Fortinet white logo
Fortinet white logo

CLI Reference

config firewall ssl-ssh-profile

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile

Description: Configure SSL/SSH protocol options.

edit <name>

set comment {var-string}

config ssl

Description: Configure SSL options.

set inspect-all [disable|certificate-inspection|...]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

set cert-probe-failure [allow|block]

end

config https

Description: Configure HTTPS options.

set ports {integer}

set status [disable|certificate-inspection|...]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

set cert-probe-failure [allow|block]

end

config ftps

Description: Configure FTPS options.

set ports {integer}

set status [disable|deep-inspection]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config imaps

Description: Configure IMAPS options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config pop3s

Description: Configure POP3S options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config smtps

Description: Configure SMTPS options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config ssh

Description: Configure SSH options.

set ports {integer}

set status [disable|deep-inspection]

set inspect-all [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set unsupported-version [bypass|block]

set ssh-tun-policy-check [disable|enable]

set ssh-algorithm [compatible|high-encryption]

end

config dot

Description: Configure DNS over TLS options.

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

set allowlist [enable|disable]

set block-blocklisted-certificates [disable|enable]

config ssl-exempt

Description: Servers to exempt from SSL inspection.

edit <id>

set type [fortiguard-category|address|...]

set fortiguard-category {integer}

set address {string}

set address6 {string}

set wildcard-fqdn {string}

set regex {string}

next

end

set server-cert-mode [re-sign|replace]

set use-ssl-server [disable|enable]

set caname {string}

set untrusted-caname {string}

set server-cert <name1>, <name2>, ...

config ssl-server

Description: SSL server settings used for client certificate request.

edit <id>

set ip {ipv4-address-any}

set https-client-certificate [bypass|inspect|...]

set smtps-client-certificate [bypass|inspect|...]

set pop3s-client-certificate [bypass|inspect|...]

set imaps-client-certificate [bypass|inspect|...]

set ftps-client-certificate [bypass|inspect|...]

set ssl-other-client-certificate [bypass|inspect|...]

next

end

set ssl-anomaly-log [disable|enable]

set ssl-exemption-log [disable|enable]

set ssl-negotiation-log [disable|enable]

set ssl-server-cert-log [disable|enable]

set ssl-handshake-log [disable|enable]

set rpc-over-https [enable|disable]

set mapi-over-https [enable|disable]

set supported-alpn [http1-1|http2|...]

next

end

config firewall ssl-ssh-profile

Parameter

Description

Type

Size

Default

comment

Optional comments.

var-string

Maximum length: 255

allowlist

Enable/disable exempting servers by FortiGuard allowlist.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

block-blocklisted-certificates

Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist.

option

-

enable

Option

Description

disable

Disable FortiGuard certificate blocklist.

enable

Enable FortiGuard certificate blocklist.

server-cert-mode

Re-sign or replace the server's certificate.

option

-

re-sign

Option

Description

re-sign

Multiple clients connecting to multiple servers.

replace

Protect an SSL server.

use-ssl-server

Enable/disable the use of SSL server table for SSL offloading.

option

-

disable

Option

Description

disable

Don't use SSL server configuration.

enable

Use SSL server configuration.

caname

CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_SSL

untrusted-caname

Untrusted CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_Untrusted

server-cert <name>

Certificate used by SSL Inspection to replace server certificate.

Certificate list.

string

Maximum length: 35

**

ssl-anomaly-log

Enable/disable logging SSL anomalies.

option

-

enable

Option

Description

disable

Disable logging SSL anomalies.

enable

Enable logging SSL anomalies.

ssl-exemption-log

Enable/disable logging SSL exemptions.

option

-

disable

Option

Description

disable

Disable logging SSL exemptions.

enable

Enable logging SSL exemptions.

ssl-negotiation-log

Enable/disable logging SSL negotiation.

option

-

disable

Option

Description

disable

Disable logging SSL negotiation.

enable

Enable logging SSL negotiation.

ssl-server-cert-log

Enable/disable logging of server certificate information.

option

-

disable

Option

Description

disable

Disable logging server certificate.

enable

Enable logging server certificate.

ssl-handshake-log

Enable/disable logging of TLS handshakes.

option

-

disable

Option

Description

disable

Disable logging TLS handshakes.

enable

Enable logging TLS handshakes.

rpc-over-https

Enable/disable inspection of RPC over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTPS.

disable

Disable inspection of RPC over HTTPS.

mapi-over-https

Enable/disable inspection of MAPI over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of MAPI over HTTPS.

disable

Disable inspection of MAPI over HTTPS.

supported-alpn

Configure ALPN option.

option

-

all

Option

Description

http1-1

Enable ALPN of HTTP1.1.

http2

Enable ALPN of HTTP2.

all

Enable ALPN of HTTP1.1 and HTTP2.

none

Do not use ALPN.

** Values may differ between models.

config ssl

Parameter

Description

Type

Size

Default

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

cert-probe-failure

Action based on certificate probe failure.

option

-

block

Option

Description

allow

Bypass the session when unable to retrieve server's certificate for inspection.

block

Block the session when unable to retrieve server's certificate for inspection.

config https

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

cert-probe-failure

Action based on certificate probe failure.

option

-

block

Option

Description

allow

Bypass the session when unable to retrieve server's certificate for inspection.

block

Block the session when unable to retrieve server's certificate for inspection.

config ftps

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config imaps

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config pop3s

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config smtps

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ssh

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

unsupported-version

Action based on SSH version being unsupported.

option

-

bypass

Option

Description

bypass

Bypass the session.

block

Block the session.

ssh-tun-policy-check

Enable/disable SSH tunnel policy check.

option

-

disable

Option

Description

disable

Disable SSH tunnel policy check.

enable

Enable SSH tunnel policy check.

ssh-algorithm

Relative strength of encryption algorithms accepted during negotiation.

option

-

compatible

Option

Description

compatible

Allow a broader set of encryption algorithms for best compatibility.

high-encryption

Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

config dot

Parameter

Description

Type

Size

Default

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ssl-exempt

Parameter

Description

Type

Size

Default

type

Type of address object (IPv4 or IPv6) or FortiGuard category.

option

-

fortiguard-category

Option

Description

fortiguard-category

FortiGuard category.

address

Firewall IPv4 address.

address6

Firewall IPv6 address.

wildcard-fqdn

Fully Qualified Domain Name with wildcard characters.

regex

Regular expression FQDN.

fortiguard-category

FortiGuard category ID.

integer

Minimum value: 0 Maximum value: 255

0

address

IPv4 address object.

string

Maximum length: 79

address6

IPv6 address object.

string

Maximum length: 79

wildcard-fqdn

Exempt servers by wildcard FQDN.

string

Maximum length: 79

regex

Exempt servers by regular expression.

string

Maximum length: 255

config ssl-server

Parameter

Description

Type

Size

Default

ip

IPv4 address of the SSL server.

ipv4-address-any

Not Specified

0.0.0.0

https-client-certificate

Action based on received client certificate during the HTTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

smtps-client-certificate

Action based on received client certificate during the SMTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

pop3s-client-certificate

Action based on received client certificate during the POP3S handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

imaps-client-certificate

Action based on received client certificate during the IMAPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ftps-client-certificate

Action based on received client certificate during the FTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ssl-other-client-certificate

Action based on received client certificate during an SSL protocol handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

config firewall ssl-ssh-profile

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile

Description: Configure SSL/SSH protocol options.

edit <name>

set comment {var-string}

config ssl

Description: Configure SSL options.

set inspect-all [disable|certificate-inspection|...]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

set cert-probe-failure [allow|block]

end

config https

Description: Configure HTTPS options.

set ports {integer}

set status [disable|certificate-inspection|...]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

set cert-probe-failure [allow|block]

end

config ftps

Description: Configure FTPS options.

set ports {integer}

set status [disable|deep-inspection]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config imaps

Description: Configure IMAPS options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config pop3s

Description: Configure POP3S options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config smtps

Description: Configure SMTPS options.

set ports {integer}

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

config ssh

Description: Configure SSH options.

set ports {integer}

set status [disable|deep-inspection]

set inspect-all [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set unsupported-version [bypass|block]

set ssh-tun-policy-check [disable|enable]

set ssh-algorithm [compatible|high-encryption]

end

config dot

Description: Configure DNS over TLS options.

set status [disable|deep-inspection]

set proxy-after-tcp-handshake [enable|disable]

set client-certificate [bypass|inspect|...]

set unsupported-ssl-version [allow|block|...]

set unsupported-ssl-cipher [allow|block]

set unsupported-ssl-negotiation [allow|block]

set expired-server-cert [allow|block|...]

set revoked-server-cert [allow|block|...]

set untrusted-server-cert [allow|block|...]

set cert-validation-timeout [allow|block|...]

set cert-validation-failure [allow|block|...]

set sni-server-cert-check [enable|strict|...]

end

set allowlist [enable|disable]

set block-blocklisted-certificates [disable|enable]

config ssl-exempt

Description: Servers to exempt from SSL inspection.

edit <id>

set type [fortiguard-category|address|...]

set fortiguard-category {integer}

set address {string}

set address6 {string}

set wildcard-fqdn {string}

set regex {string}

next

end

set server-cert-mode [re-sign|replace]

set use-ssl-server [disable|enable]

set caname {string}

set untrusted-caname {string}

set server-cert <name1>, <name2>, ...

config ssl-server

Description: SSL server settings used for client certificate request.

edit <id>

set ip {ipv4-address-any}

set https-client-certificate [bypass|inspect|...]

set smtps-client-certificate [bypass|inspect|...]

set pop3s-client-certificate [bypass|inspect|...]

set imaps-client-certificate [bypass|inspect|...]

set ftps-client-certificate [bypass|inspect|...]

set ssl-other-client-certificate [bypass|inspect|...]

next

end

set ssl-anomaly-log [disable|enable]

set ssl-exemption-log [disable|enable]

set ssl-negotiation-log [disable|enable]

set ssl-server-cert-log [disable|enable]

set ssl-handshake-log [disable|enable]

set rpc-over-https [enable|disable]

set mapi-over-https [enable|disable]

set supported-alpn [http1-1|http2|...]

next

end

config firewall ssl-ssh-profile

Parameter

Description

Type

Size

Default

comment

Optional comments.

var-string

Maximum length: 255

allowlist

Enable/disable exempting servers by FortiGuard allowlist.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

block-blocklisted-certificates

Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist.

option

-

enable

Option

Description

disable

Disable FortiGuard certificate blocklist.

enable

Enable FortiGuard certificate blocklist.

server-cert-mode

Re-sign or replace the server's certificate.

option

-

re-sign

Option

Description

re-sign

Multiple clients connecting to multiple servers.

replace

Protect an SSL server.

use-ssl-server

Enable/disable the use of SSL server table for SSL offloading.

option

-

disable

Option

Description

disable

Don't use SSL server configuration.

enable

Use SSL server configuration.

caname

CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_SSL

untrusted-caname

Untrusted CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_Untrusted

server-cert <name>

Certificate used by SSL Inspection to replace server certificate.

Certificate list.

string

Maximum length: 35

**

ssl-anomaly-log

Enable/disable logging SSL anomalies.

option

-

enable

Option

Description

disable

Disable logging SSL anomalies.

enable

Enable logging SSL anomalies.

ssl-exemption-log

Enable/disable logging SSL exemptions.

option

-

disable

Option

Description

disable

Disable logging SSL exemptions.

enable

Enable logging SSL exemptions.

ssl-negotiation-log

Enable/disable logging SSL negotiation.

option

-

disable

Option

Description

disable

Disable logging SSL negotiation.

enable

Enable logging SSL negotiation.

ssl-server-cert-log

Enable/disable logging of server certificate information.

option

-

disable

Option

Description

disable

Disable logging server certificate.

enable

Enable logging server certificate.

ssl-handshake-log

Enable/disable logging of TLS handshakes.

option

-

disable

Option

Description

disable

Disable logging TLS handshakes.

enable

Enable logging TLS handshakes.

rpc-over-https

Enable/disable inspection of RPC over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTPS.

disable

Disable inspection of RPC over HTTPS.

mapi-over-https

Enable/disable inspection of MAPI over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of MAPI over HTTPS.

disable

Disable inspection of MAPI over HTTPS.

supported-alpn

Configure ALPN option.

option

-

all

Option

Description

http1-1

Enable ALPN of HTTP1.1.

http2

Enable ALPN of HTTP2.

all

Enable ALPN of HTTP1.1 and HTTP2.

none

Do not use ALPN.

** Values may differ between models.

config ssl

Parameter

Description

Type

Size

Default

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

cert-probe-failure

Action based on certificate probe failure.

option

-

block

Option

Description

allow

Bypass the session when unable to retrieve server's certificate for inspection.

block

Block the session when unable to retrieve server's certificate for inspection.

config https

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

cert-probe-failure

Action based on certificate probe failure.

option

-

block

Option

Description

allow

Bypass the session when unable to retrieve server's certificate for inspection.

block

Block the session when unable to retrieve server's certificate for inspection.

config ftps

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config imaps

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config pop3s

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config smtps

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ssh

Parameter

Description

Type

Size

Default

ports

Ports to use for scanning .

integer

Minimum value: 1 Maximum value: 65535

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

unsupported-version

Action based on SSH version being unsupported.

option

-

bypass

Option

Description

bypass

Bypass the session.

block

Block the session.

ssh-tun-policy-check

Enable/disable SSH tunnel policy check.

option

-

disable

Option

Description

disable

Disable SSH tunnel policy check.

enable

Enable SSH tunnel policy check.

ssh-algorithm

Relative strength of encryption algorithms accepted during negotiation.

option

-

compatible

Option

Description

compatible

Allow a broader set of encryption algorithms for best compatibility.

high-encryption

Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

config dot

Parameter

Description

Type

Size

Default

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

inspect

Inspect the session when the version is not supported.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

config ssl-exempt

Parameter

Description

Type

Size

Default

type

Type of address object (IPv4 or IPv6) or FortiGuard category.

option

-

fortiguard-category

Option

Description

fortiguard-category

FortiGuard category.

address

Firewall IPv4 address.

address6

Firewall IPv6 address.

wildcard-fqdn

Fully Qualified Domain Name with wildcard characters.

regex

Regular expression FQDN.

fortiguard-category

FortiGuard category ID.

integer

Minimum value: 0 Maximum value: 255

0

address

IPv4 address object.

string

Maximum length: 79

address6

IPv6 address object.

string

Maximum length: 79

wildcard-fqdn

Exempt servers by wildcard FQDN.

string

Maximum length: 79

regex

Exempt servers by regular expression.

string

Maximum length: 255

config ssl-server

Parameter

Description

Type

Size

Default

ip

IPv4 address of the SSL server.

ipv4-address-any

Not Specified

0.0.0.0

https-client-certificate

Action based on received client certificate during the HTTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

smtps-client-certificate

Action based on received client certificate during the SMTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

pop3s-client-certificate

Action based on received client certificate during the POP3S handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

imaps-client-certificate

Action based on received client certificate during the IMAPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ftps-client-certificate

Action based on received client certificate during the FTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ssl-other-client-certificate

Action based on received client certificate during an SSL protocol handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.