CLI Reference

config firewall ssl-server

Configure SSL servers.

config firewall ssl-server
    Description: Configure SSL servers.
    edit <name>
        set add-header-x-forwarded-proto [enable|disable]
        set ip {ipv4-address-any}
        set mapped-port {integer}
        set port {integer}
        set ssl-algorithm [high|medium|...]
        set ssl-cert {string}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-max-version [tls-1.0|tls-1.1|...]
        set ssl-min-version [tls-1.0|tls-1.1|...]
        set ssl-mode [half|full]
        set ssl-send-empty-frags [enable|disable]
        set url-rewrite [enable|disable]
    next
end
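The block above is the syntax skeleton; the table further down gives the meaning of each option. The following audit script is an added example (it is not Fortinet's code and not part of the original page): it parses the config/edit/set/next/end structure shown here and flags the values that the parameter table marks as weak (TLS 1.0/1.1 as minimum, medium/low cipher strength, DH groups under 2048 bits, renegotiation set to allow, empty fragments disabled while TLS 1.0 is still negotiable, and half mode as an informational note). The two embedded configurations, their names and addresses are constructed for illustration; settings that are not explicitly set are left to the firmware default, which the script does not assume.

```python
"""Audit `config firewall ssl-server` entries for weak TLS settings.

Added example, not Fortinet's code. Parses only the config/edit/set/next/end
structure shown on the page; sample configs below are constructed. Absent
settings take the firmware default, which is not assumed: only explicit
values are judged.
"""
import shlex

TLS_ORDER = {"tls-1.0": 0, "tls-1.1": 1, "tls-1.2": 2}

WEAK_CONFIG = """
config firewall ssl-server
    edit "legacy-web"
        set ip 10.0.0.10
        set port 443
        set ssl-mode half
        set ssl-algorithm low
        set ssl-dh-bits 1024
        set ssl-min-version tls-1.0
        set ssl-max-version tls-1.2
        set ssl-client-renegotiation allow
        set ssl-send-empty-frags disable
    next
end
"""

HARDENED_CONFIG = """
config firewall ssl-server
    edit "web-443"
        set ip 10.0.0.10
        set port 443
        set ssl-mode full
        set ssl-algorithm high
        set ssl-dh-bits 2048
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.2
        set ssl-client-renegotiation secure
        set add-header-x-forwarded-proto enable
    next
end
"""


def parse_ssl_servers(cli_text):
    """Return {server_name: {setting: value}} for every `edit` in the block."""
    servers, current, in_block = {}, None, False
    for raw in cli_text.splitlines():
        tokens = shlex.split(raw)  # handles quoted names such as edit "web-443"
        if not tokens:
            continue
        if tokens[:3] == ["config", "firewall", "ssl-server"]:
            in_block = True
        elif not in_block:
            continue
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            servers[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) > 2:
            servers[current][tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_block = False
    return servers


def audit_ssl_server(s):
    """Return [(severity, setting, message)] for one ssl-server entry."""
    f = []
    min_v, max_v = s.get("ssl-min-version"), s.get("ssl-max-version")
    if min_v in ("tls-1.0", "tls-1.1"):
        f.append(("HIGH", "ssl-min-version", f"{min_v} is deprecated (RFC 8996); set tls-1.2"))
    if min_v in TLS_ORDER and max_v in TLS_ORDER and TLS_ORDER[max_v] < TLS_ORDER[min_v]:
        f.append(("HIGH", "ssl-max-version", f"{max_v} is below ssl-min-version {min_v}; nothing can be negotiated"))
    alg = s.get("ssl-algorithm")
    if alg in ("medium", "low"):
        weak = "3DES and RC4" if alg == "medium" else "3DES, RC4 and DES"
        f.append(("HIGH", "ssl-algorithm", f"{alg} admits {weak}; set high"))
    dh = s.get("ssl-dh-bits")
    if dh in ("768", "1024"):
        f.append(("HIGH", "ssl-dh-bits", f"{dh}-bit DH group is breakable; set 2048"))
    elif dh == "1536":
        f.append(("MEDIUM", "ssl-dh-bits", "1536-bit DH group is below the 2048-bit minimum; set 2048"))
    if s.get("ssl-client-renegotiation") == "allow":
        f.append(("MEDIUM", "ssl-client-renegotiation", "accepts peers without RFC 5746; set secure or deny"))
    # Empty fragments only matter for the chained-IV CBC weakness of TLS 1.0.
    if s.get("ssl-send-empty-frags") == "disable" and min_v == "tls-1.0":
        f.append(("MEDIUM", "ssl-send-empty-frags", "CBC IV mitigation off while TLS 1.0 is negotiable"))
    if s.get("ssl-mode") == "half":
        f.append(("INFO", "ssl-mode", "half: FortiGate-to-server leg is cleartext; confirm that path is trusted"))
    return f


def audit_config(cli_text):
    """Audit every ssl-server in the text; returns {name: findings}."""
    return {name: audit_ssl_server(s) for name, s in parse_ssl_servers(cli_text).items()}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for name, findings in audit_config(cfg).items():
            print(f"[{label}] {name}: {len(findings)} finding(s)")
            for sev, setting, msg in findings:
                print(f"  {sev:6} {setting}: {msg}")
```

Run it against the output of `show firewall ssl-server` pasted into a file; the hardened sample produces no findings, the legacy one produces three HIGH, two MEDIUM and one INFO entry.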

config firewall ssl-server

Each entry gives the parameter, its description, its type and its size; option-typed parameters also list their accepted values.

add-header-x-forwarded-proto
    Enable/disable adding an X-Forwarded-Proto header to forwarded requests, so a
    back-end server that receives a cleartext leg (ssl-mode half) can still tell
    that the client connected over HTTPS.
    Type: option    Size: -
        enable    Add X-Forwarded-Proto header.
        disable   Do not add X-Forwarded-Proto header.

ip
    IPv4 address of the SSL server.
    Type: ipv4-address-any    Size: Not Specified

mapped-port
    Mapped server service port.
    Type: integer    Size: Minimum value: 1 Maximum value: 65535

name
    Server name.
    Type: string    Size: Maximum length: 35

port
    Server service port.
    Type: integer    Size: Minimum value: 1 Maximum value: 65535

ssl-algorithm
    Relative strength of encryption algorithms accepted in negotiation. Only high
    excludes ciphers that are broken or deprecated: RC4 is prohibited for TLS by
    RFC 7465, 3DES has a 64-bit block (Sweet32 birthday attacks) and DES has a
    56-bit key. Use medium or low only for a specific legacy client that cannot
    negotiate AES or ChaCha.
    Type: option    Size: -
        high      High encryption. Allow only AES and ChaCha.
        medium    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
        low       Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-cert
    Name of certificate for SSL connections to this server.
    Type: string    Size: Maximum length: 35

ssl-client-renegotiation
    Allow or block client-initiated renegotiation. allow also accepts peers that
    do not implement RFC 5746, which leaves the session exposed to the TLS
    renegotiation plaintext-injection attack; secure or deny is the safe choice.
    Type: option    Size: -
        allow     Allow an SSL client to renegotiate.
        deny      Abort any SSL connection that attempts to renegotiate.
        secure    Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.

ssl-dh-bits
    Bit-size of the Diffie-Hellman prime used for DHE key exchange. 768- and
    1024-bit groups are within reach of well-resourced attackers (the Logjam
    research broke 512-bit groups and estimated 1024-bit as feasible for a
    nation-state budget); choose 2048.
    Type: option    Size: -
        768       768-bit Diffie-Hellman prime.
        1024      1024-bit Diffie-Hellman prime.
        1536      1536-bit Diffie-Hellman prime.
        2048      2048-bit Diffie-Hellman prime.

ssl-max-version
    Highest SSL/TLS version to negotiate. Must not be lower than ssl-min-version,
    otherwise no version can be agreed on and every handshake fails.
    Type: option    Size: -
        tls-1.0   TLS 1.0.
        tls-1.1   TLS 1.1.
        tls-1.2   TLS 1.2.

ssl-min-version
    Lowest SSL/TLS version to negotiate. TLS 1.0 and 1.1 are deprecated
    (RFC 8996); set tls-1.2 unless a specific legacy client must be supported.
    Type: option    Size: -
        tls-1.0   TLS 1.0.
        tls-1.1   TLS 1.1.
        tls-1.2   TLS 1.2.

ssl-mode
    SSL/TLS mode for encryption and decryption of traffic.
    Type: option    Size: -
        half      Client to FortiGate SSL: TLS is terminated on the FortiGate and the FortiGate-to-server leg is sent in cleartext, so that path must be trusted.
        full      Client to FortiGate and FortiGate to server SSL: the FortiGate decrypts the client leg and re-encrypts toward the server.

ssl-send-empty-frags
    Enable/disable sending empty fragments to mitigate the predictable-CBC-IV
    weakness of SSLv3/TLS 1.0 (the BEAST class of attacks). Disabling it is an
    interoperability workaround for clients that cannot handle empty records;
    the setting has no effect once ssl-min-version is tls-1.1 or higher, because
    those versions use explicit per-record IVs.
    Type: option    Size: -
        enable    Send empty fragments.
        disable   Do not send empty fragments.

url-rewrite
    Enable/disable rewriting the URL.
    Type: option    Size: -
        enable    Enable URL rewriting.
        disable   Disable URL rewriting.
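The add-header-x-forwarded-proto option only has value if the back-end honours the header from the FortiGate and from nowhere else: in half mode the server sees plain HTTP, and if it accepts X-Forwarded-Proto from any source, anyone who can reach the server directly can spoof "https" and bypass HTTPS-only logic. The following back-end helper is an added example (not Fortinet's code and not from the original page) showing that check; the TRUSTED_PROXIES addresses and the sample requests are constructed for illustration.

```python
"""Derive the client's original scheme on a server behind a FortiGate ssl-server.

Added example, not Fortinet's code. TRUSTED_PROXIES holds the addresses the
FortiGate uses toward this server; the values below are constructed.
"""
from ipaddress import ip_address, ip_network

TRUSTED_PROXIES = [ip_network("10.0.0.1/32"), ip_network("10.0.0.2/32")]


def effective_scheme(remote_addr, headers, connection_is_tls):
    """Return "https" or "http" for the original client connection.

    full mode: the FortiGate-to-server leg is TLS itself, so the answer is
    https regardless of headers. half mode: the leg is cleartext, and
    X-Forwarded-Proto is honoured only when the request came from a trusted
    FortiGate address; any other source gets "http" whatever it claims.
    """
    if connection_is_tls:
        return "https"
    addr = ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        return "http"
    value = ""
    for name, v in headers.items():
        # Header names are case-insensitive; use the first value if a list arrived.
        if name.lower() == "x-forwarded-proto":
            value = v.split(",")[0].strip().lower()
            break
    return "https" if value == "https" else "http"


def should_redirect_to_https(remote_addr, headers, connection_is_tls):
    """HTTPS-only policy: redirect when the original client used plain HTTP."""
    return effective_scheme(remote_addr, headers, connection_is_tls) != "https"


if __name__ == "__main__":
    # Constructed requests: one via the FortiGate, one that bypassed it.
    print(effective_scheme("10.0.0.1", {"X-Forwarded-Proto": "https"}, False))
    print(effective_scheme("192.0.2.55", {"X-Forwarded-Proto": "https"}, False))
```

Whether to keep the trusted list as explicit /32 addresses or a subnet depends on how the FortiGate sources its connections toward the server (for example whether it NATs); the list must cover exactly those addresses and nothing broader.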
