config firewall vip6
Description: Configure virtual IP for IPv6.
edit <name>
set id {integer}
set uuid {uuid}
set comment {var-string}
set type [static-nat|server-load-balance]
set src-filter <range1>, <range2>, ...
set extip {user}
set mappedip {user}
set arp-reply [disable|enable]
set portforward [disable|enable]
set protocol [tcp|udp|...]
set extport {user}
set mappedport {user}
set color {integer}
set ldb-method [static|round-robin|...]
set server-type [http|https|...]
set http-redirect [enable|disable]
set persistence [none|http-cookie|...]
config realservers
Description: Select the real servers that this server load balancing VIP will distribute traffic to.
edit <id>
set ip {ipv6-address}
set port {integer}
set status [active|standby|...]
set weight {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set http-host {string}
set max-connections {integer}
set monitor {string}
set client-ip {user}
next
end
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set http-multiplex [enable|disable]
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set outlook-web-access [disable|enable]
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
set ssl-mode [half|full]
set ssl-certificate {string}
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-pfs [require|deny|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-send-empty-frags [enable|disable]
set ssl-client-fallback [disable|enable]
set ssl-client-renegotiation [allow|deny|...]
set ssl-client-session-state-type [disable|time|...]
set ssl-client-session-state-timeout {integer}
set ssl-client-session-state-max {integer}
set ssl-client-rekey-count {integer}
set ssl-server-session-state-type [disable|time|...]
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-max {integer}
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-primary {string}
set ssl-hpkp-backup {string}
set ssl-hpkp-age {integer}
set ssl-hpkp-report-uri {var-string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set monitor <name1>, <name2>, ...
set max-embryonic-connections {integer}
next
end| Parameter Name | Description | Type | Size |
|---|---|---|---|
| id | Custom defined ID. | integer | Minimum value: 0 Maximum value: 65535 |
| uuid | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | uuid | Not Specified |
| comment | Comment. | var-string | Maximum length: 255 |
| type | Configure a static NAT or server load balance VIP. static-nat: Static NAT. server-load-balance: Server load balance. |
option | - |
src-filter <range> |
Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces. Source-filter range. |
string | Maximum length: 79 |
| extip | IP address or address range on the external interface that you want to map to an address or address range on the destination network. | user | Not Specified |
| mappedip | Mapped IP address range in the format startIP-endIP. | user | Not Specified |
| arp-reply | Enable to respond to ARP requests for this virtual IP address. Enabled by default. disable: Disable ARP reply. enable: Enable ARP reply. |
option | - |
| portforward | Enable port forwarding. disable: Disable port forward. enable: Enable/disable port forwarding. |
option | - |
| protocol | Protocol to use when forwarding packets. tcp: TCP. udp: UDP. sctp: SCTP. |
option | - |
| extport | Incoming port number range that you want to map to a port number range on the destination network. | user | Not Specified |
| mappedport | Port number range on the destination network to which the external port number range is mapped. | user | Not Specified |
| color | Color of icon on the GUI. | integer | Minimum value: 0 Maximum value: 32 |
| ldb-method | Method used to distribute sessions to real servers. static: Distribute sessions based on source IP. round-robin: Distribute sessions based round robin order. weighted: Distribute sessions based on weight. least-session: Sends new sessions to the server with the lowest session count. least-rtt: Distribute new sessions to the server with lowest Round-Trip-Time. first-alive: Distribute sessions to the first server that is alive. http-host: Distribute sessions to servers based on host field in HTTP header. |
option | - |
| server-type | Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). http: HTTP https: HTTPS imaps: IMAPS pop3s: POP3S smtps: SMTPS ssl: SSL tcp: TCP udp: UDP ip: IP |
option | - |
| http-redirect | Enable/disable redirection of HTTP to HTTPS enable: Enable redirection of HTTP to HTTPS. disable: Disable redirection of HTTP to HTTPS. |
option | - |
| persistence | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. none: None. http-cookie: HTTP cookie. ssl-session-id: SSL session ID. |
option | - |
| http-cookie-domain-from-host | Enable/disable use of HTTP cookie domain from host field in HTTP. disable: Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting). enable: Enable use of HTTP cookie domain from host field in HTTP. |
option | - |
| http-cookie-domain | Domain that HTTP cookie persistence should apply to. | string | Maximum length: 35 |
| http-cookie-path | Limit HTTP cookie persistence to the specified path. | string | Maximum length: 35 |
| http-cookie-generation | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. | integer | Minimum value: 0 Maximum value: 4294967295 |
| http-cookie-age | Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. | integer | Minimum value: 0 Maximum value: 525600 |
| http-cookie-share | Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. disable: Only allow HTTP cookie to match this virtual server. same-ip: Allow HTTP cookie to match any virtual server with same IP. |
option | - |
| https-cookie-secure | Enable/disable verification that inserted HTTPS cookies are secure. disable: Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection. enable: Mark inserted cookie as secure, cookie can only be used for HTTPS a connection. |
option | - |
| http-multiplex | Enable/disable HTTP multiplexing. enable: Enable HTTP session multiplexing. disable: Disable HTTP session multiplexing. |
option | - |
| http-ip-header | For HTTP multiplexing, enable to add the original client IP address in the XForwarded-For HTTP header. enable: Enable adding HTTP header. disable: Disable adding HTTP header. |
option | - |
| http-ip-header-name | For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. | string | Maximum length: 35 |
| outlook-web-access | Enable to add the Front-End-Https header for Microsoft Outlook Web Access. disable: Disable Outlook Web Access support. enable: Enable Outlook Web Access support. |
option | - |
| weblogic-server | Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. disable: Do not add HTTP header indicating SSL offload for WebLogic server. enable: Add HTTP header indicating SSL offload for WebLogic server. |
option | - |
| websphere-server | Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. disable: Do not add HTTP header indicating SSL offload for WebSphere server. enable: Add HTTP header indicating SSL offload for WebSphere server. |
option | - |
| ssl-mode | Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). half: Client to FortiGate SSL. full: Client to FortiGate and FortiGate to Server SSL. |
option | - |
| ssl-certificate | The name of the SSL certificate to use for SSL acceleration. | string | Maximum length: 35 |
| ssl-dh-bits | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. 768: 768-bit Diffie-Hellman prime. 1024: 1024-bit Diffie-Hellman prime. 1536: 1536-bit Diffie-Hellman prime. 2048: 2048-bit Diffie-Hellman prime. 3072: 3072-bit Diffie-Hellman prime. 4096: 4096-bit Diffie-Hellman prime. |
option | - |
| ssl-algorithm | Permitted encryption algorithms for SSL sessions according to encryption strength. high: Use AES or 3DES. medium: Use AES, 3DES, or RC4. low: Use AES, 3DES, RC4, or DES. custom: Use config ssl-cipher-suites to select the cipher suites that are allowed. |
option | - |
| ssl-server-algorithm | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. high: Use AES or 3DES. medium: Use AES, 3DES, or RC4. low: Use AES, 3DES, RC4, or DES. custom: Use config ssl-server-cipher-suites to select the cipher suites that are allowed. client: Use the same encryption algorithms for client and server sessions. |
option | - |
| ssl-pfs | Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. require: Allow only Diffie-Hellman cipher-suites, so PFS is applied. deny: Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied. allow: Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected. |
option | - |
| ssl-min-version | Lowest SSL/TLS version acceptable from a client. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. |
option | - |
| ssl-max-version | Highest SSL/TLS version acceptable from a client. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. |
option | - |
| ssl-server-min-version | Lowest SSL/TLS version acceptable from a server. Use the client setting by default. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. client: Use same value as client configuration. |
option | - |
| ssl-server-max-version | Highest SSL/TLS version acceptable from a server. Use the client setting by default. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. client: Use same value as client configuration. |
option | - |
| ssl-send-empty-frags | Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. enable: Send empty fragments. disable: Do not send empty fragments. |
option | - |
| ssl-client-fallback | Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). disable: Disable. enable: Enable. |
option | - |
| ssl-client-renegotiation | Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. allow: Allow a SSL client to renegotiate. deny: Abort any SSL connection that attempts to renegotiate. secure: Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication. |
option | - |
| ssl-client-session-state-type | How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. disable: Do not keep session states. time: Expire session states after this many minutes. count: Expire session states when this maximum is reached. both: Expire session states based on time or count, whichever occurs first. |
option | - |
| ssl-client-session-state-timeout | Number of minutes to keep client to FortiGate SSL session state. | integer | Minimum value: 1 Maximum value: 14400 |
| ssl-client-session-state-max | Maximum number of client to FortiGate SSL session states to keep. | integer | Minimum value: 1 Maximum value: 10000 |
| ssl-client-rekey-count | Maximum length of data in MB before triggering a client rekey (0 = disable). | integer | Minimum value: 200 Maximum value: 1048576 |
| ssl-server-session-state-type | How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. disable: Do not keep session states. time: Expire session states after this many minutes. count: Expire session states when this maximum is reached. both: Expire session states based on time or count, whichever occurs first. |
option | - |
| ssl-server-session-state-timeout | Number of minutes to keep FortiGate to Server SSL session state. | integer | Minimum value: 1 Maximum value: 14400 |
| ssl-server-session-state-max | Maximum number of FortiGate to Server SSL session states to keep. | integer | Minimum value: 1 Maximum value: 10000 |
| ssl-http-location-conversion | Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. enable: Enable HTTP location conversion. disable: Disable HTTP location conversion. |
option | - |
| ssl-http-match-host | Enable/disable HTTP host matching for location conversion. enable: Match HTTP host in response header. disable: Do not match HTTP host. |
option | - |
| ssl-hpkp | Enable/disable including HPKP header in response. disable: Do not add a HPKP header to each HTTP response. enable: Add a HPKP header to each a HTTP response. report-only: Add a HPKP Report-Only header to each HTTP response. |
option | - |
| ssl-hpkp-primary | Certificate to generate primary HPKP pin from. | string | Maximum length: 79 |
| ssl-hpkp-backup | Certificate to generate backup HPKP pin from. | string | Maximum length: 79 |
| ssl-hpkp-age | Number of minutes the web browser should keep HPKP. | integer | Minimum value: 60 Maximum value: 157680000 |
| ssl-hpkp-report-uri | URL to report HPKP violations to. | var-string | Maximum length: 255 |
| ssl-hpkp-include-subdomains | Indicate that HPKP header applies to all subdomains. disable: HPKP header does not apply to subdomains. enable: HPKP header applies to subdomains. |
option | - |
| ssl-hsts | Enable/disable including HSTS header in response. disable: Do not add a HSTS header to each a HTTP response. enable: Add a HSTS header to each HTTP response. |
option | - |
| ssl-hsts-age | Number of seconds the client should honour the HSTS setting. | integer | Minimum value: 60 Maximum value: 157680000 |
| ssl-hsts-include-subdomains | Indicate that HSTS header applies to all subdomains. disable: HSTS header does not apply to subdomains. enable: HSTS header applies to subdomains. |
option | - |
monitor <name> |
Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Health monitor name. |
string | Maximum length: 79 |
| max-embryonic-connections | Maximum number of incomplete connections. | integer | Minimum value: 0 Maximum value: 100000 |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ip | IPv6 address of the real server. | ipv6-address | Not Specified |
| port | Port for communicating with the real server. Required if port forwarding is enabled. | integer | Minimum value: 1 Maximum value: 65535 |
| status | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. active: Server status active. standby: Server status standby. disable: Server status disable. |
option | - |
| weight | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | integer | Minimum value: 1 Maximum value: 255 |
| holddown-interval | Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. | integer | Minimum value: 30 Maximum value: 65535 |
| healthcheck | Enable to check the responsiveness of the real server before forwarding traffic. disable: Disable per server health check. enable: Enable per server health check. vip: Use health check defined in VIP. |
option | - |
| http-host | HTTP server domain name in HTTP header. | string | Maximum length: 63 |
| max-connections | Max number of active connections that can directed to the real server. When reached, sessions are sent to other real servers. | integer | Minimum value: 0 Maximum value: 2147483647 |
| monitor | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. | string | Maximum length: 79 |
| client-ip | Only clients in this IP range can connect to this real server. | user | Not Specified |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| cipher | |||
| versions | SSL/TLS versions that the cipher suite can be used with. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. |
option | - |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| cipher | |||
| versions | SSL/TLS versions that the cipher suite can be used with. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. |
option | - |
config firewall vip6
Description: Configure virtual IP for IPv6.
edit <name>
set id {integer}
set uuid {uuid}
set comment {var-string}
set type [static-nat|server-load-balance]
set src-filter <range1>, <range2>, ...
set extip {user}
set mappedip {user}
set arp-reply [disable|enable]
set portforward [disable|enable]
set protocol [tcp|udp|...]
set extport {user}
set mappedport {user}
set color {integer}
set ldb-method [static|round-robin|...]
set server-type [http|https|...]
set http-redirect [enable|disable]
set persistence [none|http-cookie|...]
config realservers
Description: Select the real servers that this server load balancing VIP will distribute traffic to.
edit <id>
set ip {ipv6-address}
set port {integer}
set status [active|standby|...]
set weight {integer}
set holddown-interval {integer}
set healthcheck [disable|enable|...]
set http-host {string}
set max-connections {integer}
set monitor {string}
set client-ip {user}
next
end
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set http-multiplex [enable|disable]
set http-ip-header [enable|disable]
set http-ip-header-name {string}
set outlook-web-access [disable|enable]
set weblogic-server [disable|enable]
set websphere-server [disable|enable]
set ssl-mode [half|full]
set ssl-certificate {string}
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-server-algorithm [high|medium|...]
config ssl-server-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-pfs [require|deny|...]
set ssl-min-version [ssl-3.0|tls-1.0|...]
set ssl-max-version [ssl-3.0|tls-1.0|...]
set ssl-server-min-version [ssl-3.0|tls-1.0|...]
set ssl-server-max-version [ssl-3.0|tls-1.0|...]
set ssl-send-empty-frags [enable|disable]
set ssl-client-fallback [disable|enable]
set ssl-client-renegotiation [allow|deny|...]
set ssl-client-session-state-type [disable|time|...]
set ssl-client-session-state-timeout {integer}
set ssl-client-session-state-max {integer}
set ssl-client-rekey-count {integer}
set ssl-server-session-state-type [disable|time|...]
set ssl-server-session-state-timeout {integer}
set ssl-server-session-state-max {integer}
set ssl-http-location-conversion [enable|disable]
set ssl-http-match-host [enable|disable]
set ssl-hpkp [disable|enable|...]
set ssl-hpkp-primary {string}
set ssl-hpkp-backup {string}
set ssl-hpkp-age {integer}
set ssl-hpkp-report-uri {var-string}
set ssl-hpkp-include-subdomains [disable|enable]
set ssl-hsts [disable|enable]
set ssl-hsts-age {integer}
set ssl-hsts-include-subdomains [disable|enable]
set monitor <name1>, <name2>, ...
set max-embryonic-connections {integer}
next
end| Parameter Name | Description | Type | Size |
|---|---|---|---|
| id | Custom defined ID. | integer | Minimum value: 0 Maximum value: 65535 |
| uuid | Universally Unique Identifier (UUID; automatically assigned but can be manually reset). | uuid | Not Specified |
| comment | Comment. | var-string | Maximum length: 255 |
| type | Configure a static NAT or server load balance VIP. static-nat: Static NAT. server-load-balance: Server load balance. |
option | - |
src-filter <range> |
Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces. Source-filter range. |
string | Maximum length: 79 |
| extip | IP address or address range on the external interface that you want to map to an address or address range on the destination network. | user | Not Specified |
| mappedip | Mapped IP address range in the format startIP-endIP. | user | Not Specified |
| arp-reply | Enable to respond to ARP requests for this virtual IP address. Enabled by default. disable: Disable ARP reply. enable: Enable ARP reply. |
option | - |
| portforward | Enable port forwarding. disable: Disable port forward. enable: Enable/disable port forwarding. |
option | - |
| protocol | Protocol to use when forwarding packets. tcp: TCP. udp: UDP. sctp: SCTP. |
option | - |
| extport | Incoming port number range that you want to map to a port number range on the destination network. | user | Not Specified |
| mappedport | Port number range on the destination network to which the external port number range is mapped. | user | Not Specified |
| color | Color of icon on the GUI. | integer | Minimum value: 0 Maximum value: 32 |
| ldb-method | Method used to distribute sessions to real servers. static: Distribute sessions based on source IP. round-robin: Distribute sessions based round robin order. weighted: Distribute sessions based on weight. least-session: Sends new sessions to the server with the lowest session count. least-rtt: Distribute new sessions to the server with lowest Round-Trip-Time. first-alive: Distribute sessions to the first server that is alive. http-host: Distribute sessions to servers based on host field in HTTP header. |
option | - |
| server-type | Protocol to be load balanced by the virtual server (also called the server load balance virtual IP). http: HTTP https: HTTPS imaps: IMAPS pop3s: POP3S smtps: SMTPS ssl: SSL tcp: TCP udp: UDP ip: IP |
option | - |
| http-redirect | Enable/disable redirection of HTTP to HTTPS enable: Enable redirection of HTTP to HTTPS. disable: Disable redirection of HTTP to HTTPS. |
option | - |
| persistence | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. none: None. http-cookie: HTTP cookie. ssl-session-id: SSL session ID. |
option | - |
| http-cookie-domain-from-host | Enable/disable use of HTTP cookie domain from host field in HTTP. disable: Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting). enable: Enable use of HTTP cookie domain from host field in HTTP. |
option | - |
| http-cookie-domain | Domain that HTTP cookie persistence should apply to. | string | Maximum length: 35 |
| http-cookie-path | Limit HTTP cookie persistence to the specified path. | string | Maximum length: 35 |
| http-cookie-generation | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. | integer | Minimum value: 0 Maximum value: 4294967295 |
| http-cookie-age | Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit. | integer | Minimum value: 0 Maximum value: 525600 |
| http-cookie-share | Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. disable: Only allow HTTP cookie to match this virtual server. same-ip: Allow HTTP cookie to match any virtual server with same IP. |
option | - |
| https-cookie-secure | Enable/disable verification that inserted HTTPS cookies are secure. disable: Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection. enable: Mark inserted cookie as secure, cookie can only be used for HTTPS a connection. |
option | - |
| http-multiplex | Enable/disable HTTP multiplexing. enable: Enable HTTP session multiplexing. disable: Disable HTTP session multiplexing. |
option | - |
| http-ip-header | For HTTP multiplexing, enable to add the original client IP address in the XForwarded-For HTTP header. enable: Enable adding HTTP header. disable: Disable adding HTTP header. |
option | - |
| http-ip-header-name | For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used. | string | Maximum length: 35 |
| outlook-web-access | Enable to add the Front-End-Https header for Microsoft Outlook Web Access. disable: Disable Outlook Web Access support. enable: Enable Outlook Web Access support. |
option | - |
| weblogic-server | Enable to add an HTTP header to indicate SSL offloading for a WebLogic server. disable: Do not add HTTP header indicating SSL offload for WebLogic server. enable: Add HTTP header indicating SSL offload for WebLogic server. |
option | - |
| websphere-server | Enable to add an HTTP header to indicate SSL offloading for a WebSphere server. disable: Do not add HTTP header indicating SSL offload for WebSphere server. enable: Add HTTP header indicating SSL offload for WebSphere server. |
option | - |
| ssl-mode | Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full). half: Client to FortiGate SSL. full: Client to FortiGate and FortiGate to Server SSL. |
option | - |
| ssl-certificate | The name of the SSL certificate to use for SSL acceleration. | string | Maximum length: 35 |
| ssl-dh-bits | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. 768: 768-bit Diffie-Hellman prime. 1024: 1024-bit Diffie-Hellman prime. 1536: 1536-bit Diffie-Hellman prime. 2048: 2048-bit Diffie-Hellman prime. 3072: 3072-bit Diffie-Hellman prime. 4096: 4096-bit Diffie-Hellman prime. |
option | - |
| ssl-algorithm | Permitted encryption algorithms for SSL sessions according to encryption strength. high: Use AES or 3DES. medium: Use AES, 3DES, or RC4. low: Use AES, 3DES, RC4, or DES. custom: Use config ssl-cipher-suites to select the cipher suites that are allowed. |
option | - |
| ssl-server-algorithm | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. high: Use AES or 3DES. medium: Use AES, 3DES, or RC4. low: Use AES, 3DES, RC4, or DES. custom: Use config ssl-server-cipher-suites to select the cipher suites that are allowed. client: Use the same encryption algorithms for client and server sessions. |
option | - |
| ssl-pfs | Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions. require: Allow only Diffie-Hellman cipher-suites, so PFS is applied. deny: Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied. allow: Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected. |
option | - |
| ssl-min-version | Lowest SSL/TLS version acceptable from a client. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. |
option | - |
| ssl-max-version | Highest SSL/TLS version acceptable from a client. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. |
option | - |
| ssl-server-min-version | Lowest SSL/TLS version acceptable from a server. Use the client setting by default. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. client: Use same value as client configuration. |
option | - |
| ssl-server-max-version | Highest SSL/TLS version acceptable from a server. Use the client setting by default. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. client: Use same value as client configuration. |
option | - |
| ssl-send-empty-frags | Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems. enable: Send empty fragments. disable: Do not send empty fragments. |
option | - |
| ssl-client-fallback | Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507). disable: Disable. enable: Enable. |
option | - |
| ssl-client-renegotiation | Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746. allow: Allow a SSL client to renegotiate. deny: Abort any SSL connection that attempts to renegotiate. secure: Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication. |
option | - |
| ssl-client-session-state-type | How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate. disable: Do not keep session states. time: Expire session states after this many minutes. count: Expire session states when this maximum is reached. both: Expire session states based on time or count, whichever occurs first. |
option | - |
| ssl-client-session-state-timeout | Number of minutes to keep client to FortiGate SSL session state. | integer | Minimum value: 1 Maximum value: 14400 |
| ssl-client-session-state-max | Maximum number of client to FortiGate SSL session states to keep. | integer | Minimum value: 1 Maximum value: 10000 |
| ssl-client-rekey-count | Maximum length of data in MB before triggering a client rekey (0 = disable). | integer | Minimum value: 200 Maximum value: 1048576 |
| ssl-server-session-state-type | How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate. disable: Do not keep session states. time: Expire session states after this many minutes. count: Expire session states when this maximum is reached. both: Expire session states based on time or count, whichever occurs first. |
option | - |
| ssl-server-session-state-timeout | Number of minutes to keep FortiGate to Server SSL session state. | integer | Minimum value: 1 Maximum value: 14400 |
| ssl-server-session-state-max | Maximum number of FortiGate to Server SSL session states to keep. | integer | Minimum value: 1 Maximum value: 10000 |
| ssl-http-location-conversion | Enable to replace HTTP with HTTPS in the reply's Location HTTP header field. enable: Enable HTTP location conversion. disable: Disable HTTP location conversion. |
option | - |
| ssl-http-match-host | Enable/disable HTTP host matching for location conversion. enable: Match HTTP host in response header. disable: Do not match HTTP host. |
option | - |
| ssl-hpkp | Enable/disable including HPKP header in response. disable: Do not add a HPKP header to each HTTP response. enable: Add a HPKP header to each a HTTP response. report-only: Add a HPKP Report-Only header to each HTTP response. |
option | - |
| ssl-hpkp-primary | Certificate to generate primary HPKP pin from. | string | Maximum length: 79 |
| ssl-hpkp-backup | Certificate to generate backup HPKP pin from. | string | Maximum length: 79 |
| ssl-hpkp-age | Number of minutes the web browser should keep HPKP. | integer | Minimum value: 60 Maximum value: 157680000 |
| ssl-hpkp-report-uri | URL to report HPKP violations to. | var-string | Maximum length: 255 |
| ssl-hpkp-include-subdomains | Indicate that HPKP header applies to all subdomains. disable: HPKP header does not apply to subdomains. enable: HPKP header applies to subdomains. |
option | - |
| ssl-hsts | Enable/disable including HSTS header in response. disable: Do not add a HSTS header to each a HTTP response. enable: Add a HSTS header to each HTTP response. |
option | - |
| ssl-hsts-age | Number of seconds the client should honour the HSTS setting. | integer | Minimum value: 60 Maximum value: 157680000 |
| ssl-hsts-include-subdomains | Indicate that HSTS header applies to all subdomains. disable: HSTS header does not apply to subdomains. enable: HSTS header applies to subdomains. |
option | - |
monitor <name> |
Name of the health check monitor to use when polling to determine a virtual server's connectivity status. Health monitor name. |
string | Maximum length: 79 |
| max-embryonic-connections | Maximum number of incomplete connections. | integer | Minimum value: 0 Maximum value: 100000 |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| ip | IPv6 address of the real server. | ipv6-address | Not Specified |
| port | Port for communicating with the real server. Required if port forwarding is enabled. | integer | Minimum value: 1 Maximum value: 65535 |
| status | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. active: Server status active. standby: Server status standby. disable: Server status disable. |
option | - |
| weight | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | integer | Minimum value: 1 Maximum value: 255 |
| holddown-interval | Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active. | integer | Minimum value: 30 Maximum value: 65535 |
| healthcheck | Enable to check the responsiveness of the real server before forwarding traffic. disable: Disable per server health check. enable: Enable per server health check. vip: Use health check defined in VIP. |
option | - |
| http-host | HTTP server domain name in HTTP header. | string | Maximum length: 63 |
| max-connections | Max number of active connections that can directed to the real server. When reached, sessions are sent to other real servers. | integer | Minimum value: 0 Maximum value: 2147483647 |
| monitor | Name of the health check monitor to use when polling to determine a virtual server's connectivity status. | string | Maximum length: 79 |
| client-ip | Only clients in this IP range can connect to this real server. | user | Not Specified |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| cipher | |||
| versions | SSL/TLS versions that the cipher suite can be used with. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. |
option | - |
| Parameter Name | Description | Type | Size |
|---|---|---|---|
| cipher | |||
| versions | SSL/TLS versions that the cipher suite can be used with. ssl-3.0: SSL 3.0. tls-1.0: TLS 1.0. tls-1.1: TLS 1.1. tls-1.2: TLS 1.2. tls-1.3: TLS 1.3. |
option | - |