CLI Reference

firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

  config firewall ssl-ssh-profile
      Description: Configure SSL/SSH protocol options.
      edit <name>
          set comment {var-string}
          config ssl
              Description: Configure SSL options.
              set inspect-all [disable|certificate-inspection|...]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config https
              Description: Configure HTTPS options.
              set ports {integer}
              set status [disable|certificate-inspection|...]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ftps
              Description: Configure FTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config imaps
              Description: Configure IMAPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config pop3s
              Description: Configure POP3S options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config smtps
              Description: Configure SMTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ssh
              Description: Configure SSH options.
              set ports {integer}
              set status [disable|deep-inspection]
              set inspect-all [disable|deep-inspection]
              set unsupported-version [bypass|block]
              set ssh-tun-policy-check [disable|enable]
              set ssh-algorithm [compatible|high-encryption]
          end
          set whitelist [enable|disable]
          set block-blacklisted-certificates [disable|enable]
          config ssl-exempt
              Description: Servers to exempt from SSL inspection.
              edit <id>
                  set type [fortiguard-category|address|...]
                  set fortiguard-category {integer}
                  set address {string}
                  set address6 {string}
                  set wildcard-fqdn {string}
                  set regex {string}
              next
          end
          set server-cert-mode [re-sign|replace]
          set use-ssl-server [disable|enable]
          set caname {string}
          set untrusted-caname {string}
          set server-cert {string}
          config ssl-server
              Description: SSL servers.
              edit <id>
                  set ip {ipv4-address-any}
                  set https-client-cert-request [bypass|inspect|...]
                  set smtps-client-cert-request [bypass|inspect|...]
                  set pop3s-client-cert-request [bypass|inspect|...]
                  set imaps-client-cert-request [bypass|inspect|...]
                  set ftps-client-cert-request [bypass|inspect|...]
                  set ssl-other-client-cert-request [bypass|inspect|...]
              next
          end
          set ssl-anomalies-log [disable|enable]
          set ssl-exemptions-log [disable|enable]
          set rpc-over-https [enable|disable]
          set mapi-over-https [enable|disable]
      next
  end

config firewall ssl-ssh-profile

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| comment | Optional comments. | var-string | Maximum length: 255 |
| whitelist | Enable/disable exempting servers by FortiGuard whitelist. enable: Enable setting. disable: Disable setting. | option | - |
| block-blacklisted-certificates | Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. disable: Disable FortiGuard certificate blacklist. enable: Enable FortiGuard certificate blacklist. | option | - |
| server-cert-mode | Re-sign or replace the server's certificate. re-sign: Multiple clients connecting to multiple servers. replace: Protect an SSL server. | option | - |
| use-ssl-server | Enable/disable the use of SSL server table for SSL offloading. disable: Don't use SSL server configuration. enable: Use SSL server configuration. | option | - |
| caname | CA certificate used by SSL Inspection. | string | Maximum length: 35 |
| untrusted-caname | Untrusted CA certificate used by SSL Inspection. | string | Maximum length: 35 |
| server-cert | Certificate used by SSL Inspection to replace server certificate. | string | Maximum length: 35 |
| ssl-anomalies-log | Enable/disable logging SSL anomalies. disable: Disable logging SSL anomalies. enable: Enable logging SSL anomalies. | option | - |
| ssl-exemptions-log | Enable/disable logging SSL exemptions. disable: Disable logging SSL exemptions. enable: Enable logging SSL exemptions. | option | - |
| rpc-over-https | Enable/disable inspection of RPC over HTTPS. enable: Enable inspection of RPC over HTTPS. disable: Disable inspection of RPC over HTTPS. | option | - |
| mapi-over-https | Enable/disable inspection of MAPI over HTTPS. enable: Enable inspection of MAPI over HTTPS. disable: Disable inspection of MAPI over HTTPS. | option | - |

config ssl

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| inspect-all | Level of SSL inspection. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config https

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
| status | Configure protocol inspection status. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config ftps

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
| status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config imaps

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
| status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config pop3s

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
| status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config smtps

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
| status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config ssh

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
| status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
| inspect-all | Level of SSL inspection. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
| unsupported-version | Action based on SSH version being unsupported. bypass: Bypass the session. block: Block the session. | option | - |
| ssh-tun-policy-check | Enable/disable SSH tunnel policy check. disable: Disable SSH tunnel policy check. enable: Enable SSH tunnel policy check. | option | - |
| ssh-algorithm | Relative strength of encryption algorithms accepted during negotiation. compatible: Allow a broader set of encryption algorithms for best compatibility. high-encryption: Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms. | option | - |

config ssl-exempt

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| type | Type of address object (IPv4 or IPv6) or FortiGuard category. fortiguard-category: FortiGuard category. address: Firewall IPv4 address. address6: Firewall IPv6 address. wildcard-fqdn: Fully Qualified Domain Name with wildcard characters. regex: Regular expression FQDN. | option | - |
| fortiguard-category | FortiGuard category ID. | integer | Minimum value: 0 Maximum value: 255 |
| address | IPv4 address object. | string | Maximum length: 79 |
| address6 | IPv6 address object. | string | Maximum length: 79 |
| wildcard-fqdn | Exempt servers by wildcard FQDN. | string | Maximum length: 79 |
| regex | Exempt servers by regular expression. | string | Maximum length: 255 |

config ssl-server

| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ip | IPv4 address of the SSL server. | ipv4-address-any | Not Specified |
| https-client-cert-request | Action based on client certificate request during the HTTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| smtps-client-cert-request | Action based on client certificate request during the SMTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| pop3s-client-cert-request | Action based on client certificate request during the POP3S handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| imaps-client-cert-request | Action based on client certificate request during the IMAPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| ftps-client-cert-request | Action based on client certificate request during the FTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
| ssl-other-client-cert-request | Action based on client certificate request during an SSL protocol handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
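
As an added example (not part of the Fortinet reference): a small Python auditor that parses the nested `config`/`edit`/`set`/`next`/`end` syntax shown above and reports option values that, by their descriptions on this page, accept or pass a session without the corresponding check. The profile name, the sample configuration and the choice of which values to flag are assumptions of this example.

```python
import shlex

# Constructed sample (not from a real device); option names and values are
# the ones listed in the reference tables above. Profile name is made up.
SAMPLE_CONFIG = '''
config firewall ssl-ssh-profile
    edit "lab-inspection"
        config https
            set ports 443
            set status deep-inspection
            set untrusted-server-cert ignore
            set invalid-server-cert allow
            set sni-server-cert-check disable
        end
        config smtps
            set status deep-inspection
            set unsupported-ssl bypass
            set invalid-server-cert block
        end
        config ssh
            set status deep-inspection
            set ssh-algorithm compatible
        end
        config ssl-exempt
            edit 1
                set type regex
                set regex ".*"
            next
        end
        set ssl-exemptions-log disable
    next
end
'''

# Assumed review policy of this example (not a Fortinet recommendation):
# (option, value) pairs that accept or pass traffic without the check.
WEAK = {
    ("untrusted-server-cert", "ignore"): "server certificate always taken as trusted",
    ("untrusted-server-cert", "allow"): "untrusted server certificate allowed",
    ("invalid-server-cert", "allow"): "invalid server certificate allowed",
    ("unsupported-ssl", "bypass"): "unsupported SSL sessions bypass inspection",
    ("sni-server-cert-check", "disable"): "SNI not checked against CN/SAN",
    ("unsupported-version", "bypass"): "unsupported SSH versions bypass inspection",
    ("ssh-algorithm", "compatible"): "broader set of SSH algorithms accepted",
    ("block-blacklisted-certificates", "disable"): "certificate blacklist off",
    ("ssl-anomalies-log", "disable"): "SSL anomalies not logged",
    ("ssl-exemptions-log", "disable"): "SSL exemptions not logged",
}
CLOSES = {"next": "edit", "end": "config"}  # opener each closing keyword must match


def parse(text):
    """Return (path, option, value) for every `set` line, tracking config/edit nesting."""
    stack, settings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw)  # handles quoted names and values
        if not tokens:
            continue
        word, args = tokens[0], tokens[1:]
        if word in ("config", "edit"):
            stack.append((word, " ".join(args)))
        elif word in CLOSES:
            if not stack or stack[-1][0] != CLOSES[word]:
                raise ValueError(f"line {lineno}: unexpected '{word}'")
            stack.pop()
        elif word == "set" and args:
            path = tuple(name for _, name in stack)
            settings.append((path, args[0], " ".join(args[1:])))
    if stack:
        raise ValueError("unterminated block: " + stack[-1][1])
    return settings


def audit(text):
    """List (profile, section, option, value, reason) for each explicitly set weak value."""
    findings = []
    for path, key, value in parse(text):
        in_profile = len(path) >= 2 and path[0] == "firewall ssl-ssh-profile"
        if in_profile and (key, value) in WEAK:
            section = "/".join(path[2:]) or "(profile)"
            findings.append((path[1], section, key, value, WEAK[(key, value)]))
    return findings


def exemptions(text):
    """Collect ssl-exempt entries per profile so each inspection carve-out can be reviewed."""
    found = {}
    for path, key, value in parse(text):
        if len(path) == 4 and path[0] == "firewall ssl-ssh-profile" and path[2] == "ssl-exempt":
            found.setdefault((path[1], path[3]), {})[key] = value
    return found


if __name__ == "__main__":
    for profile, section, key, value, why in audit(SAMPLE_CONFIG):
        print(f"{profile} [{section}] {key}={value}: {why}")
    print("exemptions to review:", exemptions(SAMPLE_CONFIG))
```

Only values that appear explicitly in the configuration text are evaluated; options left at their defaults are not reported.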

Configure SSL/SSH protocol options.

  config firewall ssl-ssh-profile
      Description: Configure SSL/SSH protocol options.
      edit <name>
          set comment {var-string}
          config ssl
              Description: Configure SSL options.
              set inspect-all [disable|certificate-inspection|...]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config https
              Description: Configure HTTPS options.
              set ports {integer}
              set status [disable|certificate-inspection|...]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ftps
              Description: Configure FTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config imaps
              Description: Configure IMAPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config pop3s
              Description: Configure POP3S options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config smtps
              Description: Configure SMTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-cert-request [bypass|inspect|...]
              set unsupported-ssl [bypass|inspect|...]
              set invalid-server-cert [allow|block]
              set untrusted-server-cert [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ssh
              Description: Configure SSH options.
              set ports {integer}
              set status [disable|deep-inspection]
              set inspect-all [disable|deep-inspection]
              set unsupported-version [bypass|block]
              set ssh-tun-policy-check [disable|enable]
              set ssh-algorithm [compatible|high-encryption]
          end
          set whitelist [enable|disable]
          set block-blacklisted-certificates [disable|enable]
          config ssl-exempt
              Description: Servers to exempt from SSL inspection.
              edit <id>
                  set type [fortiguard-category|address|...]
                  set fortiguard-category {integer}
                  set address {string}
                  set address6 {string}
                  set wildcard-fqdn {string}
                  set regex {string}
              next
          end
          set server-cert-mode [re-sign|replace]
          set use-ssl-server [disable|enable]
          set caname {string}
          set untrusted-caname {string}
          set server-cert {string}
          config ssl-server
              Description: SSL servers.
              edit <id>
                  set ip {ipv4-address-any}
                  set https-client-cert-request [bypass|inspect|...]
                  set smtps-client-cert-request [bypass|inspect|...]
                  set pop3s-client-cert-request [bypass|inspect|...]
                  set imaps-client-cert-request [bypass|inspect|...]
                  set ftps-client-cert-request [bypass|inspect|...]
                  set ssl-other-client-cert-request [bypass|inspect|...]
              next
          end
          set ssl-anomalies-log [disable|enable]
          set ssl-exemptions-log [disable|enable]
          set rpc-over-https [enable|disable]
          set mapi-over-https [enable|disable]
      next
  end

config firewall ssl-ssh-profile

Parameter Name Description Type Size
comment Optional comments. var-string Maximum length: 255
whitelist Enable/disable exempting servers by FortiGuard whitelist.
enable: Enable setting.
disable: Disable setting.
option -
block-blacklisted-certificates Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist.
disable: Disable FortiGuard certificate blacklist.
enable: Enable FortiGuard certificate blacklist.
option -
server-cert-mode Re-sign or replace the server's certificate.
re-sign: Multiple clients connecting to multiple servers.
replace: Protect an SSL server.
option -
use-ssl-server Enable/disable the use of SSL server table for SSL offloading.
disable: Don't use SSL server configuration.
enable: Use SSL server configuration.
option -
caname CA certificate used by SSL Inspection. string Maximum length: 35
untrusted-caname Untrusted CA certificate used by SSL Inspection. string Maximum length: 35
server-cert Certificate used by SSL Inspection to replace server certificate. string Maximum length: 35
ssl-anomalies-log Enable/disable logging SSL anomalies.
disable: Disable logging SSL anomalies.
enable: Enable logging SSL anomalies.
option -
ssl-exemptions-log Enable/disable logging SSL exemptions.
disable: Disable logging SSL exemptions.
enable: Enable logging SSL exemptions.
option -
rpc-over-https Enable/disable inspection of RPC over HTTPS.
enable: Enable inspection of RPC over HTTPS.
disable: Disable inspection of RPC over HTTPS.
option -
mapi-over-https Enable/disable inspection of MAPI over HTTPS.
enable: Enable inspection of MAPI over HTTPS.
disable: Disable inspection of MAPI over HTTPS.
option -

config ssl

Parameter Name Description Type Size
inspect-all Level of SSL inspection.
disable: Disable.
certificate-inspection: Inspect SSL handshake only.
deep-inspection: Full SSL inspection.
option -
client-cert-request Action based on client certificate request.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl Action based on the SSL encryption used being unsupported.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
invalid-server-cert Allow or block the invalid SSL session server certificate.
allow: Allow the invalid server certificate.
block: Block the connection when an invalid server certificate is detected.
option -
untrusted-server-cert Allow, ignore, or block the untrusted SSL session server certificate.
allow: Allow the untrusted server certificate.
block: Block the connection when an untrusted server certificate is detected.
ignore: Always take the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config https

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
certificate-inspection: Inspect SSL handshake only.
deep-inspection: Full SSL inspection.
option -
client-cert-request Action based on client certificate request.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl Action based on the SSL encryption used being unsupported.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
invalid-server-cert Allow or block the invalid SSL session server certificate.
allow: Allow the invalid server certificate.
block: Block the connection when an invalid server certificate is detected.
option -
untrusted-server-cert Allow, ignore, or block the untrusted SSL session server certificate.
allow: Allow the untrusted server certificate.
block: Block the connection when an untrusted server certificate is detected.
ignore: Always take the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config ftps

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
client-cert-request Action based on client certificate request.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl Action based on the SSL encryption used being unsupported.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
invalid-server-cert Allow or block the invalid SSL session server certificate.
allow: Allow the invalid server certificate.
block: Block the connection when an invalid server certificate is detected.
option -
untrusted-server-cert Allow, ignore, or block the untrusted SSL session server certificate.
allow: Allow the untrusted server certificate.
block: Block the connection when an untrusted server certificate is detected.
ignore: Always take the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config imaps

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1<br>Maximum value: 65535 |
| status | Configure protocol inspection status.<br>disable: Disable.<br>deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate.<br>allow: Allow the invalid server certificate.<br>block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate.<br>allow: Allow the untrusted server certificate.<br>block: Block the connection when an untrusted server certificate is detected.<br>ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.<br>enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.<br>strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.<br>disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config pop3s

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1<br>Maximum value: 65535 |
| status | Configure protocol inspection status.<br>disable: Disable.<br>deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate.<br>allow: Allow the invalid server certificate.<br>block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate.<br>allow: Allow the untrusted server certificate.<br>block: Block the connection when an untrusted server certificate is detected.<br>ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.<br>enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.<br>strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.<br>disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config smtps

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1<br>Maximum value: 65535 |
| status | Configure protocol inspection status.<br>disable: Disable.<br>deep-inspection: Full SSL inspection. | option | - |
| client-cert-request | Action based on client certificate request.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| unsupported-ssl | Action based on the SSL encryption used being unsupported.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| invalid-server-cert | Allow or block the invalid SSL session server certificate.<br>allow: Allow the invalid server certificate.<br>block: Block the connection when an invalid server certificate is detected. | option | - |
| untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate.<br>allow: Allow the untrusted server certificate.<br>block: Block the connection when an untrusted server certificate is detected.<br>ignore: Always take the server certificate as trusted. | option | - |
| sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.<br>enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.<br>strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.<br>disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |

config ssh

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1<br>Maximum value: 65535 |
| status | Configure protocol inspection status.<br>disable: Disable.<br>deep-inspection: Full SSL inspection. | option | - |
| inspect-all | Level of SSL inspection.<br>disable: Disable.<br>deep-inspection: Full SSL inspection. | option | - |
| unsupported-version | Action based on SSH version being unsupported.<br>bypass: Bypass the session.<br>block: Block the session. | option | - |
| ssh-tun-policy-check | Enable/disable SSH tunnel policy check.<br>disable: Disable SSH tunnel policy check.<br>enable: Enable SSH tunnel policy check. | option | - |
| ssh-algorithm | Relative strength of encryption algorithms accepted during negotiation.<br>compatible: Allow a broader set of encryption algorithms for best compatibility.<br>high-encryption: Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms. | option | - |
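
The per-protocol options above decide what happens when certificate validation or negotiation fails, so a review of an exported profile usually starts by listing where they are set to their most permissive value. The following Python check is an added example, not Fortinet code: the choice of which values to flag is this example's own baseline, and the sample configuration is constructed.

```python
# Values this example treats as permissive. The baseline is an assumption
# made for illustration, not vendor guidance; tune it to local policy.
PERMISSIVE = {
    "invalid-server-cert": {"allow"},
    "untrusted-server-cert": {"allow", "ignore"},
    "sni-server-cert-check": {"disable"},
    "unsupported-ssl": {"bypass"},
    "unsupported-version": {"bypass"},
    "ssh-algorithm": {"compatible"},
}

# Constructed sample input, not taken from a real device.
SAMPLE = '''
config firewall ssl-ssh-profile
    edit "mail-inspect"
        config imaps
            set status deep-inspection
            set untrusted-server-cert ignore
            set sni-server-cert-check strict
        end
        config smtps
            set invalid-server-cert allow
            set untrusted-server-cert block
        end
        config ssh
            set ssh-algorithm compatible
        end
    next
end
'''

def audit(config_text):
    """Return (profile, section, option, value) for each permissive setting."""
    findings, profile, stack = [], None, []
    for line in config_text.splitlines():
        tok = line.split(None, 2)
        if not tok:
            continue
        rest = " ".join(tok[1:])
        if tok[0] == "config":
            stack.append(rest)              # enter a config block
        elif tok[0] == "end" and stack:
            stack.pop()                     # leave the innermost block
            profile = profile if stack else None
        elif tok[0] == "edit" and stack == ["firewall ssl-ssh-profile"]:
            profile = rest.strip('"')       # profile name, not nested entries
        elif tok[0] == "set" and len(tok) == 3 and profile and len(stack) > 1:
            if tok[2] in PERMISSIVE.get(tok[1], ()):
                findings.append((profile, stack[-1], tok[1], tok[2]))
    return findings
```

Each finding names the profile and the protocol section, so the same option can be judged separately for `imaps`, `pop3s`, `smtps` and the other sections.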

config ssl-exempt

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| type | Type of address object (IPv4 or IPv6) or FortiGuard category.<br>fortiguard-category: FortiGuard category.<br>address: Firewall IPv4 address.<br>address6: Firewall IPv6 address.<br>wildcard-fqdn: Fully Qualified Domain Name with wildcard characters.<br>regex: Regular expression FQDN. | option | - |
| fortiguard-category | FortiGuard category ID. | integer | Minimum value: 0<br>Maximum value: 255 |
| address | IPv4 address object. | string | Maximum length: 79 |
| address6 | IPv6 address object. | string | Maximum length: 79 |
| wildcard-fqdn | Exempt servers by wildcard FQDN. | string | Maximum length: 79 |
| regex | Exempt servers by regular expression. | string | Maximum length: 255 |

config ssl-server

| Parameter Name | Description | Type | Size |
| --- | --- | --- | --- |
| ip | IPv4 address of the SSL server. | ipv4-address-any | Not Specified |
| https-client-cert-request | Action based on client certificate request during the HTTPS handshake.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| smtps-client-cert-request | Action based on client certificate request during the SMTPS handshake.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| pop3s-client-cert-request | Action based on client certificate request during the POP3S handshake.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| imaps-client-cert-request | Action based on client certificate request during the IMAPS handshake.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| ftps-client-cert-request | Action based on client certificate request during the FTPS handshake.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |
| ssl-other-client-cert-request | Action based on client certificate request during an SSL protocol handshake.<br>bypass: Bypass the session.<br>inspect: Inspect the session.<br>block: Block the session. | option | - |