Fortinet black logo

CLI Reference

7.6.0
7.6.0
7.4.5
7.4.4
7.4.3
7.4.2
7.4.1
7.4.0
7.2.10
7.2.9
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.0.0
5.6.0
5.4.0
5.2.0
5.0.0

config firewall ssl-ssh-profile

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
    Description: Configure SSL/SSH protocol options.
    edit <name>
        set allowlist [enable|disable]
        set block-blocklisted-certificates [disable|enable]
        set caname {string}
        set comment {var-string}
        config dot
            Description: Configure DNS over TLS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set proxy-after-tcp-handshake [enable|disable]
            set quic [inspect|bypass|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config ech-outer-sni
            Description: ClientHelloOuter SNIs to be blocked.
            edit <name>
                set sni {string}
            next
        end
        config ftps
            Description: Configure FTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set ports {integer}
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config https
            Description: Configure HTTPS options.
            set cert-probe-failure [allow|block]
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set encrypted-client-hello [allow|block]
            set expired-server-cert [allow|block|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set quic [inspect|bypass|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|certificate-inspection|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set mapi-over-https [enable|disable]
        config pop3s
            Description: Configure POP3S options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set rpc-over-https [enable|disable]
        set server-cert <name1>, <name2>, ...
        set server-cert-mode [re-sign|replace]
        config smtps
            Description: Configure SMTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config ssh
            Description: Configure SSH options.
            set inspect-all [disable|deep-inspection]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set ssh-algorithm [compatible|high-encryption]
            set ssh-tun-policy-check [disable|enable]
            set status [disable|deep-inspection]
            set unsupported-version [bypass|block]
        end
        config ssl
            Description: Configure SSL options.
            set cert-probe-failure [allow|block]
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set encrypted-client-hello [allow|block]
            set expired-server-cert [allow|block|...]
            set inspect-all [disable|certificate-inspection|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set ssl-anomaly-log [disable|enable]
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set address {string}
                set address6 {string}
                set fortiguard-category {integer}
                set regex {string}
                set type [fortiguard-category|address|...]
                set wildcard-fqdn {string}
            next
        end
        set ssl-exemption-ip-rating [enable|disable]
        set ssl-exemption-log [disable|enable]
        set ssl-handshake-log [disable|enable]
        set ssl-negotiation-log [disable|enable]
        config ssl-server
            Description: SSL server settings used for client certificate request.
            edit <id>
                set ftps-client-certificate [bypass|inspect|...]
                set https-client-certificate [bypass|inspect|...]
                set imaps-client-certificate [bypass|inspect|...]
                set ip {ipv4-address-any}
                set pop3s-client-certificate [bypass|inspect|...]
                set smtps-client-certificate [bypass|inspect|...]
                set ssl-other-client-certificate [bypass|inspect|...]
            next
        end
        set ssl-server-cert-log [disable|enable]
        set supported-alpn [http1-1|http2|...]
        set untrusted-caname {string}
        set use-ssl-server [disable|enable]
    next
end

config firewall ssl-ssh-profile

Parameter

Description

Type

Size

Default

allowlist

Enable/disable exempting servers by FortiGuard allowlist.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

block-blocklisted-certificates

Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist.

option

-

enable

Option

Description

disable

Disable FortiGuard certificate blocklist.

enable

Enable FortiGuard certificate blocklist.

caname

CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_SSL

comment

Optional comments.

var-string

Maximum length: 255

mapi-over-https

Enable/disable inspection of MAPI over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of MAPI over HTTPS.

disable

Disable inspection of MAPI over HTTPS.

name

Name.

string

Maximum length: 35

rpc-over-https

Enable/disable inspection of RPC over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTPS.

disable

Disable inspection of RPC over HTTPS.

server-cert <name>

Certificate used by SSL Inspection to replace server certificate.

Certificate list.

string

Maximum length: 79

server-cert-mode

Re-sign or replace the server's certificate.

option

-

re-sign

Option

Description

re-sign

Multiple clients connecting to multiple servers.

replace

Protect an SSL server.

ssl-anomaly-log

Enable/disable logging of SSL anomalies.

option

-

enable

Option

Description

disable

Disable logging of SSL anomalies.

enable

Enable logging of SSL anomalies.

ssl-exemption-ip-rating

Enable/disable IP based URL rating.

option

-

enable

Option

Description

enable

Enable IP based URL rating.

disable

Disable IP based URL rating.

ssl-exemption-log

Enable/disable logging of SSL exemptions.

option

-

disable

Option

Description

disable

Disable logging of SSL exemptions.

enable

Enable logging of SSL exemptions.

ssl-handshake-log

Enable/disable logging of TLS handshakes.

option

-

disable

Option

Description

disable

Disable logging of TLS handshakes.

enable

Enable logging of TLS handshakes.

ssl-negotiation-log

Enable/disable logging of SSL negotiation events.

option

-

enable

Option

Description

disable

Disable logging of SSL negotiation events.

enable

Enable logging of SSL negotiation events.

ssl-server-cert-log

Enable/disable logging of server certificate information.

option

-

disable

Option

Description

disable

Disable logging of server certificate information.

enable

Enable logging of server certificate information.

supported-alpn

Configure ALPN option.

option

-

all

Option

Description

http1-1

Enable all ALPN including HTTP1.1 except HTTP2 and SPDY.

http2

Enable all ALPN including HTTP2 except HTTP1.1 and SPDY.

all

Allow all ALPN extensions except SPDY.

none

Do not use ALPN.

untrusted-caname

Untrusted CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_Untrusted

use-ssl-server

Enable/disable the use of SSL server table for SSL offloading.

option

-

disable

Option

Description

disable

Don't use SSL server configuration.

enable

Use SSL server configuration.

config dot

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

quic

QUIC inspection status.

option

-

inspect

Option

Description

inspect

Inspect QUIC traffic.

bypass

Bypass QUIC traffic.

block

Block QUIC traffic.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config ech-outer-sni

Parameter

Description

Type

Size

Default

name

ClientHelloOuter SNI name.

string

Maximum length: 79

sni

ClientHelloOuter SNI to be blocked.

string

Maximum length: 255

config ftps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

min-allowed-ssl-version

Minimum SSL version to be allowed. Flow-based inspection does not support SSL version control.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config https

Parameter

Description

Type

Size

Default

cert-probe-failure

Action based on certificate probe failure.

option

-

allow

Option

Description

allow

Bypass the session when unable to retrieve server's certificate for inspection.

block

Block the session when unable to retrieve server's certificate for inspection.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

encrypted-client-hello

Block/allow session based on existence of encrypted-client-hello.

option

-

block

Option

Description

allow

Pass the session when encrypted-client-hello exists.

block

Block the session when encrypted-client-hello exists.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

min-allowed-ssl-version

Minimum SSL version to be allowed. Flow-based inspection does not support SSL version control.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

quic

QUIC inspection status.

option

-

inspect

Option

Description

inspect

Inspect QUIC traffic.

bypass

Bypass QUIC traffic.

block

Block QUIC traffic.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config imaps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config pop3s

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config smtps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config ssh

Parameter

Description

Type

Size

Default

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-algorithm

Relative strength of encryption algorithms accepted during negotiation.

option

-

compatible

Option

Description

compatible

Allow a broader set of encryption algorithms for best compatibility.

high-encryption

Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

ssh-tun-policy-check

Enable/disable SSH tunnel policy check.

option

-

disable

Option

Description

disable

Disable SSH tunnel policy check.

enable

Enable SSH tunnel policy check.

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-version

Action based on SSH version being unsupported.

option

-

bypass

Option

Description

bypass

Bypass the session.

block

Block the session.

config ssl

Parameter

Description

Type

Size

Default

cert-probe-failure

Action based on certificate probe failure.

option

-

allow

Option

Description

allow

Bypass the session when unable to retrieve server's certificate for inspection.

block

Block the session when unable to retrieve server's certificate for inspection.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

encrypted-client-hello

Block/allow session based on existence of encrypted-client-hello.

option

-

block

Option

Description

allow

Pass the session when encrypted-client-hello exists.

block

Block the session when encrypted-client-hello exists.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

min-allowed-ssl-version

Minimum SSL version to be allowed. Flow-based inspection does not support SSL version control.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config ssl-exempt

Parameter

Description

Type

Size

Default

address

IPv4 address object.

string

Maximum length: 79

address6

IPv6 address object.

string

Maximum length: 79

fortiguard-category

FortiGuard category ID.

integer

Minimum value: 0 Maximum value: 255

0

id

ID number.

integer

Minimum value: 0 Maximum value: 512

0

regex

Exempt servers by regular expression.

string

Maximum length: 255

type

Type of address object (IPv4 or IPv6) or FortiGuard category.

option

-

fortiguard-category

Option

Description

fortiguard-category

FortiGuard category.

address

Firewall IPv4 address.

address6

Firewall IPv6 address.

wildcard-fqdn

Fully Qualified Domain Name with wildcard characters.

regex

Regular expression FQDN.

wildcard-fqdn

Exempt servers by wildcard FQDN.

string

Maximum length: 79

config ssl-server

Parameter

Description

Type

Size

Default

ftps-client-certificate

Action based on received client certificate during the FTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

https-client-certificate

Action based on received client certificate during the HTTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

id

SSL server ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

imaps-client-certificate

Action based on received client certificate during the IMAPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ip

IPv4 address of the SSL server.

ipv4-address-any

Not Specified

0.0.0.0

pop3s-client-certificate

Action based on received client certificate during the POP3S handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

smtps-client-certificate

Action based on received client certificate during the SMTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ssl-other-client-certificate

Action based on received client certificate during an SSL protocol handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.
Previous
Next

config firewall ssl-ssh-profile

config firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile
    Description: Configure SSL/SSH protocol options.
    edit <name>
        set allowlist [enable|disable]
        set block-blocklisted-certificates [disable|enable]
        set caname {string}
        set comment {var-string}
        config dot
            Description: Configure DNS over TLS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set proxy-after-tcp-handshake [enable|disable]
            set quic [inspect|bypass|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config ech-outer-sni
            Description: ClientHelloOuter SNIs to be blocked.
            edit <name>
                set sni {string}
            next
        end
        config ftps
            Description: Configure FTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set ports {integer}
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config https
            Description: Configure HTTPS options.
            set cert-probe-failure [allow|block]
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set encrypted-client-hello [allow|block]
            set expired-server-cert [allow|block|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set quic [inspect|bypass|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|certificate-inspection|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set mapi-over-https [enable|disable]
        config pop3s
            Description: Configure POP3S options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set rpc-over-https [enable|disable]
        set server-cert <name1>, <name2>, ...
        set server-cert-mode [re-sign|replace]
        config smtps
            Description: Configure SMTPS options.
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set expired-server-cert [allow|block|...]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set status [disable|deep-inspection]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        config ssh
            Description: Configure SSH options.
            set inspect-all [disable|deep-inspection]
            set ports {integer}
            set proxy-after-tcp-handshake [enable|disable]
            set ssh-algorithm [compatible|high-encryption]
            set ssh-tun-policy-check [disable|enable]
            set status [disable|deep-inspection]
            set unsupported-version [bypass|block]
        end
        config ssl
            Description: Configure SSL options.
            set cert-probe-failure [allow|block]
            set cert-validation-failure [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set client-certificate [bypass|inspect|...]
            set encrypted-client-hello [allow|block]
            set expired-server-cert [allow|block|...]
            set inspect-all [disable|certificate-inspection|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
            set revoked-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set unsupported-ssl-version [allow|block]
            set untrusted-server-cert [allow|block|...]
        end
        set ssl-anomaly-log [disable|enable]
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set address {string}
                set address6 {string}
                set fortiguard-category {integer}
                set regex {string}
                set type [fortiguard-category|address|...]
                set wildcard-fqdn {string}
            next
        end
        set ssl-exemption-ip-rating [enable|disable]
        set ssl-exemption-log [disable|enable]
        set ssl-handshake-log [disable|enable]
        set ssl-negotiation-log [disable|enable]
        config ssl-server
            Description: SSL server settings used for client certificate request.
            edit <id>
                set ftps-client-certificate [bypass|inspect|...]
                set https-client-certificate [bypass|inspect|...]
                set imaps-client-certificate [bypass|inspect|...]
                set ip {ipv4-address-any}
                set pop3s-client-certificate [bypass|inspect|...]
                set smtps-client-certificate [bypass|inspect|...]
                set ssl-other-client-certificate [bypass|inspect|...]
            next
        end
        set ssl-server-cert-log [disable|enable]
        set supported-alpn [http1-1|http2|...]
        set untrusted-caname {string}
        set use-ssl-server [disable|enable]
    next
end

config firewall ssl-ssh-profile

Parameter

Description

Type

Size

Default

allowlist

Enable/disable exempting servers by FortiGuard allowlist.

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

block-blocklisted-certificates

Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blocklist.

option

-

enable

Option

Description

disable

Disable FortiGuard certificate blocklist.

enable

Enable FortiGuard certificate blocklist.

caname

CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_SSL

comment

Optional comments.

var-string

Maximum length: 255

mapi-over-https

Enable/disable inspection of MAPI over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of MAPI over HTTPS.

disable

Disable inspection of MAPI over HTTPS.

name

Name.

string

Maximum length: 35

rpc-over-https

Enable/disable inspection of RPC over HTTPS.

option

-

disable

Option

Description

enable

Enable inspection of RPC over HTTPS.

disable

Disable inspection of RPC over HTTPS.

server-cert <name>

Certificate used by SSL Inspection to replace server certificate.

Certificate list.

string

Maximum length: 79

server-cert-mode

Re-sign or replace the server's certificate.

option

-

re-sign

Option

Description

re-sign

Multiple clients connecting to multiple servers.

replace

Protect an SSL server.

ssl-anomaly-log

Enable/disable logging of SSL anomalies.

option

-

enable

Option

Description

disable

Disable logging of SSL anomalies.

enable

Enable logging of SSL anomalies.

ssl-exemption-ip-rating

Enable/disable IP based URL rating.

option

-

enable

Option

Description

enable

Enable IP based URL rating.

disable

Disable IP based URL rating.

ssl-exemption-log

Enable/disable logging of SSL exemptions.

option

-

disable

Option

Description

disable

Disable logging of SSL exemptions.

enable

Enable logging of SSL exemptions.

ssl-handshake-log

Enable/disable logging of TLS handshakes.

option

-

disable

Option

Description

disable

Disable logging of TLS handshakes.

enable

Enable logging of TLS handshakes.

ssl-negotiation-log

Enable/disable logging of SSL negotiation events.

option

-

enable

Option

Description

disable

Disable logging of SSL negotiation events.

enable

Enable logging of SSL negotiation events.

ssl-server-cert-log

Enable/disable logging of server certificate information.

option

-

disable

Option

Description

disable

Disable logging of server certificate information.

enable

Enable logging of server certificate information.

supported-alpn

Configure ALPN option.

option

-

all

Option

Description

http1-1

Enable all ALPN including HTTP1.1 except HTTP2 and SPDY.

http2

Enable all ALPN including HTTP2 except HTTP1.1 and SPDY.

all

Allow all ALPN extensions except SPDY.

none

Do not use ALPN.

untrusted-caname

Untrusted CA certificate used by SSL Inspection.

string

Maximum length: 35

Fortinet_CA_Untrusted

use-ssl-server

Enable/disable the use of SSL server table for SSL offloading.

option

-

disable

Option

Description

disable

Don't use SSL server configuration.

enable

Use SSL server configuration.

config dot

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

quic

QUIC inspection status.

option

-

inspect

Option

Description

inspect

Inspect QUIC traffic.

bypass

Bypass QUIC traffic.

block

Block QUIC traffic.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config ech-outer-sni

Parameter

Description

Type

Size

Default

name

ClientHelloOuter SNI name.

string

Maximum length: 79

sni

ClientHelloOuter SNI to be blocked.

string

Maximum length: 255

config ftps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

min-allowed-ssl-version

Minimum SSL version to be allowed. Flow-based inspection does not support SSL version control.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config https

Parameter

Description

Type

Size

Default

cert-probe-failure

Action based on certificate probe failure.

option

-

allow

Option

Description

allow

Bypass the session when unable to retrieve server's certificate for inspection.

block

Block the session when unable to retrieve server's certificate for inspection.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

encrypted-client-hello

Block/allow session based on existence of encrypted-client-hello.

option

-

block

Option

Description

allow

Pass the session when encrypted-client-hello exists.

block

Block the session when encrypted-client-hello exists.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

min-allowed-ssl-version

Minimum SSL version to be allowed. Flow-based inspection does not support SSL version control.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

quic

QUIC inspection status.

option

-

inspect

Option

Description

inspect

Inspect QUIC traffic.

bypass

Bypass QUIC traffic.

block

Block QUIC traffic.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config imaps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config pop3s

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config smtps

Parameter

Description

Type

Size

Default

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

inspect

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

status

Configure protocol inspection status.

option

-

deep-inspection

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config ssh

Parameter

Description

Type

Size

Default

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

ports

Ports to use for scanning.

integer

Minimum value: 1 Maximum value: 65535

proxy-after-tcp-handshake

Proxy traffic after the TCP 3-way handshake has been established (not before).

option

-

disable

Option

Description

enable

Enable setting.

disable

Disable setting.

ssh-algorithm

Relative strength of encryption algorithms accepted during negotiation.

option

-

compatible

Option

Description

compatible

Allow a broader set of encryption algorithms for best compatibility.

high-encryption

Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.

ssh-tun-policy-check

Enable/disable SSH tunnel policy check.

option

-

disable

Option

Description

disable

Disable SSH tunnel policy check.

enable

Enable SSH tunnel policy check.

status

Configure protocol inspection status.

option

-

disable

Option

Description

disable

Disable.

deep-inspection

Full SSL inspection.

unsupported-version

Action based on SSH version being unsupported.

option

-

bypass

Option

Description

bypass

Bypass the session.

block

Block the session.

config ssl

Parameter

Description

Type

Size

Default

cert-probe-failure

Action based on certificate probe failure.

option

-

allow

Option

Description

allow

Bypass the session when unable to retrieve server's certificate for inspection.

block

Block the session when unable to retrieve server's certificate for inspection.

cert-validation-failure

Action based on certificate validation failure.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

cert-validation-timeout

Action based on certificate validation timeout.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

client-certificate

Action based on received client certificate.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

encrypted-client-hello

Block/allow session based on existence of encrypted-client-hello.

option

-

block

Option

Description

allow

Pass the session when encrypted-client-hello exists.

block

Block the session when encrypted-client-hello exists.

expired-server-cert

Action based on server certificate is expired.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

inspect-all

Level of SSL inspection.

option

-

disable

Option

Description

disable

Disable.

certificate-inspection

Inspect SSL handshake only.

deep-inspection

Full SSL inspection.

min-allowed-ssl-version

Minimum SSL version to be allowed. Flow-based inspection does not support SSL version control.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

revoked-server-cert

Action based on server certificate is revoked.

option

-

block

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

sni-server-cert-check

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

option

-

enable

Option

Description

enable

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering.

strict

Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection.

disable

Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.

unsupported-ssl-cipher

Action based on the SSL cipher used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the cipher is not supported.

block

Block the session when the cipher is not supported.

unsupported-ssl-negotiation

Action based on the SSL negotiation used being unsupported.

option

-

allow

Option

Description

allow

Bypass the session when the negotiation is not supported.

block

Block the session when the negotiation is not supported.

unsupported-ssl-version

Action based on the SSL version used being unsupported.

option

-

block

Option

Description

allow

Bypass the session when the version is not supported.

block

Block the session when the version is not supported.

untrusted-server-cert

Action based on server certificate is not issued by a trusted CA.

option

-

allow

Option

Description

allow

Allow the server certificate.

block

Block the session.

ignore

Re-sign the server certificate as trusted.

config ssl-exempt

Parameter

Description

Type

Size

Default

address

IPv4 address object.

string

Maximum length: 79

address6

IPv6 address object.

string

Maximum length: 79

fortiguard-category

FortiGuard category ID.

integer

Minimum value: 0 Maximum value: 255

0

id

ID number.

integer

Minimum value: 0 Maximum value: 512

0

regex

Exempt servers by regular expression.

string

Maximum length: 255

type

Type of address object (IPv4 or IPv6) or FortiGuard category.

option

-

fortiguard-category

Option

Description

fortiguard-category

FortiGuard category.

address

Firewall IPv4 address.

address6

Firewall IPv6 address.

wildcard-fqdn

Fully Qualified Domain Name with wildcard characters.

regex

Regular expression FQDN.

wildcard-fqdn

Exempt servers by wildcard FQDN.

string

Maximum length: 79

config ssl-server

Parameter

Description

Type

Size

Default

ftps-client-certificate

Action based on received client certificate during the FTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

https-client-certificate

Action based on received client certificate during the HTTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

id

SSL server ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

imaps-client-certificate

Action based on received client certificate during the IMAPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ip

IPv4 address of the SSL server.

ipv4-address-any

Not Specified

0.0.0.0

pop3s-client-certificate

Action based on received client certificate during the POP3S handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

smtps-client-certificate

Action based on received client certificate during the SMTPS handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.

ssl-other-client-certificate

Action based on received client certificate during an SSL protocol handshake.

option

-

bypass

Option

Description

bypass

Bypass the session.

inspect

Inspect the session.

block

Block the session.
Previous
Next