Fortinet black logo

CLI Reference

firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

  config firewall ssl-ssh-profile
      Description: Configure SSL/SSH protocol options.
      edit <name>
          set comment {var-string}
          config ssl
              Description: Configure SSL options.
              set inspect-all [disable|certificate-inspection|...]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config https
              Description: Configure HTTPS options.
              set ports {integer}
              set status [disable|certificate-inspection|...]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ftps
              Description: Configure FTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config imaps
              Description: Configure IMAPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config pop3s
              Description: Configure POP3S options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config smtps
              Description: Configure SMTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ssh
              Description: Configure SSH options.
              set ports {integer}
              set status [disable|deep-inspection]
              set inspect-all [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set unsupported-version [bypass|block]
              set ssh-tun-policy-check [disable|enable]
              set ssh-algorithm [compatible|high-encryption]
          end
          set whitelist [enable|disable]
          set block-blacklisted-certificates [disable|enable]
          config ssl-exempt
              Description: Servers to exempt from SSL inspection.
              edit <id>
                  set type [fortiguard-category|address|...]
                  set fortiguard-category {integer}
                  set address {string}
                  set address6 {string}
                  set wildcard-fqdn {string}
                  set regex {string}
              next
          end
          set server-cert-mode [re-sign|replace]
          set use-ssl-server [disable|enable]
          set caname {string}
          set untrusted-caname {string}
          set server-cert {string}
          config ssl-server
              Description: SSL server settings used for client certificate request.
              edit <id>
                  set ip {ipv4-address-any}
                  set https-client-certificate [bypass|inspect|...]
                  set smtps-client-certificate [bypass|inspect|...]
                  set pop3s-client-certificate [bypass|inspect|...]
                  set imaps-client-certificate [bypass|inspect|...]
                  set ftps-client-certificate [bypass|inspect|...]
                  set ssl-other-client-certificate [bypass|inspect|...]
              next
          end
          set ssl-anomalies-log [disable|enable]
          set ssl-exemptions-log [disable|enable]
          set ssl-negotiation-log [disable|enable]
          set rpc-over-https [enable|disable]
          set mapi-over-https [enable|disable]
      next
  end

config firewall ssl-ssh-profile

Parameter Name Description Type Size
comment Optional comments. var-string Maximum length: 255
whitelist Enable/disable exempting servers by FortiGuard whitelist.
enable: Enable setting.
disable: Disable setting.
option -
block-blacklisted-certificates Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist.
disable: Disable FortiGuard certificate blacklist.
enable: Enable FortiGuard certificate blacklist.
option -
server-cert-mode Re-sign or replace the server's certificate.
re-sign: Multiple clients connecting to multiple servers.
replace: Protect an SSL server.
option -
use-ssl-server Enable/disable the use of SSL server table for SSL offloading.
disable: Don't use SSL server configuration.
enable: Use SSL server configuration.
option -
caname CA certificate used by SSL Inspection. string Maximum length: 35
untrusted-caname Untrusted CA certificate used by SSL Inspection. string Maximum length: 35
server-cert Certificate used by SSL Inspection to replace server certificate. string Maximum length: 35
ssl-anomalies-log Enable/disable logging SSL anomalies.
disable: Disable logging SSL anomalies.
enable: Enable logging SSL anomalies.
option -
ssl-exemptions-log Enable/disable logging SSL exemptions.
disable: Disable logging SSL exemptions.
enable: Enable logging SSL exemptions.
option -
ssl-negotiation-log Enable/disable logging SSL negotiation.
disable: Disable logging SSL negotiation.
enable: Enable logging SSL negotiation.
option -
rpc-over-https Enable/disable inspection of RPC over HTTPS.
enable: Enable inspection of RPC over HTTPS.
disable: Disable inspection of RPC over HTTPS.
option -
mapi-over-https Enable/disable inspection of MAPI over HTTPS.
enable: Enable inspection of MAPI over HTTPS.
disable: Disable inspection of MAPI over HTTPS.
option -

config ssl

Parameter Name Description Type Size
inspect-all Level of SSL inspection.
disable: Disable.
certificate-inspection: Inspect SSL handshake only.
deep-inspection: Full SSL inspection.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config https

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
certificate-inspection: Inspect SSL handshake only.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config ftps

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config imaps

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config pop3s

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config smtps

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config ssh

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
inspect-all Level of SSL inspection.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
unsupported-version Action based on SSH version being unsupported.
bypass: Bypass the session.
block: Block the session.
option -
ssh-tun-policy-check Enable/disable SSH tunnel policy check.
disable: Disable SSH tunnel policy check.
enable: Enable SSH tunnel policy check.
option -
ssh-algorithm Relative strength of encryption algorithms accepted during negotiation.
compatible: Allow a broader set of encryption algorithms for best compatibility.
high-encryption: Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.
option -

config ssl-exempt

Parameter Name Description Type Size
type Type of address object (IPv4 or IPv6) or FortiGuard category.
fortiguard-category: FortiGuard category.
address: Firewall IPv4 address.
address6: Firewall IPv6 address.
wildcard-fqdn: Fully Qualified Domain Name with wildcard characters.
regex: Regular expression FQDN.
option -
fortiguard-category FortiGuard category ID. integer Minimum value: 0 Maximum value: 255
address IPv4 address object. string Maximum length: 79
address6 IPv6 address object. string Maximum length: 79
wildcard-fqdn Exempt servers by wildcard FQDN. string Maximum length: 79
regex Exempt servers by regular expression. string Maximum length: 255

config ssl-server

Parameter Name Description Type Size
ip IPv4 address of the SSL server. ipv4-address-any Not Specified
https-client-certificate Action based on received client certificate during the HTTPS handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
smtps-client-certificate Action based on received client certificate during the SMTPS handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
pop3s-client-certificate Action based on received client certificate during the POP3S handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
imaps-client-certificate Action based on received client certificate during the IMAPS handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
ftps-client-certificate Action based on received client certificate during the FTPS handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
ssl-other-client-certificate Action based on received client certificate during an SSL protocol handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -

Configure SSL/SSH protocol options.

  config firewall ssl-ssh-profile
      Description: Configure SSL/SSH protocol options.
      edit <name>
          set comment {var-string}
          config ssl
              Description: Configure SSL options.
              set inspect-all [disable|certificate-inspection|...]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config https
              Description: Configure HTTPS options.
              set ports {integer}
              set status [disable|certificate-inspection|...]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ftps
              Description: Configure FTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config imaps
              Description: Configure IMAPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config pop3s
              Description: Configure POP3S options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config smtps
              Description: Configure SMTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ssh
              Description: Configure SSH options.
              set ports {integer}
              set status [disable|deep-inspection]
              set inspect-all [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set unsupported-version [bypass|block]
              set ssh-tun-policy-check [disable|enable]
              set ssh-algorithm [compatible|high-encryption]
          end
          set whitelist [enable|disable]
          set block-blacklisted-certificates [disable|enable]
          config ssl-exempt
              Description: Servers to exempt from SSL inspection.
              edit <id>
                  set type [fortiguard-category|address|...]
                  set fortiguard-category {integer}
                  set address {string}
                  set address6 {string}
                  set wildcard-fqdn {string}
                  set regex {string}
              next
          end
          set server-cert-mode [re-sign|replace]
          set use-ssl-server [disable|enable]
          set caname {string}
          set untrusted-caname {string}
          set server-cert {string}
          config ssl-server
              Description: SSL server settings used for client certificate request.
              edit <id>
                  set ip {ipv4-address-any}
                  set https-client-certificate [bypass|inspect|...]
                  set smtps-client-certificate [bypass|inspect|...]
                  set pop3s-client-certificate [bypass|inspect|...]
                  set imaps-client-certificate [bypass|inspect|...]
                  set ftps-client-certificate [bypass|inspect|...]
                  set ssl-other-client-certificate [bypass|inspect|...]
              next
          end
          set ssl-anomalies-log [disable|enable]
          set ssl-exemptions-log [disable|enable]
          set ssl-negotiation-log [disable|enable]
          set rpc-over-https [enable|disable]
          set mapi-over-https [enable|disable]
      next
  end

config firewall ssl-ssh-profile

Parameter Name Description Type Size
comment Optional comments. var-string Maximum length: 255
whitelist Enable/disable exempting servers by FortiGuard whitelist.
enable: Enable setting.
disable: Disable setting.
option -
block-blacklisted-certificates Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist.
disable: Disable FortiGuard certificate blacklist.
enable: Enable FortiGuard certificate blacklist.
option -
server-cert-mode Re-sign or replace the server's certificate.
re-sign: Multiple clients connecting to multiple servers.
replace: Protect an SSL server.
option -
use-ssl-server Enable/disable the use of SSL server table for SSL offloading.
disable: Don't use SSL server configuration.
enable: Use SSL server configuration.
option -
caname CA certificate used by SSL Inspection. string Maximum length: 35
untrusted-caname Untrusted CA certificate used by SSL Inspection. string Maximum length: 35
server-cert Certificate used by SSL Inspection to replace server certificate. string Maximum length: 35
ssl-anomalies-log Enable/disable logging SSL anomalies.
disable: Disable logging SSL anomalies.
enable: Enable logging SSL anomalies.
option -
ssl-exemptions-log Enable/disable logging SSL exemptions.
disable: Disable logging SSL exemptions.
enable: Enable logging SSL exemptions.
option -
ssl-negotiation-log Enable/disable logging SSL negotiation.
disable: Disable logging SSL negotiation.
enable: Enable logging SSL negotiation.
option -
rpc-over-https Enable/disable inspection of RPC over HTTPS.
enable: Enable inspection of RPC over HTTPS.
disable: Disable inspection of RPC over HTTPS.
option -
mapi-over-https Enable/disable inspection of MAPI over HTTPS.
enable: Enable inspection of MAPI over HTTPS.
disable: Disable inspection of MAPI over HTTPS.
option -

config ssl

Parameter Name Description Type Size
inspect-all Level of SSL inspection.
disable: Disable.
certificate-inspection: Inspect SSL handshake only.
deep-inspection: Full SSL inspection.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config https

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
certificate-inspection: Inspect SSL handshake only.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config ftps

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config imaps

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config pop3s

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config smtps

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
client-certificate Action based on received client certificate.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
unsupported-ssl-cipher Action based on the SSL cipher used being unsupported.
allow: Bypass the session when the cipher is not supported.
block: Block the session when the cipher is not supported.
option -
unsupported-ssl-negotiation Action based on the SSL negotiation used being unsupported.
allow: Bypass the session when the negotiation is not supported.
block: Block the session when the negotiation is not supported.
option -
expired-server-cert Action based on server certificate is expired.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
revoked-server-cert Action based on server certificate is revoked.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
untrusted-server-cert Action based on server certificate is not issued by a trusted CA.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-timeout Action based on certificate validation timeout.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
cert-validation-failure Action based on certificate validation failure.
allow: Allow the server certificate.
block: Block the session.
ignore: Re-sign the server certificate as trusted.
option -
sni-server-cert-check Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.
strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.
disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.
option -

config ssh

Parameter Name Description Type Size
ports Ports to use for scanning (1 - 65535, default = 443). integer Minimum value: 1 Maximum value: 65535
status Configure protocol inspection status.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
inspect-all Level of SSL inspection.
disable: Disable.
deep-inspection: Full SSL inspection.
option -
proxy-after-tcp-handshake Proxy traffic after the TCP 3-way handshake has been established (not before).
enable: Enable setting.
disable: Disable setting.
option -
unsupported-version Action based on SSH version being unsupported.
bypass: Bypass the session.
block: Block the session.
option -
ssh-tun-policy-check Enable/disable SSH tunnel policy check.
disable: Disable SSH tunnel policy check.
enable: Enable SSH tunnel policy check.
option -
ssh-algorithm Relative strength of encryption algorithms accepted during negotiation.
compatible: Allow a broader set of encryption algorithms for best compatibility.
high-encryption: Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.
option -

config ssl-exempt

Parameter Name Description Type Size
type Type of address object (IPv4 or IPv6) or FortiGuard category.
fortiguard-category: FortiGuard category.
address: Firewall IPv4 address.
address6: Firewall IPv6 address.
wildcard-fqdn: Fully Qualified Domain Name with wildcard characters.
regex: Regular expression FQDN.
option -
fortiguard-category FortiGuard category ID. integer Minimum value: 0 Maximum value: 255
address IPv4 address object. string Maximum length: 79
address6 IPv6 address object. string Maximum length: 79
wildcard-fqdn Exempt servers by wildcard FQDN. string Maximum length: 79
regex Exempt servers by regular expression. string Maximum length: 255

config ssl-server

Parameter Name Description Type Size
ip IPv4 address of the SSL server. ipv4-address-any Not Specified
https-client-certificate Action based on received client certificate during the HTTPS handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
smtps-client-certificate Action based on received client certificate during the SMTPS handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
pop3s-client-certificate Action based on received client certificate during the POP3S handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
imaps-client-certificate Action based on received client certificate during the IMAPS handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
ftps-client-certificate Action based on received client certificate during the FTPS handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -
ssl-other-client-certificate Action based on received client certificate during an SSL protocol handshake.
bypass: Bypass the session.
inspect: Inspect the session.
block: Block the session.
option -