config firewall ssl-server
Configure SSL servers.
config firewall ssl-server
Description: Configure SSL servers.
edit <name>
set ip {ipv4-address-any}
set port {integer}
set ssl-mode [half|full]
set add-header-x-forwarded-proto [enable|disable]
set mapped-port {integer}
set ssl-cert {string}
set ssl-dh-bits [768|1024|...]
set ssl-algorithm [high|medium|...]
set ssl-client-renegotiation [allow|deny|...]
set ssl-min-version [tls-1.0|tls-1.1|...]
set ssl-max-version [tls-1.0|tls-1.1|...]
set ssl-send-empty-frags [enable|disable]
set url-rewrite [enable|disable]
next
end
config firewall ssl-server
Parameter |
Description |
Type |
Size |
Default |
||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ip |
IPv4 address of the SSL server. |
ipv4-address-any |
Not Specified |
0.0.0.0 |
||||||||||
port |
Server service port . |
integer |
Minimum value: 1 Maximum value: 65535 |
443 |
||||||||||
ssl-mode |
SSL/TLS mode for encryption and decryption of traffic. |
option |
- |
full |
||||||||||
|
|
|||||||||||||
add-header-x-forwarded-proto |
Enable/disable adding an X-Forwarded-Proto header to forwarded requests. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
mapped-port |
Mapped server service port . |
integer |
Minimum value: 1 Maximum value: 65535 |
80 |
||||||||||
ssl-cert |
Name of certificate for SSL connections to this server . |
string |
Maximum length: 35 |
Fortinet_CA_SSL |
||||||||||
ssl-dh-bits |
Bit-size of Diffie-Hellman . |
option |
- |
2048 |
||||||||||
|
|
|||||||||||||
ssl-algorithm |
Relative strength of encryption algorithms accepted in negotiation. |
option |
- |
high |
||||||||||
|
|
|||||||||||||
ssl-client-renegotiation |
Allow or block client renegotiation by server. |
option |
- |
allow |
||||||||||
|
|
|||||||||||||
ssl-min-version |
Lowest SSL/TLS version to negotiate. |
option |
- |
tls-1.1 |
||||||||||
|
|
|||||||||||||
ssl-max-version |
Highest SSL/TLS version to negotiate. |
option |
- |
tls-1.2 |
||||||||||
|
|
|||||||||||||
ssl-send-empty-frags |
Enable/disable sending empty fragments to avoid attack on CBC IV. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
url-rewrite |
Enable/disable rewriting the URL. |
option |
- |
disable |
||||||||||
|
|