config firewall access-proxy

Configure IPv4 access proxy.

config firewall access-proxy

Description: Configure IPv4 access proxy.

edit <name>

set vip {string}

set client-cert [disable|enable]

set empty-cert-action [accept|block]

set log-blocked-traffic [enable|disable]

set decrypted-traffic-mirror {string}

config api-gateway

Description: Set IPv4 API Gateway.

edit <id>

set url-map {string}

set service [http|https|...]

set ldb-method [static|round-robin|...]

set virtual-host {string}

set url-map-type [sub-string|wildcard|...]

config realservers

Description: Select the real servers that this Access Proxy will distribute traffic to.

edit <id>

set addr-type [ip|fqdn]

set address {string}

set ip {ipv4-address-any}

set port {integer}

set mappedport {user}

set status [active|standby|...]

set type [tcp-forwarding|ssh]

set weight {integer}

set http-host {string}

set health-check [disable|enable]

set health-check-proto [ping|http|...]

set holddown-interval [enable|disable]

set ssh-client-cert {string}

set ssh-host-key-validation [disable|enable]

set ssh-host-key <name1>, <name2>, ...

next

end

set persistence [none|http-cookie]

set http-cookie-domain-from-host [disable|enable]

set http-cookie-domain {string}

set http-cookie-path {string}

set http-cookie-generation {integer}

set http-cookie-age {integer}

set http-cookie-share [disable|same-ip]

set https-cookie-secure [disable|enable]

set saml-server {string}

set saml-redirect [disable|enable]

set ssl-dh-bits [768|1024|...]

set ssl-algorithm [high|medium|...]

config ssl-cipher-suites

Description: SSL/TLS cipher suites to offer to a server, ordered by priority.

edit <priority>

set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

set versions {option1}, {option2}, ...

next

end

set ssl-min-version [tls-1.0|tls-1.1|...]

set ssl-max-version [tls-1.0|tls-1.1|...]

next

end

config api-gateway6

Description: Set IPv6 API Gateway.

edit <id>

set url-map {string}

set service [http|https|...]

set ldb-method [static|round-robin|...]

set virtual-host {string}

set url-map-type [sub-string|wildcard|...]

config realservers

Description: Select the real servers that this Access Proxy will distribute traffic to.

edit <id>

set addr-type [ip|fqdn]

set address {string}

set ip {ipv6-address}

set port {integer}

set mappedport {user}

set status [active|standby|...]

set type [tcp-forwarding|ssh]

set weight {integer}

set http-host {string}

set health-check [disable|enable]

set health-check-proto [ping|http|...]

set holddown-interval [enable|disable]

set ssh-client-cert {string}

set ssh-host-key-validation [disable|enable]

set ssh-host-key <name1>, <name2>, ...

next

end

set persistence [none|http-cookie]

set http-cookie-domain-from-host [disable|enable]

set http-cookie-domain {string}

set http-cookie-path {string}

set http-cookie-generation {integer}

set http-cookie-age {integer}

set http-cookie-share [disable|same-ip]

set https-cookie-secure [disable|enable]

set saml-server {string}

set saml-redirect [disable|enable]

set ssl-dh-bits [768|1024|...]

set ssl-algorithm [high|medium|...]

config ssl-cipher-suites

Description: SSL/TLS cipher suites to offer to a server, ordered by priority.

edit <priority>

set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

set versions {option1}, {option2}, ...

next

end

set ssl-min-version [tls-1.0|tls-1.1|...]

set ssl-max-version [tls-1.0|tls-1.1|...]

next

end

next

end

config firewall access-proxy

Parameter

Description

Type

Size

Default

vip

Virtual IP name.

string

Maximum length: 79

client-cert

Enable/disable to request client certificate.

option

-

disable

 

Option

Description

disable

Disable client certificate request.

enable

Enable client certificate request.

empty-cert-action

Action of an empty client certificate.

option

-

block

 

Option

Description

accept

Accept the SSL handshake if the client certificate is empty.

block

Block the SSL handshake if the client certificate is empty.

log-blocked-traffic

Enable/disable logging of blocked traffic.

option

-

disable

 

Option

Description

enable

Log all traffic denied by this access proxy.

disable

Do not log all traffic denied by this access proxy.

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

config api-gateway

Parameter

Description

Type

Size

Default

url-map

URL pattern to match.

string

Maximum length: 511

/

service

Service.

option

-

https

 

Option

Description

http

HTTP

https

HTTPS

tcp-forwarding

TCP-FORWARDING

samlsp

SAML-SP

ldb-method

Method used to distribute sessions to real servers.

option

-

static

 

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

virtual-host

Virtual host.

string

Maximum length: 79

url-map-type

Type of url-map.

option

-

sub-string

 

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

 

Option

Description

none

None.

http-cookie

HTTP cookie.

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

 

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-share

Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

 

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

 

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

saml-server

SAML service provider configuration for VIP authentication.

string

Maximum length: 35

saml-redirect

Enable/disable SAML redirection after successful authentication.

option

-

disable

 

Option

Description

disable

Do not support redirection after successful SAML authentication.

enable

Support redirection after successful SAML authentication.

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

 

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

high

 

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version

Lowest SSL/TLS version acceptable from a server.

option

-

tls-1.1

 

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a server.

option

-

tls-1.3

 

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config realservers

Parameter

Description

Type

Size

Default

addr-type

Type of address.

option

-

ip

 

Option

Description

ip

Standard IPv4 address.

fqdn

Non-wildcard FQDN address object.

address

Address or address group of the real server.

string

Maximum length: 79

ip

IPv6 address of the real server.

ipv6-address

Not Specified

::

port

Port for communicating with the real server.

integer

Minimum value: 1 Maximum value: 65535

443

mappedport

Port for communicating with the real server.

user

Not Specified

status

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

option

-

active

 

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disable.

type

TCP forwarding server type.

option

-

tcp-forwarding

 

Option

Description

tcp-forwarding

TCP forwarding.

ssh

SSH.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

1

http-host

HTTP server domain name in HTTP header.

string

Maximum length: 63

health-check

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

disable

 

Option

Description

disable

Disable per server health check.

enable

Enable per server health check.

health-check-proto

Protocol of the health check monitor to use when polling to determine server's connectivity status.

option

-

ping

 

Option

Description

ping

Use PING to test the link with the server.

http

Use HTTP-GET to test the link with the server.

tcp-connect

Use a full TCP connection to test the link with the server.

holddown-interval

Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).

option

-

enable

 

Option

Description

enable

Enable per server holddown.

disable

Disable per server holddown.

ssh-client-cert

Set access-proxy SSH client certificate profile.

string

Maximum length: 79

ssh-host-key-validation

Enable/disable SSH real server host key validation.

option

-

disable

 

Option

Description

disable

Disable SSH real server host key validation.

enable

Enable SSH real server host key validation.

ssh-host-key <name>

One or more server host key.

Server host key name.

string

Maximum length: 79

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

-

 

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

tls-1.0 tls-1.1 tls-1.2 tls-1.3

 

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config api-gateway6

Parameter

Description

Type

Size

Default

url-map

URL pattern to match.

string

Maximum length: 511

/

service

Service.

option

-

https

 

Option

Description

http

HTTP

https

HTTPS

tcp-forwarding

TCP-FORWARDING

samlsp

SAML-SP

ldb-method

Method used to distribute sessions to real servers.

option

-

static

 

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

virtual-host

Virtual host.

string

Maximum length: 79

url-map-type

Type of url-map.

option

-

sub-string

 

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

 

Option

Description

none

None.

http-cookie

HTTP cookie.

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

 

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-share

Control sharing of cookies across API Gateway. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

 

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable