Fortinet Document Library

CLI Reference

config firewall ssl-server

Configure SSL servers.

config firewall ssl-server
    Description: Configure SSL servers.
    edit <name>
        set ip {ipv4-address-any}
        set port {integer}
        set ssl-mode [half|full]
        set add-header-x-forwarded-proto [enable|disable]
        set mapped-port {integer}
        set ssl-cert {string}
        set ssl-dh-bits [768|1024|...]
        set ssl-algorithm [high|medium|...]
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-min-version [tls-1.0|tls-1.1|...]
        set ssl-max-version [tls-1.0|tls-1.1|...]
        set ssl-send-empty-frags [enable|disable]
        set url-rewrite [enable|disable]
    next
end

config firewall ssl-server parameters

Each parameter is listed with its description, type and size.

ip
    IPv4 address of the SSL server.
    Type: ipv4-address-any. Size: not specified.

port
    Server service port (1 - 65535, default = 443).
    Type: integer. Minimum value: 1. Maximum value: 65535.

ssl-mode
    SSL/TLS mode for encryption and decryption of traffic.
    Type: option.
    Options:
        half    Client to FortiGate SSL. The FortiGate terminates the client's TLS session and forwards the request to the server in cleartext on mapped-port. Use it only where the FortiGate-to-server path is trusted.
        full    Client to FortiGate and FortiGate to Server SSL. The FortiGate terminates the client's TLS session and opens a second TLS session to the server.

add-header-x-forwarded-proto
    Enable/disable adding an X-Forwarded-Proto header to forwarded requests, so the server can tell that the client connected over HTTPS. The server should accept this header only from the FortiGate; if the server is also reachable directly, a client can set the header itself.
    Type: option.
    Options:
        enable     Add X-Forwarded-Proto header.
        disable    Do not add X-Forwarded-Proto header.

mapped-port
    Port on the server that the FortiGate connects to (1 - 65535, default = 80).
    Type: integer. Minimum value: 1. Maximum value: 65535.

ssl-cert
    Name of the certificate presented for SSL connections to this server (default = "Fortinet_CA_SSL"). The default is the factory certificate; for a production service, select a certificate issued for the hostname that clients connect to.
    Type: string. Maximum length: 35.

ssl-dh-bits
    Bit-size of the Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048). Groups of 1024 bits or less are within reach of precomputation attacks on DHE (Logjam); keep the 2048 default.
    Type: option.
    Options:
        768     768-bit Diffie-Hellman prime.
        1024    1024-bit Diffie-Hellman prime.
        1536    1536-bit Diffie-Hellman prime.
        2048    2048-bit Diffie-Hellman prime.

ssl-algorithm
    Relative strength of the encryption algorithms accepted in negotiation. Only high excludes RC4 (biased keystream, prohibited by RFC 7465), 3DES (64-bit block, Sweet32) and DES (56-bit key).
    Type: option.
    Options:
        high      High encryption. Allow only AES and ChaCha.
        medium    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
        low       Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-client-renegotiation
    Allow or block client-initiated renegotiation. With allow, a client that does not signal RFC 5746 Secure Renegotiation can still renegotiate, which is the condition behind the TLS renegotiation plaintext-injection attack (CVE-2009-3555). deny is the strictest choice; secure permits renegotiation only from clients that support RFC 5746.
    Type: option.
    Options:
        allow     Allow an SSL client to renegotiate.
        deny      Abort any SSL connection that attempts to renegotiate.
        secure    Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.

ssl-min-version
    Lowest SSL/TLS version to negotiate. TLS 1.0 and TLS 1.1 are deprecated (RFC 8996); set tls-1.2 unless a legacy client population requires otherwise.
    Type: option.
    Options:
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.

ssl-max-version
    Highest SSL/TLS version to negotiate. Set it no lower than ssl-min-version.
    Type: option.
    Options:
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.

ssl-send-empty-frags
    Enable/disable sending an empty TLS record before each data record. This is the countermeasure for the predictable CBC IV in TLS 1.0 (the BEAST attack); it only matters when TLS 1.0 with a CBC cipher suite can be negotiated, and the option exists because some old client stacks mishandle empty fragments.
    Type: option.
    Options:
        enable     Send empty fragments.
        disable    Do not send empty fragments.

url-rewrite
    Enable/disable rewriting the URL of forwarded requests.
    Type: option.
    Options:
        enable     Enable setting.
        disable    Disable setting.
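The syntax block and the parameter table above, worked through as an added example that is not part of the Fortinet page: a Python script that parses the config firewall ssl-server block as the CLI prints it and flags the options this reference describes as weak (DH groups under 2048 bits, medium/low cipher strength, renegotiation set to allow, TLS 1.0/1.1 as the minimum). The two entries in SAMPLE_CONFIG are constructed, one deliberately weak and one hardened, and the severity levels are the editor's own policy, not Fortinet's.

```python
"""Audit 'config firewall ssl-server' entries in a FortiOS CLI dump for weak TLS settings.

Added example for this reference page, not Fortinet code. SAMPLE_CONFIG is constructed,
not captured from a device, and the severity thresholds are the author's own policy.
"""
import re

# Constructed sample: one entry using the weak options this page lists, one hardened entry.
# A plain `show` omits values at their defaults; run `show full-configuration` to print
# defaults explicitly before auditing a real device.
SAMPLE_CONFIG = """\
config firewall ssl-server
    edit "legacy-app"
        set ip 10.0.0.10
        set ssl-mode half
        set mapped-port 8080
        set ssl-cert "Fortinet_CA_SSL"
        set ssl-dh-bits 1024
        set ssl-algorithm medium
        set ssl-client-renegotiation allow
        set ssl-min-version tls-1.0
        set ssl-max-version tls-1.2
    next
    edit "hardened-app"
        set ip 10.0.0.20
        set ssl-mode full
        set add-header-x-forwarded-proto enable
        set mapped-port 443
        set ssl-cert "app-cert"
        set ssl-dh-bits 2048
        set ssl-algorithm high
        set ssl-client-renegotiation secure
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.2
        set ssl-send-empty-frags enable
    next
end
"""

_EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?$')
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')


def parse_ssl_servers(text):
    """Return {entry_name: {parameter: value}} for the firewall ssl-server block."""
    servers, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall ssl-server":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            break
        elif (m := _EDIT_RE.match(line)):
            current = m.group(1)
            servers[current] = {}
        elif line == "next":
            current = None
        elif current is not None and (m := _SET_RE.match(line)):
            servers[current][m.group(1)] = m.group(2).strip().strip('"')
    return servers


def audit(params):
    """Return a list of (severity, message) findings for one ssl-server entry."""
    findings = []
    dh = params.get("ssl-dh-bits")
    if dh is not None and int(dh) < 2048:
        findings.append(("high", f"ssl-dh-bits {dh}: DHE groups under 2048 bits are exposed "
                                 "to precomputation attacks (Logjam); set 2048"))
    alg = params.get("ssl-algorithm")
    if alg in ("medium", "low"):
        findings.append(("high", f"ssl-algorithm {alg}: admits RC4 and 3DES"
                                 + (" and DES" if alg == "low" else "") + "; set high"))
    if params.get("ssl-client-renegotiation") == "allow":
        findings.append(("high", "ssl-client-renegotiation allow: renegotiation accepted "
                                 "without the RFC 5746 indication; set secure or deny"))
    minv = params.get("ssl-min-version")
    if minv in ("tls-1.0", "tls-1.1"):
        findings.append(("high", f"ssl-min-version {minv}: TLS 1.0/1.1 are deprecated "
                                 "(RFC 8996); set tls-1.2"))
    if minv == "tls-1.0" and params.get("ssl-send-empty-frags") == "disable":
        findings.append(("medium", "ssl-send-empty-frags disable while TLS 1.0 is allowed: "
                                   "the CBC IV (BEAST) countermeasure is off"))
    if params.get("ssl-mode") == "half":
        findings.append(("info", "ssl-mode half: FortiGate-to-server leg is cleartext on "
                                 f"mapped-port {params.get('mapped-port', '80 (default)')}"))
    # The page documents Fortinet_CA_SSL as the default, so an absent ssl-cert means the default.
    if params.get("ssl-cert", "Fortinet_CA_SSL") == "Fortinet_CA_SSL":
        findings.append(("info", "ssl-cert is the factory default Fortinet_CA_SSL; confirm "
                                 "this is the certificate clients should be presented"))
    return findings


def audit_config(text):
    """Map every ssl-server entry name in a CLI dump to its findings."""
    return {name: audit(params) for name, params in parse_ssl_servers(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Feed the script the output of `show firewall ssl-server` (or, better, `show full-configuration firewall ssl-server`, which prints defaulted values too) instead of SAMPLE_CONFIG; the hardened entry corresponds to the recommended settings in the table and produces no findings.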