config firewall vip6
Configure virtual IP for IPv6.
config firewall vip6
    Description: Configure virtual IP for IPv6.
    edit <name>
        set arp-reply [disable|enable]
        set color {integer}
        set comment {var-string}
        set extip {user}
        set extport {user}
        set http-cookie-age {integer}
        set http-cookie-domain {string}
        set http-cookie-domain-from-host [disable|enable]
        set http-cookie-generation {integer}
        set http-cookie-path {string}
        set http-cookie-share [disable|same-ip]
        set http-ip-header [enable|disable]
        set http-ip-header-name {string}
        set http-multiplex [enable|disable]
        set http-redirect [enable|disable]
        set https-cookie-secure [disable|enable]
        set id {integer}
        set ldb-method [static|round-robin|...]
        set mappedip {user}
        set mappedport {user}
        set max-embryonic-connections {integer}
        set monitor <name1>, <name2>, ...
        set outlook-web-access [disable|enable]
        set persistence [none|http-cookie|...]
        set portforward [disable|enable]
        set protocol [tcp|udp|...]
        config realservers
            Description: Select the real servers that this server load balancing VIP will distribute traffic to.
            edit <id>
                set ip {ipv6-address}
                set port {integer}
                set status [active|standby|...]
                set weight {integer}
                set holddown-interval {integer}
                set healthcheck [disable|enable|...]
                set http-host {string}
                set max-connections {integer}
                set monitor {string}
                set client-ip {user}
            next
        end
        set server-type [http|https|...]
        set src-filter <range1>, <range2>, ...
        set ssl-algorithm [high|medium|...]
        set ssl-certificate {string}
        config ssl-cipher-suites
            Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-client-fallback [disable|enable]
        set ssl-client-rekey-count {integer}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-client-session-state-max {integer}
        set ssl-client-session-state-timeout {integer}
        set ssl-client-session-state-type [disable|time|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-hpkp [disable|enable|...]
        set ssl-hpkp-age {integer}
        set ssl-hpkp-backup {string}
        set ssl-hpkp-include-subdomains [disable|enable]
        set ssl-hpkp-primary {string}
        set ssl-hpkp-report-uri {var-string}
        set ssl-hsts [disable|enable]
        set ssl-hsts-age {integer}
        set ssl-hsts-include-subdomains [disable|enable]
        set ssl-http-location-conversion [enable|disable]
        set ssl-http-match-host [enable|disable]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-mode [half|full]
        set ssl-pfs [require|deny|...]
        set ssl-send-empty-frags [enable|disable]
        set ssl-server-algorithm [high|medium|...]
        config ssl-server-cipher-suites
            Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-server-max-version [ssl-3.0|tls-1.0|...]
        set ssl-server-min-version [ssl-3.0|tls-1.0|...]
        set ssl-server-session-state-max {integer}
        set ssl-server-session-state-timeout {integer}
        set ssl-server-session-state-type [disable|time|...]
        set type [static-nat|server-load-balance]
        set uuid {uuid}
        set weblogic-server [disable|enable]
        set websphere-server [disable|enable]
    next
end
config firewall vip6
Parameter |
Description |
Type |
Size |
|||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
arp-reply |
Enable to respond to ARP requests for this virtual IP address. Enabled by default. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
color |
Color of icon on the GUI. |
integer |
Minimum value: 0 Maximum value: 32 |
|||||||||||||||||||||
comment |
Comment. |
var-string |
Maximum length: 255 |
|||||||||||||||||||||
extip |
IP address or address range on the external interface that you want to map to an address or address range on the destination network. |
user |
Not Specified |
|||||||||||||||||||||
extport |
Incoming port number range that you want to map to a port number range on the destination network. |
user |
Not Specified |
|||||||||||||||||||||
http-cookie-age |
Time in minutes that client web browsers should keep a cookie. Default is 60 seconds (as documented; note that this differs from the minutes unit used for the configured value). 0 = no time limit. |
integer |
Minimum value: 0 Maximum value: 525600 |
|||||||||||||||||||||
http-cookie-domain |
Domain that HTTP cookie persistence should apply to. |
string |
Maximum length: 35 |
|||||||||||||||||||||
http-cookie-domain-from-host |
Enable/disable use of HTTP cookie domain from host field in HTTP. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
http-cookie-generation |
Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||||||||||||||
http-cookie-path |
Limit HTTP cookie persistence to the specified path. |
string |
Maximum length: 35 |
|||||||||||||||||||||
http-cookie-share |
Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
http-ip-header |
For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
http-ip-header-name |
For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. |
string |
Maximum length: 35 |
|||||||||||||||||||||
http-multiplex |
Enable/disable HTTP multiplexing. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
http-redirect |
Enable/disable redirection of HTTP to HTTPS. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
https-cookie-secure * |
Enable/disable verification that inserted HTTPS cookies are secure. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
id |
Custom defined ID. |
integer |
Minimum value: 0 Maximum value: 65535 |
|||||||||||||||||||||
ldb-method |
Method used to distribute sessions to real servers. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
mappedip |
Mapped IP address range in the format startIP-endIP. |
user |
Not Specified |
|||||||||||||||||||||
mappedport |
Port number range on the destination network to which the external port number range is mapped. |
user |
Not Specified |
|||||||||||||||||||||
max-embryonic-connections |
Maximum number of incomplete connections. |
integer |
Minimum value: 0 Maximum value: 100000 |
|||||||||||||||||||||
monitor |
Name of the health check monitor to use when polling to determine a virtual server's connectivity status. |
string |
Maximum length: 79 |
|||||||||||||||||||||
name |
Virtual ip6 name. |
string |
Maximum length: 79 |
|||||||||||||||||||||
outlook-web-access |
Enable to add the Front-End-Https header for Microsoft Outlook Web Access. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
persistence |
Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
portforward |
Enable port forwarding. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
protocol |
Protocol to use when forwarding packets. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
server-type |
Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
src-filter |
Source IPv6 filter range (x:x:x:x:x:x:x:x/x). Separate addresses with spaces. |
string |
Maximum length: 79 |
|||||||||||||||||||||
ssl-algorithm * |
Permitted encryption algorithms for SSL sessions according to encryption strength. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-certificate * |
The name of the SSL certificate to use for SSL acceleration. |
string |
Maximum length: 35 |
|||||||||||||||||||||
ssl-client-fallback * |
Enable/disable support for preventing downgrade attacks on client connections (TLS Fallback Signaling Cipher Suite Value, RFC 7507). |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-client-rekey-count * |
Maximum length of data in MB before triggering a client rekey (0 = disable). |
integer |
Minimum value: 200 Maximum value: 1048576 |
|||||||||||||||||||||
ssl-client-renegotiation * |
Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-client-session-state-max * |
Maximum number of client to FortiGate SSL session states to keep. |
integer |
Minimum value: 1 Maximum value: 10000 |
|||||||||||||||||||||
ssl-client-session-state-timeout * |
Number of minutes to keep client to FortiGate SSL session state. |
integer |
Minimum value: 1 Maximum value: 14400 |
|||||||||||||||||||||
ssl-client-session-state-type * |
How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-dh-bits * |
Number of bits to use for the Diffie-Hellman key exchange in SSL sessions that use RSA authentication. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-hpkp * |
Enable/disable including HPKP header in response. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-hpkp-age * |
Number of minutes the web browser should keep HPKP. |
integer |
Minimum value: 60 Maximum value: 157680000 |
|||||||||||||||||||||
ssl-hpkp-backup * |
Certificate to generate backup HPKP pin from. |
string |
Maximum length: 79 |
|||||||||||||||||||||
ssl-hpkp-include-subdomains * |
Indicate that HPKP header applies to all subdomains. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-hpkp-primary * |
Certificate to generate primary HPKP pin from. |
string |
Maximum length: 79 |
|||||||||||||||||||||
ssl-hpkp-report-uri * |
URL to report HPKP violations to. |
var-string |
Maximum length: 255 |
|||||||||||||||||||||
ssl-hsts * |
Enable/disable including HSTS header in response. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-hsts-age * |
Number of seconds the client should honour the HSTS setting. |
integer |
Minimum value: 60 Maximum value: 157680000 |
|||||||||||||||||||||
ssl-hsts-include-subdomains * |
Indicate that HSTS header applies to all subdomains. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-http-location-conversion * |
Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-http-match-host * |
Enable/disable HTTP host matching for location conversion. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-max-version * |
Highest SSL/TLS version acceptable from a client. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-min-version * |
Lowest SSL/TLS version acceptable from a client. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-mode * |
Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-pfs * |
Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-send-empty-frags * |
Enable/disable sending empty fragments to mitigate CBC chained-IV attacks (SSL 3.0 and TLS 1.0 only). May need to be disabled for compatibility with older systems. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-server-algorithm * |
Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-server-max-version * |
Highest SSL/TLS version acceptable from a server. Defaults to the corresponding client-side setting. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-server-min-version * |
Lowest SSL/TLS version acceptable from a server. Defaults to the corresponding client-side setting. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
ssl-server-session-state-max * |
Maximum number of FortiGate to Server SSL session states to keep. |
integer |
Minimum value: 1 Maximum value: 10000 |
|||||||||||||||||||||
ssl-server-session-state-timeout * |
Number of minutes to keep FortiGate to Server SSL session state. |
integer |
Minimum value: 1 Maximum value: 14400 |
|||||||||||||||||||||
ssl-server-session-state-type * |
How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
type |
Configure a static NAT or server load balance VIP. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
uuid |
Universally Unique Identifier (UUID; automatically assigned but can be manually reset). |
uuid |
Not Specified |
|||||||||||||||||||||
weblogic-server |
Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. |
option |
- |
|||||||||||||||||||||
|
|
|||||||||||||||||||||||
websphere-server |
Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. |
option |
- |
|||||||||||||||||||||
|
|
* This parameter may not exist in some models.
config realservers
Parameter |
Description |
Type |
Size |
|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
id |
Real server ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||
ip |
IPv6 address of the real server. |
ipv6-address |
Not Specified |
|||||||||
port |
Port for communicating with the real server. Required if port forwarding is enabled. |
integer |
Minimum value: 1 Maximum value: 65535 |
|||||||||
status |
Set the status of the real server to active so that it accepts traffic, or to standby or disabled so that no traffic is sent to it. |
option |
- |
|||||||||
|
|
|||||||||||
weight |
Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. |
integer |
Minimum value: 1 Maximum value: 255 |
|||||||||
holddown-interval |
Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. |
integer |
Minimum value: 30 Maximum value: 65535 |
|||||||||
healthcheck |
Enable to check the responsiveness of the real server before forwarding traffic. |
option |
- |
|||||||||
|
|
|||||||||||
http-host |
HTTP server domain name in HTTP header. |
string |
Maximum length: 63 |
|||||||||
max-connections |
Maximum number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers. |
integer |
Minimum value: 0 Maximum value: 2147483647 |
|||||||||
monitor |
Name of the health check monitor to use when polling to determine a virtual server's connectivity status. |
string |
Maximum length: 79 |
|||||||||
client-ip |
Only clients in this IP range can connect to this real server. |
user |
Not Specified |
config ssl-cipher-suites
Parameter |
Description |
Type |
Size |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
priority |
SSL/TLS cipher suites priority. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
cipher |
Cipher suite name. |
option |
- |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
versions |
SSL/TLS versions that the cipher suite can be used with. |
option |
- |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
config ssl-server-cipher-suites
Parameter |
Description |
Type |
Size |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
priority |
SSL/TLS cipher suites priority. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
cipher |
Cipher suite name. |
option |
- |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
versions |
SSL/TLS versions that the cipher suite can be used with. |
option |
- |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|