CLI Reference

config firewall ssl-server
Configure SSL servers.

config firewall ssl-server
    Description: Configure SSL servers.
    edit <name>
        set add-header-x-forwarded-proto [enable|disable]
        set ip {ipv4-address-any}
        set mapped-port {integer}
        set port {integer}
        set ssl-algorithm [high|medium|...]
        set ssl-cert {string}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-max-version [tls-1.0|tls-1.1|...]
        set ssl-min-version [tls-1.0|tls-1.1|...]
        set ssl-mode [half|full]
        set ssl-send-empty-frags [enable|disable]
        set url-rewrite [enable|disable]
    next
end

config firewall ssl-server

Parameters (Description / Type / Size / Default), with the accepted values of each option parameter listed beneath it:

add-header-x-forwarded-proto
    Description: Enable/disable adding an X-Forwarded-Proto header to forwarded requests.
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Add an X-Forwarded-Proto header.
        disable  Do not add an X-Forwarded-Proto header.

ip
    Description: IPv4 address of the SSL server.
    Type: ipv4-address-any
    Size: Not Specified
    Default: 0.0.0.0

mapped-port
    Description: Mapped server service port.
    Type: integer
    Size: Minimum value: 1, Maximum value: 65535
    Default: 80

name
    Description: Server name.
    Type: string
    Size: Maximum length: 35

port
    Description: Server service port.
    Type: integer
    Size: Minimum value: 1, Maximum value: 65535
    Default: 443

ssl-algorithm
    Description: Relative strength of the encryption algorithms accepted in negotiation.
    Type: option
    Size: -
    Default: high
    Options:
        high     High encryption. Allow only AES and ChaCha.
        medium   Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
        low      Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-cert
    Description: Name of the certificate used for SSL connections to this server.
    Type: string
    Size: Maximum length: 35
    Default: Fortinet_CA_SSL

ssl-client-renegotiation
    Description: Allow or block client renegotiation by the server.
    Type: option
    Size: -
    Default: allow
    Options:
        allow    Allow an SSL client to renegotiate.
        deny     Abort any SSL connection that attempts to renegotiate.
        secure   Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.

ssl-dh-bits
    Description: Bit size of the Diffie-Hellman prime.
    Type: option
    Size: -
    Default: 2048
    Options:
        768      768-bit Diffie-Hellman prime.
        1024     1024-bit Diffie-Hellman prime.
        1536     1536-bit Diffie-Hellman prime.
        2048     2048-bit Diffie-Hellman prime.

ssl-max-version
    Description: Highest SSL/TLS version to negotiate.
    Type: option
    Size: -
    Default: tls-1.3
    Options:
        tls-1.0  TLS 1.0.
        tls-1.1  TLS 1.1.
        tls-1.2  TLS 1.2.
        tls-1.3  TLS 1.3.

ssl-min-version
    Description: Lowest SSL/TLS version to negotiate.
    Type: option
    Size: -
    Default: tls-1.1
    Options:
        tls-1.0  TLS 1.0.
        tls-1.1  TLS 1.1.
        tls-1.2  TLS 1.2.
        tls-1.3  TLS 1.3.

ssl-mode
    Description: SSL/TLS mode for encryption and decryption of traffic.
    Type: option
    Size: -
    Default: full
    Options:
        half     SSL between the client and the FortiGate only.
        full     SSL between the client and the FortiGate, and between the FortiGate and the server.

ssl-send-empty-frags
    Description: Enable/disable sending empty fragments to defeat the CBC IV-chaining attack.
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Send empty fragments.
        disable  Do not send empty fragments.

url-rewrite
    Description: Enable/disable rewriting the URL.
    Type: option
    Size: -
    Default: disable
    Options:
        enable   Enable URL rewriting.
        disable  Disable URL rewriting.
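The settings above are easy to audit mechanically once a configuration has been exported, because every weak choice is one of the documented option values. The script below is an added example, not part of the Fortinet reference and not Fortinet code: it parses the `config` / `edit` / `set` / `next` / `end` tree syntax shown at the top of the page and flags each `firewall ssl-server` entry whose settings sit at the weaker end of the option lists (legacy `ssl-min-version`, `ssl-algorithm` below `high`, `ssl-dh-bits` below the 2048 default, `ssl-client-renegotiation allow`, and `ssl-send-empty-frags disable` with TLS 1.0 still allowed). The sample configuration inside it is constructed; it also assumes that a parameter not explicitly `set` takes the table's default, which is how `show` output (which omits defaults) must be read.

```python
"""Audit `config firewall ssl-server` entries for weak TLS settings.

Added example; not part of the Fortinet reference page and not Fortinet
code. It parses the config / edit / set / next / end tree syntax shown
on the page and checks each entry against the option semantics the
parameter table documents. Assumption: a setting that is not explicitly
`set` takes the default listed in the table (FortiOS `show` output omits
settings left at their default, so an audit must fill them back in).
"""
import re

# Defaults as listed in the parameter table.
DEFAULTS = {
    "ssl-min-version": "tls-1.1",
    "ssl-max-version": "tls-1.3",
    "ssl-algorithm": "high",
    "ssl-dh-bits": "2048",
    "ssl-client-renegotiation": "allow",
    "ssl-send-empty-frags": "enable",
    "ssl-mode": "full",
}

# Protocol versions in the order the page lists them, oldest first.
TLS_ORDER = ["tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]

# Constructed sample: one legacy entry, one hardened entry, and one that
# relies entirely on defaults (addresses and names are made up).
SAMPLE_CONFIG = """\
config firewall ssl-server
    edit "legacy-web"
        set ip 10.0.0.10
        set port 443
        set mapped-port 80
        set ssl-algorithm medium
        set ssl-dh-bits 1024
        set ssl-min-version tls-1.0
    next
    edit "hardened-web"
        set ip 10.0.0.11
        set port 443
        set mapped-port 8080
        set ssl-algorithm high
        set ssl-dh-bits 2048
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.3
        set ssl-client-renegotiation secure
    next
    edit "defaults-only"
        set ip 10.0.0.12
    next
end
"""


def parse_ssl_servers(text):
    """Return {name: {parameter: value}} for each entry, defaults filled in."""
    servers, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall ssl-server":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = dict(DEFAULTS)
            servers[m.group(1)] = current
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set\s+(\S+)\s+(.+)$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
    return servers


def audit(server):
    """Findings for one entry, derived from the page's option descriptions."""
    findings = []
    vmin, vmax = server["ssl-min-version"], server["ssl-max-version"]
    if TLS_ORDER.index(vmin) < TLS_ORDER.index("tls-1.2"):
        findings.append(f"ssl-min-version {vmin}: negotiates legacy TLS; set tls-1.2")
    if TLS_ORDER.index(vmax) < TLS_ORDER.index(vmin):
        findings.append("ssl-max-version below ssl-min-version: no version can be negotiated")
    if server["ssl-algorithm"] != "high":
        findings.append(f"ssl-algorithm {server['ssl-algorithm']}: admits 3DES/RC4 (and DES at low); set high")
    if int(server["ssl-dh-bits"]) < 2048:
        findings.append(f"ssl-dh-bits {server['ssl-dh-bits']}: DH prime below 2048 bits; set 2048")
    if server["ssl-client-renegotiation"] == "allow":
        findings.append("ssl-client-renegotiation allow: client may renegotiate freely; set secure or deny")
    if server["ssl-send-empty-frags"] == "disable" and vmin == "tls-1.0":
        findings.append("ssl-send-empty-frags disable while TLS 1.0 is allowed: CBC IV mitigation off")
    return findings


def audit_config(text):
    """Map every entry name to its list of findings (empty list = clean)."""
    return {name: audit(srv) for name, srv in parse_ssl_servers(text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The `defaults-only` entry is the case worth noticing: it sets nothing weak explicitly, yet because the table's defaults are `ssl-min-version tls-1.1` and `ssl-client-renegotiation allow`, it still negotiates TLS 1.1 and accepts client-initiated renegotiation. Run the audit against `show full-configuration` output, or fill in defaults as the parser does, so that entries relying on defaults are not reported as clean.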
