config firewall access-proxy
Configure Access Proxy.
config firewall access-proxy
Description: Configure Access Proxy.
edit <name>
set vip {string}
set client-cert [disable|enable]
set empty-cert-action [accept|block]
config api-gateway
Description: Set API Gateway.
edit <id>
set url-map {string}
set service [http|https|...]
set ldb-method [static|round-robin|...]
set virtual-host {string}
set url-map-type [sub-string|wildcard|...]
config realservers
Description: Select the real servers that this Access Proxy will distribute traffic to.
edit <id>
set address {string}
set ip {ipv4-address-any}
set port {integer}
set mappedport {user}
set status [active|standby|...]
set weight {integer}
set http-host {string}
set health-check [disable|enable]
set health-check-proto [ping|http|...]
next
end
set persistence [none|http-cookie]
set http-cookie-domain-from-host [disable|enable]
set http-cookie-domain {string}
set http-cookie-path {string}
set http-cookie-generation {integer}
set http-cookie-age {integer}
set http-cookie-share [disable|same-ip]
set https-cookie-secure [disable|enable]
set saml-server {string}
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
config ssl-cipher-suites
Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
edit <priority>
set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
set versions {option1}, {option2}, ...
next
end
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
next
end
set server-pubkey-auth [disable|enable]
config server-pubkey-auth-settings
Description: Server SSH public key authentication settings.
set source-address [enable|disable]
set permit-x11-forwarding [enable|disable]
set permit-agent-forwarding [enable|disable]
set permit-port-forwarding [enable|disable]
set permit-pty [enable|disable]
set permit-user-rc [enable|disable]
config cert-extension
Description: Configure certificate extension for user certificate.
edit <name>
set critical [no|yes]
set type [fixed|user]
set data {string}
next
end
set auth-ca {string}
end
set ldb-method [static|round-robin|...]
config realservers
Description: Select the SSL real servers that this Access Proxy will distribute traffic to.
edit <id>
set ip {ipv4-address-any}
set port {integer}
set status [active|standby|...]
set weight {integer}
next
end
next
end
config firewall access-proxy
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| vip | Virtual IP name. | string | Maximum length: 79 | |
| client-cert | Enable/disable to request client certificate. | option | - | disable |
| empty-cert-action | Action to take when the client presents an empty client certificate (accept or block). | option | - | accept |
| server-pubkey-auth | Enable/disable SSH real server public key authentication. | option | - | disable |
| ldb-method | Method used to distribute sessions to SSL real servers. | option | - | static |
config api-gateway
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| url-map | URL pattern to match. | string | Maximum length: 511 | / |
| service | Service. | option | - | |
| ldb-method | Method used to distribute sessions to real servers. | option | - | static |
| virtual-host | Virtual host. | string | Maximum length: 79 | |
| url-map-type | Type of url-map. | option | - | sub-string |
| persistence | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. | option | - | none |
| http-cookie-domain-from-host | Enable/disable use of the HTTP cookie domain from the host field in HTTP. | option | - | disable |
| http-cookie-domain | Domain that HTTP cookie persistence should apply to. | string | Maximum length: 35 | |
| http-cookie-path | Limit HTTP cookie persistence to the specified path. | string | Maximum length: 35 | |
| http-cookie-generation | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. | integer | Minimum value: 0 Maximum value: 4294967295 | 0 |
| http-cookie-age | Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. | integer | Minimum value: 0 Maximum value: 525600 | 60 |
| http-cookie-share | Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. | option | - | same-ip |
| https-cookie-secure | Enable/disable verification that inserted HTTPS cookies are secure. | option | - | disable |
| saml-server | SAML service provider configuration for VIP authentication. | string | Maximum length: 35 | |
| ssl-dh-bits | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. | option | - | 2048 |
| ssl-algorithm | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. | option | - | high |
| ssl-min-version | Lowest SSL/TLS version acceptable from a server. | option | - | tls-1.1 |
| ssl-max-version | Highest SSL/TLS version acceptable from a server. | option | - | tls-1.3 |
config realservers
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| address | Address or address group of the real server. | string | Maximum length: 79 | |
| ip | IP address of the real server. | ipv4-address-any | Not Specified | 0.0.0.0 |
| port | Port for communicating with the real server. | integer | Minimum value: 1 Maximum value: 65535 | 0 |
| mappedport | Port for communicating with the real server. | user | Not Specified | |
| status | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. | option | - | active |
| weight | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | integer | Minimum value: 1 Maximum value: 255 | 1 |
| http-host | HTTP server domain name in HTTP header. | string | Maximum length: 63 | |
| health-check | Enable to check the responsiveness of the real server before forwarding traffic. | option | - | disable |
| health-check-proto | Protocol of the health check monitor to use when polling to determine server's connectivity status. | option | - | ping |
config realservers
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| ip | IP address of the real server. | ipv4-address-any | Not Specified | 0.0.0.0 |
| port | Port for communicating with the real server. | integer | Minimum value: 1 Maximum value: 65535 | 0 |
| status | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. | option | - | active |
| weight | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | integer | Minimum value: 1 Maximum value: 255 | 1 |
config ssl-cipher-suites
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| cipher | Cipher suite name. | option | - | |
| versions | SSL/TLS versions that the cipher suite can be used with. | option | - | tls-1.0 tls-1.1 tls-1.2 tls-1.3 |
config server-pubkey-auth-settings
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| source-address | Enable/disable appending the source-address certificate critical option. This option ensures the certificate is only accepted from the FortiGate source address. | option | - | disable |
| permit-x11-forwarding | Enable/disable appending permit-x11-forwarding certificate extension. | option | - | enable |
| permit-agent-forwarding | Enable/disable appending permit-agent-forwarding certificate extension. | option | - | enable |
| permit-port-forwarding | Enable/disable appending permit-port-forwarding certificate extension. | option | - | enable |
| permit-pty | Enable/disable appending permit-pty certificate extension. | option | - | enable |
| permit-user-rc | Enable/disable appending permit-user-rc certificate extension. | option | - | enable |
| auth-ca | Name of the SSH server public key authentication CA. | string | Maximum length: 79 | |
config cert-extension
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| critical | Critical option. | option | - | no |
| type | Type of certificate extension. | option | - | fixed |
| data | Name of certificate extension. | string | Maximum length: 127 | |
config realservers
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| address | Address or address group of the real server. | string | Maximum length: 79 | |
| ip | IP address of the real server. | ipv4-address-any | Not Specified | 0.0.0.0 |
| port | Port for communicating with the real server. | integer | Minimum value: 1 Maximum value: 65535 | 0 |
| mappedport | Port for communicating with the real server. | user | Not Specified | |
| status | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. | option | - | active |
| weight | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | integer | Minimum value: 1 Maximum value: 255 | 1 |
| http-host | HTTP server domain name in HTTP header. | string | Maximum length: 63 | |
| health-check | Enable to check the responsiveness of the real server before forwarding traffic. | option | - | disable |
| health-check-proto | Protocol of the health check monitor to use when polling to determine server's connectivity status. | option | - | ping |
config realservers
| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| ip | IP address of the real server. | ipv4-address-any | Not Specified | 0.0.0.0 |
| port | Port for communicating with the real server. | integer | Minimum value: 1 Maximum value: 65535 | 0 |
| status | Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent. | option | - | active |
| weight | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | integer | Minimum value: 1 Maximum value: 255 | 1 |