CLI Reference

config firewall ssl setting

SSL proxy settings.

config firewall ssl setting

Description: SSL proxy settings.

set proxy-connect-timeout {integer}

set ssl-dh-bits [768|1024|...]

set ssl-send-empty-frags [enable|disable]

set no-matching-cipher-action [bypass|drop]

set cert-cache-capacity {integer}

set cert-cache-timeout {integer}

set session-cache-capacity {integer}

set session-cache-timeout {integer}

set kxp-queue-threshold {integer}

set ssl-queue-threshold {integer}

set abbreviate-handshake [enable|disable]

end

config firewall ssl setting

Parameters. Each entry lists the parameter name, its description, type, size or range, and default; option-typed parameters are followed by their allowed values.

proxy-connect-timeout

Time limit, in seconds, to make an internal connection to the appropriate proxy process.

Type: integer. Range: 1 to 60. Default: 30.

ssl-dh-bits

Bit size of the Diffie-Hellman prime the SSL proxy uses for DHE key exchange. 768-bit groups have been broken in practice and 1024-bit groups are within reach of well-resourced attackers (the Logjam work), so keep the 2048 default unless a legacy peer cannot negotiate it.

Type: option. Default: 2048.

Options:

768: 768-bit Diffie-Hellman prime.

1024: 1024-bit Diffie-Hellman prime.

1536: 1536-bit Diffie-Hellman prime.

2048: 2048-bit Diffie-Hellman prime.

ssl-send-empty-frags

Enable/disable sending an empty record (zero-length fragment) ahead of each data record as a countermeasure to the chained-IV weakness of CBC mode in SSL 3.0 and TLS 1.0. In those versions each record's IV is the last ciphertext block of the previous record, so it is predictable to an attacker who can get chosen plaintext encrypted next (the BEAST class of attack); the empty record, which still carries a keyed MAC, makes the effective IV of the data record unpredictable. The setting has no effect on TLS 1.1 and later, which use explicit per-record IVs. Disable it only for a peer known to reject zero-length records.

Type: option. Default: enable.

Options:

enable: Send empty fragments.

disable: Do not send empty fragments.
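To make the chained-IV point concrete, the following is an added simulation, not Fortinet's code and not a real TLS implementation. It models TLS 1.0-style CBC record chaining with HMAC-SHA256 truncated to 16 bytes standing in for the block cipher (only encryption is needed), a fixed key and IV, and a constructed 16-byte secret. The attacker, who sees the wire and can have one chosen block encrypted next, tests a guess at the secret block; the test succeeds when empty fragments are off and fails when they are on.

```python
import hashlib
import hmac

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CbcSender:
    """CBC encryption with TLS 1.0-style chaining: the IV of each record is the
    last ciphertext block of the previous record."""

    def __init__(self, key: bytes, mac_key: bytes, iv: bytes, empty_frags: bool):
        self.key = key
        self.mac_key = mac_key
        self.last = iv            # IV the next record will use
        self.empty_frags = empty_frags
        self.wire = []            # every ciphertext block, in the order it was sent

    def _E(self, block: bytes) -> bytes:
        # Keyed PRF standing in for the block cipher (no decryption needed here).
        return hmac.new(self.key, block, hashlib.sha256).digest()[:BLOCK]

    def _encrypt_blocks(self, blocks):
        out = []
        for p in blocks:
            c = self._E(xor(p, self.last))
            self.last = c
            out.append(c)
        self.wire.extend(out)
        return out

    def send(self, payload: bytes) -> list:
        """Encrypt one record (whole blocks only in this model; real TLS also
        appends a MAC and padding). Returns the payload's ciphertext blocks."""
        assert len(payload) % BLOCK == 0
        if self.empty_frags:
            # Empty record: no data, but it still carries a MAC computed with a
            # key the attacker does not know. Its ciphertext becomes the IV of
            # the payload record, so the attacker cannot predict that IV.
            mac = hmac.new(self.mac_key, b"", hashlib.sha256).digest()[:BLOCK]
            self._encrypt_blocks([mac])
        return self._encrypt_blocks([payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)])


def guess_block(sender: CbcSender, target_index: int, guess: bytes) -> bool:
    """Attacker test: does a chosen-plaintext record confirm that `guess` is the
    plaintext behind sender.wire[target_index]? Uses only data visible on the
    wire plus the ability to have one chosen block encrypted next."""
    c_target = sender.wire[target_index]
    c_prev = sender.wire[target_index - 1]     # IV that was used for the target
    c_last = sender.last                       # IV the attacker expects next
    # If guess == target plaintext, then crafted XOR c_last == target XOR c_prev,
    # so the new ciphertext block equals c_target.
    crafted = xor(xor(guess, c_prev), c_last)
    return sender.send(crafted)[0] == c_target


def run_scenario(empty_frags: bool) -> dict:
    """A secret block goes over the wire, then the attacker makes one right and
    one wrong guess. Keys, IV and the secret are constructed constants."""
    sender = CbcSender(key=b"K" * 32, mac_key=b"M" * 32, iv=bytes(BLOCK), empty_frags=empty_frags)
    sender.send(b"GET /index.html ")          # earlier traffic, one block
    secret = b"session=s3cr3t!!"              # the block the attacker wants
    sender.send(secret)
    idx = len(sender.wire) - 1                # index of the secret's ciphertext
    return {
        "right_guess_confirmed": guess_block(sender, idx, secret),
        "wrong_guess_confirmed": guess_block(sender, idx, b"session=wrong!!!"),
    }


if __name__ == "__main__":
    print("empty-frags disabled:", run_scenario(False))
    print("empty-frags enabled: ", run_scenario(True))
```

With empty fragments disabled the right guess is confirmed and the wrong one is not, which is exactly the oracle an attacker needs to recover a block one guess at a time. With them enabled, the unpredictable IV inserted before the attacker's record means even the right guess is not confirmed. TLS 1.1 and later close the same gap by sending an explicit random IV with every record.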

no-matching-cipher-action

Action taken when the proxy and the peer have no cipher suite in common. bypass (the default) lets the session through without SSL inspection, which is fail-open; drop closes the session, which is fail-closed. Choose drop where uninspected traffic is not acceptable, and expect the sessions it rejects to show up as connection failures rather than as inspected traffic.

Type: option. Default: bypass.

Options:

bypass: Bypass connection.

drop: Drop connection.

cert-cache-capacity

Maximum number of entries in the host certificate cache.

Type: integer. Range: 0 to 500. Default: 200.

cert-cache-timeout

Time limit, in minutes, to keep an entry in the certificate cache.

Type: integer. Range: 1 to 120. Default: 10.

session-cache-capacity

Maximum number of entries in the SSL session cache, the session state reused by abbreviated handshakes.

Type: integer. Range: 0 to 1000. Default: 500.

session-cache-timeout

Time limit, in minutes, to keep SSL session state in the cache.

Type: integer. Range: 1 to 60. Default: 20.

kxp-queue-threshold *

Maximum length of the CP (content processor) KXP key-exchange queue. When the queue is full, the proxy switches cipher functions to the main CPU.

Type: integer. Range: 0 to 512. Default: 16.

ssl-queue-threshold *

Maximum length of the CP (content processor) SSL queue. When the queue is full, the proxy switches cipher functions to the main CPU.

Type: integer. Range: 0 to 512. Default: 32.

abbreviate-handshake

Enable/disable the SSL abbreviated handshake (session resumption from the session cache). Disabling it forces a full handshake, including a fresh key exchange, for every connection.

Type: option. Default: enable.

Options:

enable: Enable use of SSL abbreviated handshake.

disable: Disable use of SSL abbreviated handshake.

* This parameter may not exist on some models; it applies to the hardware content-processor offload queues.
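As an added example, not Fortinet's own tooling, the following Python parses the text of `show full-configuration firewall ssl setting` and flags the values above that weaken inspection (a DH prime below 2048 bits, fail-open no-matching-cipher-action, empty fragments disabled) and any value outside the documented range, then renders the same block with those values corrected. The sample output embedded in it is constructed, and the "weak" thresholds are this example's own policy rather than anything the reference mandates.

```python
import re
from typing import Dict, List, Tuple

# Documented ranges and defaults for the integer parameters (min, max, default),
# taken from the reference table above.
INT_RANGES = {
    "proxy-connect-timeout": (1, 60, 30),
    "cert-cache-capacity": (0, 500, 200),
    "cert-cache-timeout": (1, 120, 10),
    "session-cache-capacity": (0, 1000, 500),
    "session-cache-timeout": (1, 60, 20),
    "kxp-queue-threshold": (0, 512, 16),
    "ssl-queue-threshold": (0, 512, 32),
}
# Allowed values for the option parameters, also from the reference table.
OPTION_VALUES = {
    "ssl-dh-bits": {"768", "1024", "1536", "2048"},
    "ssl-send-empty-frags": {"enable", "disable"},
    "no-matching-cipher-action": {"bypass", "drop"},
    "abbreviate-handshake": {"enable", "disable"},
}

# Constructed sample of `show full-configuration firewall ssl setting` output
# (not captured from a device); three values are deliberately weak.
SAMPLE_SHOW_OUTPUT = """\
config firewall ssl setting
    set proxy-connect-timeout 30
    set ssl-dh-bits 1024
    set ssl-send-empty-frags disable
    set no-matching-cipher-action bypass
    set cert-cache-capacity 200
    set cert-cache-timeout 10
    set session-cache-capacity 500
    set session-cache-timeout 20
    set kxp-queue-threshold 16
    set ssl-queue-threshold 32
    set abbreviate-handshake enable
end
"""

_SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(\S+)\s*$")


def parse_ssl_setting(text: str) -> Dict[str, str]:
    """Return {parameter: value} for the 'set' lines inside the config block."""
    settings: Dict[str, str] = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config firewall ssl setting":
            inside = True
            continue
        if stripped == "end":
            inside = False
            continue
        m = _SET_RE.match(line)
        if inside and m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (parameter, reason) findings; an empty list means nothing flagged."""
    findings: List[Tuple[str, str]] = []
    # 1. Anything outside the documented range or option set indicates a parse
    #    error or an unexpected firmware, so report it before the policy checks.
    for name, value in settings.items():
        if name in INT_RANGES:
            lo, hi, _ = INT_RANGES[name]
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append((name, f"value {value!r} outside documented range {lo}-{hi}"))
        elif name in OPTION_VALUES:
            if value not in OPTION_VALUES[name]:
                findings.append((name, f"unknown option {value!r}"))
        else:
            findings.append((name, "parameter not in the reference table"))
    # 2. Policy checks (this example's policy). Absent parameters are treated as
    #    holding their documented defaults, as a plain `show` would omit them.
    dh = settings.get("ssl-dh-bits", "2048")
    if dh.isdigit() and int(dh) < 2048:
        findings.append(("ssl-dh-bits", f"{dh}-bit DH prime is below the 2048-bit minimum"))
    if settings.get("no-matching-cipher-action", "bypass") == "bypass":
        findings.append(("no-matching-cipher-action",
                         "bypass is fail-open: sessions with no cipher match skip inspection"))
    if settings.get("ssl-send-empty-frags", "enable") == "disable":
        findings.append(("ssl-send-empty-frags",
                         "disabled: SSL 3.0/TLS 1.0 CBC records keep predictable IVs"))
    return findings


# Values the example substitutes for the ones its policy flags.
HARDENED = {"ssl-dh-bits": "2048",
            "no-matching-cipher-action": "drop",
            "ssl-send-empty-frags": "enable"}


def hardened_config(settings: Dict[str, str]) -> str:
    """Render the block again with the policy-violating values replaced."""
    merged = {**settings, **HARDENED}
    lines = ["config firewall ssl setting"]
    lines += [f"    set {k} {v}" for k, v in merged.items()]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_ssl_setting(SAMPLE_SHOW_OUTPUT)
    for param, reason in audit(parsed):
        print(f"{param}: {reason}")
    print(hardened_config(parsed))
```

Paste the real `show full-configuration firewall ssl setting` output in place of the sample to audit a device; the rendered hardened block can be applied as-is from the CLI, but note that drop will surface every session with no cipher match as a connection failure, so confirm which peers are affected before switching from bypass.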
