config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile

Description: Configure SSL/SSH protocol options.

edit <name>

set comment {var-string}

config ssl

Description: Configure SSL options.

set inspect-all [disable|certificate-inspection|...]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config https

Description: Configure HTTPS options.

set ports {integer}

set status [disable|certificate-inspection|...]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config ftps

Description: Configure FTPS options.

set ports {integer}

set status [disable|deep-inspection]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config imaps

Description: Configure IMAPS options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config pop3s

Description: Configure POP3S options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config smtps

Description: Configure SMTPS options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config ssh

Description: Configure SSH options.

set ports {integer}

set status [disable|deep-inspection]

set inspect-all [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set unsupported-version [bypass|block]

set ssh-tun-policy-check [disable|enable]

set ssh-algorithm [compatible|high-encryption]

end

set whitelist [enable|disable]

set block-blacklisted-certificates [disable|enable]

config ssl-exempt

Description: Servers to exempt from SSL inspection.

edit <id>

set type [fortiguard-category|address|...]

set fortiguard-category {integer}

set address {string}

set address6 {string}

set wildcard-fqdn {string}

set regex {string}

next

end

set server-cert-mode [re-sign|replace]

set use-ssl-server [disable|enable]

set caname {string}

set untrusted-caname {string}

set server-cert {string}

config ssl-server

Description: SSL server settings used for client certificate request.

edit <id>

set ip {ipv4-address-any}

set https-client-certificate [bypass|inspect|...]

set smtps-client-certificate [bypass|inspect|...]

set pop3s-client-certificate [bypass|inspect|...]

set imaps-client-certificate [bypass|inspect|...]

set ftps-client-certificate [bypass|inspect|...]

set ssl-other-client-certificate [bypass|inspect|...]

next

end

set ssl-anomalies-log [disable|enable]

set ssl-exemptions-log [disable|enable]

set ssl-negotiation-log [disable|enable]

set rpc-over-https [enable|disable]

set mapi-over-https [enable|disable]

next

end

config firewall ssl-ssh-profile

Parameter	Description	Type	Size	Default
comment	Optional comments.	var-string	Not Specified
whitelist	Enable/disable exempting servers by FortiGuard whitelist.	option	-	disable
	Option Description enable Enable setting. disable Disable setting.
block-blacklisted-certificates	Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist.	option	-	enable
	Option Description disable Disable FortiGuard certificate blacklist. enable Enable FortiGuard certificate blacklist.
server-cert-mode	Re-sign or replace the server's certificate.	option	-	re-sign
	Option Description re-sign Multiple clients connecting to multiple servers. replace Protect an SSL server.
use-ssl-server	Enable/disable the use of SSL server table for SSL offloading.	option	-	disable
	Option Description disable Don't use SSL server configuration. enable Use SSL server configuration.
caname	CA certificate used by SSL Inspection.	string	Not Specified	Fortinet_CA_SSL
untrusted-caname	Untrusted CA certificate used by SSL Inspection.	string	Not Specified	Fortinet_CA_Untrusted
server-cert	Certificate used by SSL Inspection to replace server certificate.	string	Not Specified	Fortinet_SSL
ssl-anomalies-log	Enable/disable logging SSL anomalies.	option	-	enable
	Option Description disable Disable logging SSL anomalies. enable Enable logging SSL anomalies.
ssl-exemptions-log	Enable/disable logging SSL exemptions.	option	-	disable
	Option Description disable Disable logging SSL exemptions. enable Enable logging SSL exemptions.
ssl-negotiation-log	Enable/disable logging SSL negotiation.	option	-	disable
	Option Description disable Disable logging SSL negotiation. enable Enable logging SSL negotiation.
rpc-over-https	Enable/disable inspection of RPC over HTTPS.	option	-	disable
	Option Description enable Enable inspection of RPC over HTTPS. disable Disable inspection of RPC over HTTPS.
mapi-over-https	Enable/disable inspection of MAPI over HTTPS.	option	-	disable
	Option Description enable Enable inspection of MAPI over HTTPS. disable Disable inspection of MAPI over HTTPS.

config ssl

Parameter	Description	Type	Size	Default
inspect-all	Level of SSL inspection.	option	-	disable
	Option Description disable Disable. certificate-inspection Inspect SSL handshake only. deep-inspection Full SSL inspection.
client-certificate	Action based on received client certificate.	option	-	bypass
	Option Description bypass Bypass the session. inspect Inspect the session. block Block the session.
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported.	option	-	allow
	Option Description allow Bypass the session when the cipher is not supported. block Block the session when the cipher is not supported.
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported.	option	-	allow
	Option Description allow Bypass the session when the negotiation is not supported. block Block the session when the negotiation is not supported.
expired-server-cert	Action based on server certificate is expired.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
revoked-server-cert	Action based on server certificate is revoked.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA.	option	-	allow
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
cert-validation-timeout	Action based on certificate validation timeout.	option	-	allow
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
cert-validation-failure	Action based on certificate validation failure.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-	enable
	Option Description enable Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config https

Parameter	Description	Type	Size	Default
ports	Ports to use for scanning .	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status.	option	-	deep-inspection
	Option Description disable Disable. certificate-inspection Inspect SSL handshake only. deep-inspection Full SSL inspection.
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before).	option	-	disable
	Option Description enable Enable setting. disable Disable setting.
client-certificate	Action based on received client certificate.	option	-	bypass
	Option Description bypass Bypass the session. inspect Inspect the session. block Block the session.
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported.	option	-	allow
	Option Description allow Bypass the session when the cipher is not supported. block Block the session when the cipher is not supported.
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported.	option	-	allow
	Option Description allow Bypass the session when the negotiation is not supported. block Block the session when the negotiation is not supported.
expired-server-cert	Action based on server certificate is expired.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
revoked-server-cert	Action based on server certificate is revoked.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA.	option	-	allow
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
cert-validation-timeout	Action based on certificate validation timeout.	option	-	allow
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
cert-validation-failure	Action based on certificate validation failure.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-	enable
	Option Description enable Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ftps

Parameter	Description	Type	Size	Default
ports	Ports to use for scanning .	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status.	option	-	deep-inspection
	Option Description disable Disable. deep-inspection Full SSL inspection.
client-certificate	Action based on received client certificate.	option	-	bypass
	Option Description bypass Bypass the session. inspect Inspect the session. block Block the session.
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported.	option	-	allow
	Option Description allow Bypass the session when the cipher is not supported. block Block the session when the cipher is not supported.
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported.	option	-	allow
	Option Description allow Bypass the session when the negotiation is not supported. block Block the session when the negotiation is not supported.
expired-server-cert	Action based on server certificate is expired.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
revoked-server-cert	Action based on server certificate is revoked.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA.	option	-	allow
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
cert-validation-timeout	Action based on certificate validation timeout.	option	-	allow
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.
cert-validation-failure	Action based on certificate validation failure.	option	-	block
	Option Description allow Allow the server certificate. block Block the session. ignore Re-sign the server certificate as trusted.