config firewall access-proxy

Configure Access Proxy.

config firewall access-proxy

Description: Configure Access Proxy.

edit <name>

set vip {string}

set client-cert [disable|enable]

set empty-cert-action [accept|block]

config api-gateway

Description: Set API Gateway.

edit <id>

set url-map {string}

set service [http|https|...]

set ldb-method [static|round-robin|...]

set virtual-host {string}

set url-map-type [sub-string|wildcard|...]

config realservers

Description: Select the real servers that this Access Proxy will distribute traffic to.

edit <id>

set address {string}

set ip {ipv4-address-any}

set port {integer}

set mappedport {user}

set status [active|standby|...]

set weight {integer}

set http-host {string}

set health-check [disable|enable]

set health-check-proto [ping|http|...]

next

end

set persistence [none|http-cookie]

set http-cookie-domain-from-host [disable|enable]

set http-cookie-domain {string}

set http-cookie-path {string}

set http-cookie-generation {integer}

set http-cookie-age {integer}

set http-cookie-share [disable|same-ip]

set https-cookie-secure [disable|enable]

set saml-server {string}

set ssl-dh-bits [768|1024|...]

set ssl-algorithm [high|medium|...]

config ssl-cipher-suites

Description: SSL/TLS cipher suites to offer to a server, ordered by priority.

edit <priority>

set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

set versions {option1}, {option2}, ...

next

end

set ssl-min-version [tls-1.0|tls-1.1|...]

set ssl-max-version [tls-1.0|tls-1.1|...]

next

end

set server-pubkey-auth [disable|enable]

config server-pubkey-auth-settings

Description: Server SSH public key authentication settings.

set source-address [enable|disable]

set permit-x11-forwarding [enable|disable]

set permit-agent-forwarding [enable|disable]

set permit-port-forwarding [enable|disable]

set permit-pty [enable|disable]

set permit-user-rc [enable|disable]

config cert-extension

Description: Configure certificate extension for user certificate.

edit <name>

set critical [no|yes]

set type [fixed|user]

set data {string}

next

end

set auth-ca {string}

end

set ldb-method [static|round-robin|...]

config realservers

Description: Select the SSL real servers that this Access Proxy will distribute traffic to.

edit <id>

set ip {ipv4-address-any}

set port {integer}

set status [active|standby|...]

set weight {integer}

next

end

next

end

config firewall access-proxy

Parameter

Description

Type

Size

Default

vip

Virtual IP name.

string

Maximum length: 79

client-cert

Enable/disable to request client certificate.

option

-

disable

 

Option

Description

disable

Disable client certificate request.

enable

Enable client certificate request.

empty-cert-action

Action of an empty client certificate.

option

-

accept

 

Option

Description

accept

Accept the SSL handshake if the client certificate is empty.

block

Block the SSL handshake if the client certificate is empty.

server-pubkey-auth

Enable/disable SSH real server public key authentication.

option

-

disable

 

Option

Description

disable

Disable SSH real server public key authentication.

enable

Enable SSH real server public key authentication with SSH certificate.

ldb-method

Method used to distribute sessions to SSL real servers.

option

-

static

 

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

least-session

Distribute to server with lowest session count.

least-rtt

Distribute to server with lowest Round-Trip-Time.

first-alive

Distribute to the first server that is alive.

config api-gateway

Parameter

Description

Type

Size

Default

url-map

URL pattern to match.

string

Maximum length: 511

/

service

Service.

option

-

 

Option

Description

http

HTTP

https

HTTPS

tcp-forwarding

TCP-FORWARDING

samlsp

SAML-SP

ldb-method

Method used to distribute sessions to real servers.

option

-

static

 

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

least-session

Distribute to server with lowest session count.

least-rtt

Distribute to server with lowest Round-Trip-Time.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

virtual-host

Virtual host.

string

Maximum length: 79

url-map-type

Type of url-map.

option

-

sub-string

 

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

 

Option

Description

none

None.

http-cookie

HTTP cookie.

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

 

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-share

Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

 

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

 

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

saml-server

SAML service provider configuration for VIP authentication.

string

Maximum length: 35

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

 

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

high

 

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom

Custom encryption. Use ssl-cipher-suites to select the cipher suites that are allowed.

ssl-min-version

Lowest SSL/TLS version acceptable from a server.

option

-

tls-1.1

 

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a server.

option

-

tls-1.3

 

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config realservers

Parameter

Description

Type

Size

Default

address

Address or address group of the real server.

string

Maximum length: 79

ip

IP address of the real server.

ipv4-address-any

Not Specified

0.0.0.0

port

Port for communicating with the real server.

integer

Minimum value: 1 Maximum value: 65535

0

mappedport

Port for communicating with the real server.

user

Not Specified

status

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

option

-

active

 

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disable.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

1

http-host

HTTP server domain name in HTTP header.

string

Maximum length: 63

health-check

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

disable

 

Option

Description

disable

Disable per server health check.

enable

Enable per server health check.

health-check-proto

Protocol of the health check monitor to use when polling to determine server's connectivity status.

option

-

ping

 

Option

Description

ping

Use PING to test the link with the server.

http

Use HTTP-GET to test the link with the server.

tcp-connect

Use a full TCP connection to test the link with the server.

config realservers

Parameter

Description

Type

Size

Default

ip

IP address of the real server.

ipv4-address-any

Not Specified

0.0.0.0

port

Port for communicating with the real server.

integer

Minimum value: 1 Maximum value: 65535

0

status

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

option

-

active

 

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disable.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

1

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

-

 

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

tls-1.0 tls-1.1 tls-1.2 tls-1.3

 

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config server-pubkey-auth-settings

Parameter

Description

Type

Size

Default

source-address

Enable/disable appending source-address certificate critical option. This option ensure certificate only accepted from FortiGate source address.

option

-

disable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-x11-forwarding

Enable/disable appending permit-x11-forwarding certificate extension.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-agent-forwarding

Enable/disable appending permit-agent-forwarding certificate extension.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-port-forwarding

Enable/disable appending permit-port-forwarding certificate extension.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-pty

Enable/disable appending permit-pty certificate extension.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

permit-user-rc

Enable/disable appending permit-user-rc certificate extension.

option

-

enable

 

Option

Description

enable

Enable setting.

disable

Disable setting.

auth-ca

Name of the SSH server public key authentication CA.

string

Maximum length: 79

config cert-extension

Parameter

Description

Type

Size

Default

critical

Critical option.

option

-

no

 

Option

Description

no

Certificate extension, server ignores the unsupported certificate extension.

yes

Critical option, server refuses to authorize if it cannnot recognise the critical option.

type

Type of certificate extension.

option

-

fixed

 

Option

Description

fixed

Fixed certificate extension entry.

user

Certificate extension entry filled with authenticated username.

data

Name of certificate extension.

string

Maximum length: 127

config realservers