

config firewall ssl-ssh-profile

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
    Description: Configure SSL/SSH protocol options.
    edit <name>
        set block-blacklisted-certificates [disable|enable]
        set caname {string}
        set comment {var-string}
        config ftps
            Description: Configure FTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config https
            Description: Configure HTTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|certificate-inspection|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set mapi-over-https [enable|disable]
        config pop3s
            Description: Configure POP3S options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set rpc-over-https [enable|disable]
        set server-cert {string}
        set server-cert-mode [re-sign|replace]
        config smtps
            Description: Configure SMTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config ssh
            Description: Configure SSH options.
            set inspect-all [disable|deep-inspection]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set ssh-algorithm [compatible|high-encryption]
            set ssh-tun-policy-check [disable|enable]
            set status [disable|deep-inspection]
            set unsupported-version [bypass|block]
        end
        config ssl
            Description: Configure SSL options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set inspect-all [disable|certificate-inspection|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set ssl-anomalies-log [disable|enable]
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set address {string}
                set address6 {string}
                set fortiguard-category {integer}
                set regex {string}
                set type [fortiguard-category|address|...]
                set wildcard-fqdn {string}
            next
        end
        set ssl-exemptions-log [disable|enable]
        set ssl-negotiation-log [disable|enable]
        config ssl-server
            Description: SSL server settings used for client certificate request.
            edit <id>
                set ftps-client-certificate [bypass|inspect|...]
                set https-client-certificate [bypass|inspect|...]
                set imaps-client-certificate [bypass|inspect|...]
                set ip {ipv4-address-any}
                set pop3s-client-certificate [bypass|inspect|...]
                set smtps-client-certificate [bypass|inspect|...]
                set ssl-other-client-certificate [bypass|inspect|...]
            next
        end
        set untrusted-caname {string}
        set use-ssl-server [disable|enable]
        set whitelist [enable|disable]
    next
end

config firewall ssl-ssh-profile

Parameter

Description

Type

Size

Default

block-blacklisted-certificates

Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist.

option

-

enable

Option

Description

disable

Disable FortiGuard certificate blacklist.

enable

Enable FortiGuard certificate blacklist.

caname

CA certificate used by SSL inspection to re-sign server certificates in `re-sign` mode. Clients must trust this CA (default Fortinet_CA_SSL) or every re-signed certificate will produce a warning; its private key therefore needs the same protection as any internal CA key.

string

Maximum length: 35

Fortinet_CA_SSL

comment

Optional comments.

var-string

Maximum length: 255

mapi-over-https

Enable/disable inspection of MAPI over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of MAPI over HTTPS.

disable

Disable inspection of MAPI over HTTPS.

name

Name.

string

Maximum length: 35

rpc-over-https

Enable/disable inspection of RPC over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTPS.

disable

Disable inspection of RPC over HTTPS.

server-cert

Server certificate (with private key) that the FortiGate presents to clients in place of the real server's certificate when server-cert-mode is `replace`. It should be issued for the name of the protected server so that clients validate it.

string

Maximum length: 35

Fortinet_SSL

server-cert-mode

Re-sign or replace the server's certificate.

option

-

re-sign

Option

Description

re-sign

Outbound (forward) inspection of many servers: each server's certificate is re-signed on the fly with the `caname` CA, so clients must trust that CA.

replace

Inbound protection of a specific SSL server you operate: the FortiGate presents the `server-cert` certificate to clients instead of re-signing the server's own certificate.

ssl-anomalies-log

Enable/disable logging SSL anomalies.

option

-

enable

Option

Description

disable

Disable logging SSL anomalies.

enable

Enable logging SSL anomalies.

ssl-exemptions-log

Enable/disable logging SSL exemptions.

option

-

disable

Option

Description

disable

Disable logging SSL exemptions.

enable

Enable logging SSL exemptions.

ssl-negotiation-log

Enable/disable logging SSL negotiation.

option

-

disable

Option

Description

disable

Disable logging SSL negotiation.

enable

Enable logging SSL negotiation.

untrusted-caname

CA certificate used by SSL inspection when a re-signed server certificate should not appear trusted to the client (the trusted counterpart is `caname`). Keep this CA out of client trust stores, otherwise clients lose the warning for such servers.

string

Maximum length: 35

Fortinet_CA_Untrusted

use-ssl-server

Enable/disable use of the `ssl-server` table, which defines per-server client-certificate handling for SSL offloading.

option

-

disable

Option

Description

disable

Don't use SSL server configuration.

enable

Use SSL server configuration.

whitelist

Enable/disable exempting servers by FortiGuard whitelist.

option

-

disable

Option

Description

enable

Exempt servers on the FortiGuard whitelist from SSL inspection; their traffic passes through uninspected.

disable

Do not use the FortiGuard whitelist; servers on it are inspected like any other.

config ftps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate with the trusted inspection CA (`caname`) so the client sees no error. This hides the validation failure from the user, unlike `allow`, which does not present the certificate as trusted; reserve `ignore` for explicitly known servers.

cert-validation-timeout

Action taken when certificate validation (for example a revocation lookup) does not complete in time. The default `allow` is fail-open; choose `block` if an unverifiable certificate must not be accepted.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Do not inspect the session; it is passed through uninspected.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535). The "default = 443" shown here appears to be copied from the HTTPS section; confirm the actual default for this protocol on the device. Traffic on ports not listed here is not inspected by this protocol section, so add any non-standard ports the servers actually use.

integer

Minimum value: 1 Maximum value: 65535

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. Because the SNI is chosen by the client, a mismatch under `enable` only changes which name is used for URL filtering; use `strict` if a mismatch should close the connection.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action taken when the negotiated cipher suite is one the inspection engine cannot decrypt. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action taken when the SSL/TLS negotiation uses a feature the inspection engine does not support. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action taken when the server certificate is not issued by a CA the FortiGate trusts. Note the default here is `allow`, unlike the `block` default for expired and revoked certificates; self-signed or privately issued server certificates are therefore accepted unless this is set to `block`.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config https

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate with the trusted inspection CA (`caname`) so the client sees no error. This hides the validation failure from the user, unlike `allow`, which does not present the certificate as trusted; reserve `ignore` for explicitly known servers.

cert-validation-timeout

Action taken when certificate validation (for example a revocation lookup) does not complete in time. The default `allow` is fail-open; choose `block` if an unverifiable certificate must not be accepted.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Do not inspect the session; it is passed through uninspected.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535, default = 443).

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. Because the SNI is chosen by the client, a mismatch under `enable` only changes which name is used for URL filtering; use `strict` if a mismatch should close the connection.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action taken when the negotiated cipher suite is one the inspection engine cannot decrypt. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action taken when the SSL/TLS negotiation uses a feature the inspection engine does not support. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action taken when the server certificate is not issued by a CA the FortiGate trusts. Note the default here is `allow`, unlike the `block` default for expired and revoked certificates; self-signed or privately issued server certificates are therefore accepted unless this is set to `block`.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config imaps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate with the trusted inspection CA (`caname`) so the client sees no error. This hides the validation failure from the user, unlike `allow`, which does not present the certificate as trusted; reserve `ignore` for explicitly known servers.

cert-validation-timeout

Action taken when certificate validation (for example a revocation lookup) does not complete in time. The default `allow` is fail-open; choose `block` if an unverifiable certificate must not be accepted.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Do not inspect the session; it is passed through uninspected.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535). The "default = 443" shown here appears to be copied from the HTTPS section; confirm the actual default for this protocol on the device. Traffic on ports not listed here is not inspected by this protocol section, so add any non-standard ports the servers actually use.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. Because the SNI is chosen by the client, a mismatch under `enable` only changes which name is used for URL filtering; use `strict` if a mismatch should close the connection.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action taken when the negotiated cipher suite is one the inspection engine cannot decrypt. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action taken when the SSL/TLS negotiation uses a feature the inspection engine does not support. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action taken when the server certificate is not issued by a CA the FortiGate trusts. Note the default here is `allow`, unlike the `block` default for expired and revoked certificates; self-signed or privately issued server certificates are therefore accepted unless this is set to `block`.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config pop3s

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate with the trusted inspection CA (`caname`) so the client sees no error. This hides the validation failure from the user, unlike `allow`, which does not present the certificate as trusted; reserve `ignore` for explicitly known servers.

cert-validation-timeout

Action taken when certificate validation (for example a revocation lookup) does not complete in time. The default `allow` is fail-open; choose `block` if an unverifiable certificate must not be accepted.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Do not inspect the session; it is passed through uninspected.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535). The "default = 443" shown here appears to be copied from the HTTPS section; confirm the actual default for this protocol on the device. Traffic on ports not listed here is not inspected by this protocol section, so add any non-standard ports the servers actually use.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. Because the SNI is chosen by the client, a mismatch under `enable` only changes which name is used for URL filtering; use `strict` if a mismatch should close the connection.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action taken when the negotiated cipher suite is one the inspection engine cannot decrypt. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action taken when the SSL/TLS negotiation uses a feature the inspection engine does not support. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action taken when the server certificate is not issued by a CA the FortiGate trusts. Note the default here is `allow`, unlike the `block` default for expired and revoked certificates; self-signed or privately issued server certificates are therefore accepted unless this is set to `block`.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config smtps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate with the trusted inspection CA (`caname`) so the client sees no error. This hides the validation failure from the user, unlike `allow`, which does not present the certificate as trusted; reserve `ignore` for explicitly known servers.

cert-validation-timeout

Action taken when certificate validation (for example a revocation lookup) does not complete in time. The default `allow` is fail-open; choose `block` if an unverifiable certificate must not be accepted.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Do not inspect the session; it is passed through uninspected.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535). The "default = 443" shown here appears to be copied from the HTTPS section; confirm the actual default for this protocol on the device. Traffic on ports not listed here is not inspected by this protocol section, so add any non-standard ports the servers actually use.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. Because the SNI is chosen by the client, a mismatch under `enable` only changes which name is used for URL filtering; use `strict` if a mismatch should close the connection.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action taken when the negotiated cipher suite is one the inspection engine cannot decrypt. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action taken when the SSL/TLS negotiation uses a feature the inspection engine does not support. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action taken when the server certificate is not issued by a CA the FortiGate trusts. Note the default here is `allow`, unlike the `block` default for expired and revoked certificates; self-signed or privately issued server certificates are therefore accepted unless this is set to `block`.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config ssh

Parameter

Description

Type

Size

Default

inspect-all

Level of SSH inspection (this section configures SSH; the "SSL" wording is a copy-paste error).

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSH inspection.

ports

Ports to use for scanning (1 - 65535). The "default = 443" shown here appears to be copied from the HTTPS section and is not an SSH port; confirm the actual default on the device. SSH on ports not listed here is not inspected by this section, so add any non-standard ports in use.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-algorithm

Relative strength of encryption algorithms accepted during negotiation.

option

-

compatible

Option

Description

compatible

Allow a broader set of encryption algorithms for best compatibility. This set is wider than `high-encryption` and can include weaker legacy algorithms; prefer `high-encryption` unless legacy clients or servers require otherwise.

high-encryption

Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

ssh-tun-policy-check

Enable/disable SSH tunnel policy check.

option

-

disable

Option

Description

disable

Disable SSH tunnel policy check.

enable

Enable SSH tunnel policy check.

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSH inspection.

unsupported-version

Action based on SSH version being unsupported.

option

-

bypass

Option

Description

bypass

Pass the session through uninspected. This is the default, so sessions using an unsupported SSH version escape inspection unless `block` is set.

block

Block the session.

config ssl

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate with the trusted inspection CA (`caname`) so the client sees no error. This hides the validation failure from the user, unlike `allow`, which does not present the certificate as trusted; reserve `ignore` for explicitly known servers.

cert-validation-timeout

Action taken when certificate validation (for example a revocation lookup) does not complete in time. The default `allow` is fail-open; choose `block` if an unverifiable certificate must not be accepted.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Do not inspect the session; it is passed through uninspected.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. Because the SNI is chosen by the client, a mismatch under `enable` only changes which name is used for URL filtering; use `strict` if a mismatch should close the connection.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

unsupported-ssl-cipher

Action taken when the negotiated cipher suite is one the inspection engine cannot decrypt. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action taken when the SSL/TLS negotiation uses a feature the inspection engine does not support. The default `allow` passes the session through uninspected (fail-open); set `block` to fail closed.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action taken when the server certificate is not issued by a CA the FortiGate trusts. Note the default here is `allow`, unlike the `block` default for expired and revoked certificates; self-signed or privately issued server certificates are therefore accepted unless this is set to `block`.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config firewall ssl-ssh-profile

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
    Description: Configure SSL/SSH protocol options.
    edit <name>
        set block-blacklisted-certificates [disable|enable]
        set caname {string}
        set comment {var-string}
        config ftps
            Description: Configure FTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config https
            Description: Configure HTTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|certificate-inspection|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set mapi-over-https [enable|disable]
        config pop3s
            Description: Configure POP3S options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set rpc-over-https [enable|disable]
        set server-cert {string}
        set server-cert-mode [re-sign|replace]
        config smtps
            Description: Configure SMTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config ssh
            Description: Configure SSH options.
            set inspect-all [disable|deep-inspection]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set ssh-algorithm [compatible|high-encryption]
            set ssh-tun-policy-check [disable|enable]
            set status [disable|deep-inspection]
            set unsupported-version [bypass|block]
        end
        config ssl
            Description: Configure SSL options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set inspect-all [disable|certificate-inspection|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set ssl-anomalies-log [disable|enable]
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set address {string}
                set address6 {string}
                set fortiguard-category {integer}
                set regex {string}
                set type [fortiguard-category|address|...]
                set wildcard-fqdn {string}
            next
        end
        set ssl-exemptions-log [disable|enable]
        set ssl-negotiation-log [disable|enable]
        config ssl-server
            Description: SSL server settings used for client certificate request.
            edit <id>
                set ftps-client-certificate [bypass|inspect|...]
                set https-client-certificate [bypass|inspect|...]
                set imaps-client-certificate [bypass|inspect|...]
                set ip {ipv4-address-any}
                set pop3s-client-certificate [bypass|inspect|...]
                set smtps-client-certificate [bypass|inspect|...]
                set ssl-other-client-certificate [bypass|inspect|...]
            next
        end
        set untrusted-caname {string}
        set use-ssl-server [disable|enable]
        set whitelist [enable|disable]
    next
end

config firewall ssl-ssh-profile

Parameter

Description

Type

Size

Default

block-blacklisted-certificates

Enable/disable blocking of SSL-based botnet communication using the FortiGuard certificate blacklist.

option

-

enable

Option

Description

disable

Disable FortiGuard certificate blacklist.

enable

Enable FortiGuard certificate blacklist.

caname

CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_SSL

comment

Optional comments.

var-string

Maximum length: 255

mapi-over-https

Enable/disable inspection of MAPI over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of MAPI over HTTPS.

disable

Disable inspection of MAPI over HTTPS.

name

Name.

string

Maximum length: 35

rpc-over-https

Enable/disable inspection of RPC over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTPS.

disable

Disable inspection of RPC over HTTPS.

server-cert

Certificate used by SSL Inspection to replace the server certificate.

string

Maximum length: 35

Fortinet_SSL

server-cert-mode

Re-sign or replace the server's certificate.

option

-

re-sign

Option

Description

re-sign

Re-sign server certificates; used when multiple clients connect to multiple servers.

replace

Replace the server certificate; used to protect an SSL server.

ssl-anomalies-log

Enable/disable logging SSL anomalies.

option

-

enable

Option

Description

disable

Disable logging SSL anomalies.

enable

Enable logging SSL anomalies.

ssl-exemptions-log

Enable/disable logging SSL exemptions.

option

-

disable

Option

Description

disable

Disable logging SSL exemptions.

enable

Enable logging SSL exemptions.

ssl-negotiation-log

Enable/disable logging SSL negotiation.

option

-

disable

Option

Description

disable

Disable logging SSL negotiation.

enable

Enable logging SSL negotiation.

untrusted-caname

Untrusted CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_Untrusted

use-ssl-server

Enable/disable use of the SSL server table for SSL offloading.

option

-

disable

Option

Description

disable

Don't use SSL server configuration.

enable

Use SSL server configuration.

whitelist

Enable/disable exempting servers by FortiGuard whitelist.

option

-

disable

Option

Description

enable

Enable exempting servers by FortiGuard whitelist.

disable

Disable exempting servers by FortiGuard whitelist.

config ftps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action to take when the server certificate has expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535, default = 443).

integer

Minimum value: 1 Maximum value: 65535

revoked-server-cert

Action to take when the server certificate has been revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action to take when the server certificate was not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config https

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action to take when the server certificate has expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535, default = 443).

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action to take when the server certificate has been revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action to take when the server certificate was not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config imaps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action to take when the server certificate has expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535, default = 443).

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action to take when the server certificate has been revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action to take when the server certificate was not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config pop3s

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action to take when the server certificate has expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535, default = 443).

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action to take when the server certificate has been revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action to take when the server certificate was not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config smtps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action to take when the server certificate has expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning (1 - 65535, default = 443).

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action to take when the server certificate has been revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action to take when the server certificate was not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config ssh

Parameter

Description

Type

Size

Default

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

ports

Ports to use for scanning (1 - 65535, default = 443).

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-algorithm

Relative strength of encryption algorithms accepted during negotiation.

option

-

compatible

Option

Description

compatible

Allow a broader set of encryption algorithms for best compatibility.

high-encryption

Allow only AES-CTR and AES-GCM ciphers and other high-strength encryption algorithms.

ssh-tun-policy-check

Enable/disable SSH tunnel policy check.

option

-

disable

Option

Description

disable

Disable SSH tunnel policy check.

enable

Enable SSH tunnel policy check.

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-version

Action based on SSH version being unsupported.

option

-

bypass

Option

Description

bypass

Bypass the session.

block

Block the session.

config ssl

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action to take when the server certificate has expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

revoked-server-cert

Action to take when the server certificate has been revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

untrusted-server-cert

Action to take when the server certificate was not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.