config firewall vip6

Configure virtual IP for IPv6.

config firewall vip6

Description: Configure virtual IP for IPv6.

edit <name>

set id {integer}

set uuid {uuid}

set comment {var-string}

set type [static-nat|server-load-balance|...]

set src-filter <range1>, <range2>, ...

set extip {user}

set mappedip {user}

set nat-source-vip [disable|enable]

set arp-reply [disable|enable]

set portforward [disable|enable]

set protocol [tcp|udp|...]

set extport {user}

set mappedport {user}

set color {integer}

set ldb-method [static|round-robin|...]

set server-type [http|https|...]

set http-redirect [enable|disable]

set persistence [none|http-cookie|...]

set nat66 [disable|enable]

set nat64 [disable|enable]

set add-nat64-route [disable|enable]

config realservers

Description: Select the real servers that this server load balancing VIP will distribute traffic to.

edit <id>

set ip {user}

set port {integer}

set status [active|standby|...]

set weight {integer}

set holddown-interval {integer}

set healthcheck [disable|enable|...]

set http-host {string}

set max-connections {integer}

set monitor <name1>, <name2>, ...

set client-ip {user}

next

end

set http-cookie-domain-from-host [disable|enable]

set http-cookie-domain {string}

set http-cookie-path {string}

set http-cookie-generation {integer}

set http-cookie-age {integer}

set http-cookie-share [disable|same-ip]

set https-cookie-secure [disable|enable]

set http-multiplex [enable|disable]

set http-ip-header [enable|disable]

set http-ip-header-name {string}

set outlook-web-access [disable|enable]

set weblogic-server [disable|enable]

set websphere-server [disable|enable]

set ssl-mode [half|full]

set ssl-certificate {string}

set ssl-dh-bits [768|1024|...]

set ssl-algorithm [high|medium|...]

config ssl-cipher-suites

Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.

edit <priority>

set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

set versions {option1}, {option2}, ...

next

end

set ssl-server-algorithm [high|medium|...]

config ssl-server-cipher-suites

Description: SSL/TLS cipher suites to offer to a server, ordered by priority.

edit <priority>

set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

set versions {option1}, {option2}, ...

next

end

set ssl-pfs [require|deny|...]

set ssl-min-version [ssl-3.0|tls-1.0|...]

set ssl-max-version [ssl-3.0|tls-1.0|...]

set ssl-server-min-version [ssl-3.0|tls-1.0|...]

set ssl-server-max-version [ssl-3.0|tls-1.0|...]

set ssl-accept-ffdhe-groups [enable|disable]

set ssl-send-empty-frags [enable|disable]

set ssl-client-fallback [disable|enable]

set ssl-client-renegotiation [allow|deny|...]

set ssl-client-session-state-type [disable|time|...]

set ssl-client-session-state-timeout {integer}

set ssl-client-session-state-max {integer}

set ssl-client-rekey-count {integer}

set ssl-server-session-state-type [disable|time|...]

set ssl-server-session-state-timeout {integer}

set ssl-server-session-state-max {integer}

set ssl-http-location-conversion [enable|disable]

set ssl-http-match-host [enable|disable]

set ssl-hpkp [disable|enable|...]

set ssl-hpkp-primary {string}

set ssl-hpkp-backup {string}

set ssl-hpkp-age {integer}

set ssl-hpkp-report-uri {var-string}

set ssl-hpkp-include-subdomains [disable|enable]

set ssl-hsts [disable|enable]

set ssl-hsts-age {integer}

set ssl-hsts-include-subdomains [disable|enable]

set monitor <name1>, <name2>, ...

set max-embryonic-connections {integer}

set embedded-ipv4-address [disable|enable]

set ipv4-mappedip {user}

set ipv4-mappedport {user}

next

end

config firewall vip6

Parameter

Description

Type

Size

Default

id

Custom defined ID.

integer

Minimum value: 0 Maximum value: 65535

0

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

comment

Comment.

var-string

Not Specified

type

Configure a static NAT server load balance VIP or access proxy.

option

-

static-nat

 

Option

Description

static-nat

Static NAT.

server-load-balance

Server load balance.

access-proxy

Access proxy.

src-filter <range>

Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces.

Source-filter range.

string

Maximum length: 79

extip

IPv6 address or address range on the external interface that you want to map to an address or address range on the destination network.

user

Not Specified

mappedip

Mapped IPv6 address range in the format startIP-endIP.

user

Not Specified

nat-source-vip

Enable to perform SNAT on traffic from mappedip to the extip for all egress interfaces.

option

-

disable

 

Option

Description

disable

Disable nat-source-vip.

enable

Perform SNAT on traffic from mappedip to the extip for all egress interfaces.

arp-reply

Enable to respond to ARP requests for this virtual IP address. Enabled by default.

option

-

enable

 

Option

Description

disable

Disable ARP reply.

enable

Enable ARP reply.

portforward

Enable port forwarding.

option

-

disable

 

Option

Description

disable

Disable port forward.

enable

Enable/disable port forwarding.

protocol

Protocol to use when forwarding packets.

option

-

tcp

 

Option

Description

tcp

TCP.

udp

UDP.

sctp

SCTP.

extport

Incoming port number range that you want to map to a port number range on the destination network.

user

Not Specified

mappedport

Port number range on the destination network to which the external port number range is mapped.

user

Not Specified

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0

ldb-method

Method used to distribute sessions to real servers.

option

-

static

 

Option

Description

static

Distribute sessions based on source IP.

round-robin

Distribute sessions based round robin order.

weighted

Distribute sessions based on weight.

least-session

Sends new sessions to the server with the lowest session count.

least-rtt

Distribute new sessions to the server with lowest Round-Trip-Time.

first-alive

Distribute sessions to the first server that is alive.

http-host

Distribute sessions to servers based on host field in HTTP header.

server-type

Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).

option

-

 

Option

Description

http

HTTP.

https

HTTPS.

imaps

IMAPS.

pop3s

POP3S.

smtps

SMTPS.

ssl

SSL.

tcp

TCP.

udp

UDP.

ip

IP.

http-redirect

Enable/disable redirection of HTTP to HTTPS.

option

-

disable

 

Option

Description

enable

Enable redirection of HTTP to HTTPS.

disable

Disable redirection of HTTP to HTTPS.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

 

Option

Description

none

None.

http-cookie

HTTP cookie.

ssl-session-id

SSL session ID.

nat66

Enable/disable DNAT66.

option

-

enable

 

Option

Description

disable

Disable DNAT66.

enable

Enable DNAT66.

nat64

Enable/disable DNAT64.

option

-

disable

 

Option

Description

disable

Disable DNAT64.

enable

Enable DNAT64.

add-nat64-route

Enable/disable adding NAT64 route.

option

-

enable

 

Option

Description

disable

Disable adding NAT64 route.

enable

Enable adding NAT64 route.

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

 

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Not Specified

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Not Specified

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-share

Control sharing of cookies across virtual servers. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

 

Option

Description

disable

Only allow HTTP cookie to match this virtual server.

same-ip

Allow HTTP cookie to match any virtual server with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

 

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

http-multiplex

Enable/disable HTTP multiplexing.

option

-

disable

 

Option

Description

enable

Enable HTTP session multiplexing.

disable

Disable HTTP session multiplexing.

http-ip-header

For HTTP multiplexing, enable to add the original client IP address in the XForwarded-For HTTP header.

option

-

disable

 

Option

Description

enable

Enable adding HTTP header.

disable

Disable adding HTTP header.

http-ip-header-name

For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.

string

Not Specified

outlook-web-access

Enable to add the Front-End-Https header for Microsoft Outlook Web Access.

option

-

disable

 

Option

Description

disable

Disable Outlook Web Access support.

enable

Enable Outlook Web Access support.

weblogic-server

Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.

option

-

disable

 

Option

Description

disable

Do not add HTTP header indicating SSL offload for WebLogic server.

enable

Add HTTP header indicating SSL offload for WebLogic server.

websphere-server

Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.

option

-

disable

 

Option

Description

disable

Do not add HTTP header indicating SSL offload for WebSphere server.

enable

Add HTTP header indicating SSL offload for WebSphere server.

ssl-mode

Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).

option

-

half

 

Option

Description

half

Client to FortiGate SSL.

full

Client to FortiGate and FortiGate to Server SSL.

ssl-certificate

The name of the certificate to use for SSL handshake.

string

Not Specified

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

 

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for SSL sessions according to encryption strength.

option

-

high

 

Option

Description

high

Use AES.

medium

Use AES, 3DES, or RC4.

low

Use AES, 3DES, RC4, or DES.

custom

Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-server-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

client

 

Option

Description

high

Use AES.

medium

Use AES, 3DES, or RC4.

low

Use AES, 3DES, RC4, or DES.

custom

Use config ssl-server-cipher-suites to select the cipher suites that are allowed.

client

Use the same encryption algorithms for client and server sessions.

ssl-pfs

Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

option

-

require

 

Option

Description

require

Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny

Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow

Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

ssl-min-version

Lowest SSL/TLS version acceptable from a client.

option

-

tls-1.1

 

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a client.

option

-

tls-1.3

 

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-server-min-version

Lowest SSL/TLS version acceptable from a server. Use the client setting by default.

option

-

client

 

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

client

Use same value as client configuration.

ssl-server-max-version

Highest SSL/TLS version acceptable from a server. Use the client setting by default.

option

-

client

 

Option

Description

ssl-3.0

SSL 3.0.