Fortinet Document Library


config firewall ssl-server

Configure SSL servers.

Description: Configure SSL servers.

    config firewall ssl-server
        edit <name>
            set ip {ipv4-address-any}
            set port {integer}
            set ssl-mode [half|full]
            set add-header-x-forwarded-proto [enable|disable]
            set mapped-port {integer}
            set ssl-cert {string}
            set ssl-dh-bits [768|1024|...]
            set ssl-algorithm [high|medium|...]
            set ssl-client-renegotiation [allow|deny|...]
            set ssl-min-version [tls-1.0|tls-1.1|...]
            set ssl-max-version [tls-1.0|tls-1.1|...]
            set ssl-send-empty-frags [enable|disable]
            set url-rewrite [enable|disable]
        next
    end

config firewall ssl-server

Parameters (Parameter / Description / Type / Size / Default):

ip
    Description: IPv4 address of the SSL server.
    Type: ipv4-address-any
    Size: Not Specified
    Default: 0.0.0.0

port
    Description: Server service port.
    Type: integer
    Size: Minimum value: 1, Maximum value: 65535
    Default: 443

ssl-mode
    Description: SSL/TLS mode for encryption and decryption of traffic.
    Type: option
    Size: -
    Default: full
    Options:
        half    Client to FortiGate SSL.
        full    Client to FortiGate and FortiGate to Server SSL.

add-header-x-forwarded-proto
    Description: Enable/disable adding an X-Forwarded-Proto header to forwarded requests.
    Type: option
    Size: -
    Default: enable
    Options:
        enable     Add X-Forwarded-Proto header.
        disable    Do not add X-Forwarded-Proto header.

mapped-port
    Description: Mapped server service port.
    Type: integer
    Size: Minimum value: 1, Maximum value: 65535
    Default: 80

ssl-cert
    Description: Name of certificate for SSL connections to this server.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_CA_SSL

ssl-dh-bits
    Description: Bit-size of the Diffie-Hellman prime.
    Type: option
    Size: -
    Default: 2048
    Options:
        768     768-bit Diffie-Hellman prime.
        1024    1024-bit Diffie-Hellman prime.
        1536    1536-bit Diffie-Hellman prime.
        2048    2048-bit Diffie-Hellman prime.

ssl-algorithm
    Description: Relative strength of encryption algorithms accepted in negotiation.
    Type: option
    Size: -
    Default: high
    Options:
        high      High encryption. Allow only AES and ChaCha.
        medium    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
        low       Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-client-renegotiation
    Description: Allow or block client renegotiation by the server.
    Type: option
    Size: -
    Default: allow
    Options:
        allow     Allow an SSL client to renegotiate.
        deny      Abort any SSL connection that attempts to renegotiate.
        secure    Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.

ssl-min-version
    Description: Lowest SSL/TLS version to negotiate.
    Type: option
    Size: -
    Default: tls-1.1
    Options:
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.
        tls-1.3    TLS 1.3.

ssl-max-version
    Description: Highest SSL/TLS version to negotiate.
    Type: option
    Size: -
    Default: tls-1.2
    Options:
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.
        tls-1.3    TLS 1.3.

ssl-send-empty-frags
    Description: Enable/disable sending empty fragments to avoid an attack on the CBC IV.
    Type: option
    Size: -
    Default: enable
    Options:
        enable     Send empty fragments.
        disable    Do not send empty fragments.

url-rewrite
    Description: Enable/disable rewriting the URL.
    Type: option
    Size: -
    Default: disable
    Options:
        enable     Enable setting.
        disable    Disable setting.
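As an added example (not Fortinet's code), the following Python script parses a `config firewall ssl-server` block written in the syntax above and flags entries whose settings fall below the stronger options in the tables; omitted settings are filled in with the defaults listed on this page, and the sample configuration it reads is constructed.

```python
# Added example (not Fortinet's code): audit `config firewall ssl-server` entries
# against this page's option tables. Omitted settings take the page's defaults;
# SAMPLE is constructed input, not a real device configuration.
TLS_ORDER = {"tls-1.0": 0, "tls-1.1": 1, "tls-1.2": 2, "tls-1.3": 3}
DEFAULTS = {"ssl-dh-bits": "2048", "ssl-algorithm": "high",
            "ssl-client-renegotiation": "allow", "ssl-min-version": "tls-1.1",
            "ssl-max-version": "tls-1.2", "ssl-send-empty-frags": "enable"}

def parse_ssl_servers(text):
    """Return {name: {setting: value}} for each `edit <name>` block."""
    servers, current = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 2 and tokens[0] == "edit":
            current = tokens[1].strip('"')
            servers[current] = dict(DEFAULTS)
        elif current and len(tokens) >= 3 and tokens[0] == "set":
            servers[current][tokens[1]] = " ".join(tokens[2:]).strip('"')
        elif tokens[:1] == ["next"]:
            current = None
    return servers

def audit(s):
    """Findings for one entry; an empty list means it passes every check."""
    lo, hi = TLS_ORDER[s["ssl-min-version"]], TLS_ORDER[s["ssl-max-version"]]
    checks = [
        (lo < TLS_ORDER["tls-1.2"], "ssl-min-version admits TLS 1.0/1.1 clients"),
        (lo > hi, "ssl-min-version exceeds ssl-max-version; nothing can negotiate"),
        (int(s["ssl-dh-bits"]) < 2048, "ssl-dh-bits below 2048 is a weak DH group"),
        (s["ssl-algorithm"] != "high", "ssl-algorithm admits 3DES/RC4 (medium) or DES (low)"),
        (s["ssl-client-renegotiation"] == "allow",
         "ssl-client-renegotiation allow: prefer secure (RFC 5746) or deny"),
        (s["ssl-send-empty-frags"] != "enable",
         "ssl-send-empty-frags disabled drops the CBC IV countermeasure"),
    ]
    return [msg for failed, msg in checks if failed]

SAMPLE = """config firewall ssl-server
    edit "legacy-web"
        set ssl-min-version tls-1.0
        set ssl-dh-bits 1024
        set ssl-algorithm medium
    next
    edit "hardened-web"
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.3
        set ssl-client-renegotiation secure
    next
end"""
```

Running `audit(parse_ssl_servers(SAMPLE)["legacy-web"])` returns four findings (TLS floor, DH size, cipher strength, renegotiation), while `hardened-web` returns an empty list.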
