integer

Minimum value: 0 Maximum value: 255

address

IPv4 address object.

string

Maximum length: 79

address6

IPv6 address object.

string

Maximum length: 79

wildcard-fqdn

Exempt servers by wildcard FQDN.

string

Maximum length: 79

regex

Exempt servers by regular expression.

string

Maximum length: 255

config ssl-server

Parameter

Description

Type

Size

id

SSL server ID.

integer

Minimum value: 0 Maximum value: 4294967295

ip

IPv4 address of the SSL server.

ipv4-address-any

Not Specified

https-client-cert-request

Action based on client certificate request during the HTTPS handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

smtps-client-cert-request

Action based on client certificate request during the SMTPS handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

pop3s-client-cert-request

Action based on client certificate request during the POP3S handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

imaps-client-cert-request

Action based on client certificate request during the IMAPS handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ftps-client-cert-request

Action based on client certificate request during the FTPS handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ssl-other-client-cert-request

Action based on client certificate request during an SSL protocol handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

config firewall ssl-ssh-profile

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
    Description: Configure SSL/SSH protocol options.
    edit <name>
        set block-blacklisted-certificates [disable|enable]
        set caname {string}
        set comment {var-string}
        config ftps
            Description: Configure FTPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config https
            Description: Configure HTTPS options.
            set ports {integer}
            set status [disable|certificate-inspection|...]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        set mapi-over-https [enable|disable]
        config pop3s
            Description: Configure POP3S options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        set rpc-over-https [enable|disable]
        set server-cert {string}
        set server-cert-mode [re-sign|replace]
        config smtps
            Description: Configure SMTPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config ssh
            Description: Configure SSH options.
            set ports {integer}
            set status [disable|deep-inspection]
            set inspect-all [disable|deep-inspection]
            set unsupported-version [bypass|block]
            set ssh-tun-policy-check [disable|enable]
            set ssh-algorithm [compatible|high-encryption]
        end
        config ssl
            Description: Configure SSL options.
            set inspect-all [disable|certificate-inspection|...]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        set ssl-anomalies-log [disable|enable]
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set type [fortiguard-category|address|...]
                set fortiguard-category {integer}
                set address {string}
                set address6 {string}
                set wildcard-fqdn {string}
                set regex {string}
            next
        end
        set ssl-exemptions-log [disable|enable]
        config ssl-server
            Description: SSL servers.
            edit <id>
                set ip {ipv4-address-any}
                set https-client-cert-request [bypass|inspect|...]
                set smtps-client-cert-request [bypass|inspect|...]
                set pop3s-client-cert-request [bypass|inspect|...]
                set imaps-client-cert-request [bypass|inspect|...]
                set ftps-client-cert-request [bypass|inspect|...]
                set ssl-other-client-cert-request [bypass|inspect|...]
            next
        end
        set untrusted-caname {string}
        set use-ssl-server [disable|enable]
        set whitelist [enable|disable]
    next
end

config firewall ssl-ssh-profile

Parameter

Description

Type

Size

block-blacklisted-certificates

Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist.

option

-

Option

Description

disable

Disable FortiGuard certificate blacklist.

enable

Enable FortiGuard certificate blacklist.

caname

CA certificate used by SSL Inspection.

string

Maximum length: 35

comment

Optional comments.

var-string

Maximum length: 255

mapi-over-https

Enable/disable inspection of MAPI over HTTPS.

option

-

Option

Description

enable

Enable inspection of MAPI over HTTPS.

disable

Disable inspection of MAPI over HTTPS.

name

Name.

string

Maximum length: 35

rpc-over-https

Enable/disable inspection of RPC over HTTPS.

option

-

Option

Description

enable

Enable inspection of RPC over HTTPS.

disable

Disable inspection of RPC over HTTPS.

server-cert

Certificate used by SSL Inspection to replace server certificate.

string

Maximum length: 35

server-cert-mode

Re-sign or replace the server's certificate.

option

-

Option

Description

re-sign

Multiple clients connecting to multiple servers.

replace

Protect an SSL server.

ssl-anomalies-log

Enable/disable logging SSL anomalies.

option

-

Option

Description

disable

Disable logging SSL anomalies.

enable

Enable logging SSL anomalies.

ssl-exemptions-log

Enable/disable logging SSL exemptions.

option

-

Option

Description

disable

Disable logging SSL exemptions.

enable

Enable logging SSL exemptions.

untrusted-caname

Untrusted CA certificate used by SSL Inspection.

string

Maximum length: 35

use-ssl-server

Enable/disable the use of SSL server table for SSL offloading.

option

-

Option

Description

disable

Don't use SSL server configuration.

enable

Use SSL server configuration.

whitelist

Enable/disable exempting servers by FortiGuard whitelist.

option

-

Option

Description

enable

Enable setting.

disable

Disable setting.

config ftps

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config https

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config imaps

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config pop3s

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config smtps

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ssh

Parameter

Description

Type

Size

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

inspect-all

Level of SSL inspection.

option

-

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-version

Action based on SSH version being unsupported.

option

-

Option

Description

bypass

Bypass the session.

block

Block the session.

ssh-tun-policy-check

Enable/disable SSH tunnel policy check.

option

-

Option

Description

disable

Disable SSH tunnel policy check.

enable

Enable SSH tunnel policy check.

ssh-algorithm

Relative strength of encryption algorithms accepted during negotiation.

option

-

Option

Description

compatible

Allow a broader set of encryption algorithms for best compatibility.

high-encryption

Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

config ssl

Parameter

Description

Type

Size

inspect-all

Level of SSL inspection.

option

-

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

client-cert-request

Action based on client certificate request.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl

Action based on the SSL encryption used being unsupported.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

invalid-server-cert

Allow or block the invalid SSL session server certificate.

option

-

Option

Description

allow

Allow the invalid server certificate.

block

Block the connection when an invalid server certificate is detected.

untrusted-server-cert

Allow, ignore, or block the untrusted SSL session server certificate.

option

-

Option

Description

allow

Allow the untrusted server certificate.

block

Block the connection when an untrusted server certificate is detected.

ignore

Always take the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ssl-exempt

Parameter

Description

Type

Size

id

ID number.

integer

Minimum value: 0 Maximum value: 512

type

Type of address object (IPv4 or IPv6) or FortiGuard category.

option

-

Option

Description

fortiguard-category

FortiGuard category.

address

Firewall IPv4 address.

address6

Firewall IPv6 address.

wildcard-fqdn

Fully Qualified Domain Name with wildcard characters.

regex

Regular expression FQDN.

fortiguard-category

FortiGuard category ID.

integer

Minimum value: 0 Maximum value: 255

address

IPv4 address object.

string

Maximum length: 79

address6

IPv6 address object.

string

Maximum length: 79

wildcard-fqdn

Exempt servers by wildcard FQDN.

string

Maximum length: 79

regex

Exempt servers by regular expression.

string

Maximum length: 255

config ssl-server

Parameter

Description

Type

Size

id

SSL server ID.

integer

Minimum value: 0 Maximum value: 4294967295

ip

IPv4 address of the SSL server.

ipv4-address-any

Not Specified

https-client-cert-request

Action based on client certificate request during the HTTPS handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

smtps-client-cert-request

Action based on client certificate request during the SMTPS handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

pop3s-client-cert-request

Action based on client certificate request during the POP3S handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

imaps-client-cert-request

Action based on client certificate request during the IMAPS handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ftps-client-cert-request

Action based on client certificate request during the FTPS handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ssl-other-client-cert-request

Action based on client certificate request during an SSL protocol handshake.

option

-

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.