config firewall access-proxy
This command is available for model(s): FortiGate-VM64 Aliyun, FortiGate-VM64 AWS, FortiGate-VM64 Azure, FortiGate-VM64 GCP, FortiGate-VM64 OPC, FortiGate-VM64.
It is not available for: FortiGate 1000D, FortiGate 1000F, FortiGate 1001F, FortiGate 100F, FortiGate 101F Gen2, FortiGate 1100E, FortiGate 1101E, FortiGate 120G, FortiGate 121G, FortiGate 1800F, FortiGate 1801F, FortiGate 2000E, FortiGate 200E, FortiGate 200F, FortiGate 200G, FortiGate 201E, FortiGate 201F, FortiGate 201G, FortiGate 2200E, FortiGate 2201E, FortiGate 2500E, FortiGate 2600F, FortiGate 2601F, FortiGate 3000F, FortiGate 3001F, FortiGate 300E, FortiGate 301E, FortiGate 30G, FortiGate 31G, FortiGate 3200F, FortiGate 3201F Gen2, FortiGate 3300E, FortiGate 3301E, FortiGate 3400E, FortiGate 3401E, FortiGate 3500F Gen2, FortiGate 3501F Gen2, FortiGate 3600E, FortiGate 3601E, FortiGate 3700F, FortiGate 3701F, FortiGate 3960E, FortiGate 3980E, FortiGate 400E Bypass, FortiGate 400E, FortiGate 400F, FortiGate 401E, FortiGate 401F, FortiGate 40F 3G4G, FortiGate 40F, FortiGate 4200F, FortiGate 4201F Gen2, FortiGate 4400F, FortiGate 4401F Gen2, FortiGate 4800F, FortiGate 4801F, FortiGate 500E, FortiGate 501E, FortiGate 50G 5G, FortiGate 50G DSL, FortiGate 50G SFP-POE, FortiGate 50G SFP, FortiGate 50G, FortiGate 51G 5G, FortiGate 51G SFP-POE, FortiGate 51G, FortiGate 600E, FortiGate 600F, FortiGate 601E, FortiGate 601F, FortiGate 60F, FortiGate 61F, FortiGate 70F, FortiGate 70G-POE, FortiGate 70G, FortiGate 71F, FortiGate 71G-POE, FortiGate 71G, FortiGate 800D, FortiGate 80F Bypass, FortiGate 80F DSL, FortiGate 80F Gen2, FortiGate 80F-POE, FortiGate 81F Gen2, FortiGate 81F-POE, FortiGate 900D, FortiGate 900G, FortiGate 901G, FortiGate 90G Gen2, FortiGate 90G, FortiGate 91G Gen2, FortiGate 91G, FortiGateRugged 50G 5G, FortiGateRugged 60F 3G4G, FortiGateRugged 60F Gen2, FortiGateRugged 70F 3G4G, FortiGateRugged 70F, FortiGateRugged 70G 5G Dual, FortiGateRugged 70G, FortiWiFi 30G, FortiWiFi 31G, FortiWiFi 40F 3G4G, FortiWiFi 40F, FortiWiFi 50G 5G, FortiWiFi 50G DSL, FortiWiFi 50G SFP, FortiWiFi 50G, FortiWiFi 51G, FortiWiFi 60F, FortiWiFi 61F, FortiWiFi 70G-POE, FortiWiFi 70G, FortiWiFi 71G, FortiWiFi 80F 2R 3G4G DSL, FortiWiFi 80F 2R, FortiWiFi 81F 2R 3G4G DSL, FortiWiFi 81F 2R 3G4G-POE, FortiWiFi 81F 2R-POE, FortiWiFi 81F 2R.
Configure IPv4 access proxy.
```text
config firewall access-proxy
    Description: Configure IPv4 access proxy.
    edit <name>
        set add-vhost-domain-to-dnsdb [enable|disable]
        config api-gateway
            Description: Set IPv4 API Gateway.
            edit <id>
                set application <name1>, <name2>, ...
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                set http-cookie-age {integer}
                set http-cookie-domain {string}
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-generation {integer}
                set http-cookie-path {string}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set ldb-method [static|round-robin|...]
                set persistence [none|http-cookie]
                config quic
                    Description: QUIC setting.
                    set ack-delay-exponent {integer}
                    set active-connection-id-limit {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set domain {string}
                        set external-auth [enable|disable]
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set http-host {string}
                        set ip {ipv4-address-any}
                        set mappedport {user}
                        set port {integer}
                        set ssh-client-cert {string}
                        set ssh-host-key <name1>, <name2>, ...
                        set ssh-host-key-validation [disable|enable]
                        set status [active|standby|...]
                        set translate-host [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set type [tcp-forwarding|ssh]
                        set verify-cert [enable|disable]
                        set weight {integer}
                    next
                end
                set saml-redirect [disable|enable]
                set saml-server {string}
                set service [http|https|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-dh-bits [768|1024|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
                set ssl-vpn-web-portal {string}
                set url-map {string}
                set url-map-type [sub-string|wildcard|...]
                set virtual-host {string}
            next
        end
        config api-gateway6
            Description: Set IPv6 API Gateway.
            edit <id>
                set application <name1>, <name2>, ...
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                set http-cookie-age {integer}
                set http-cookie-domain {string}
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-generation {integer}
                set http-cookie-path {string}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set ldb-method [static|round-robin|...]
                set persistence [none|http-cookie]
                config quic
                    Description: QUIC setting.
                    set ack-delay-exponent {integer}
                    set active-connection-id-limit {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set domain {string}
                        set external-auth [enable|disable]
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set http-host {string}
                        set ip {ipv6-address}
                        set mappedport {user}
                        set port {integer}
                        set ssh-client-cert {string}
                        set ssh-host-key <name1>, <name2>, ...
                        set ssh-host-key-validation [disable|enable]
                        set status [active|standby|...]
                        set translate-host [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set type [tcp-forwarding|ssh]
                        set verify-cert [enable|disable]
                        set weight {integer}
                    next
                end
                set saml-redirect [disable|enable]
                set saml-server {string}
                set service [http|https|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-dh-bits [768|1024|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
                set ssl-vpn-web-portal {string}
                set url-map {string}
                set url-map-type [sub-string|wildcard|...]
                set virtual-host {string}
            next
        end
        set auth-portal [disable|enable]
        set auth-virtual-host {string}
        set decrypted-traffic-mirror {string}
        set log-blocked-traffic [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-server-max-concurrent-request {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-ttl {integer}
        set vip {string}
    next
end
```
config firewall access-proxy

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| add-vhost-domain-to-dnsdb | Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel. | option | - | disable |
| auth-portal | Enable/disable authentication portal. | option | - | disable |
| auth-virtual-host | Virtual host for authentication portal. | string | Maximum length: 79 | |
| decrypted-traffic-mirror | Decrypted traffic mirror. | string | Maximum length: 35 | |
| log-blocked-traffic | Enable/disable logging of blocked traffic. | option | - | enable |
| name | Access Proxy name. | string | Maximum length: 79 | |
| svr-pool-multiplex | Enable/disable server pool multiplexing (default = disable). Share connected server in HTTP, HTTPS, and web-portal api-gateway. | option | - | disable |
| svr-pool-server-max-concurrent-request | Maximum number of concurrent requests that servers in the server pool can handle (default = unlimited). | integer | Minimum value: 0, Maximum value: 2147483647 | 0 |
| svr-pool-server-max-request | Maximum number of requests that servers in the server pool handle before disconnecting (default = unlimited). | integer | Minimum value: 0, Maximum value: 2147483647 | 0 |
| svr-pool-ttl | Time-to-live in the server pool for idle connections to servers. | integer | Minimum value: 0, Maximum value: 2147483647 | 15 |
| vip | Virtual IP name. | string | Maximum length: 79 | |
config api-gateway

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| application | SaaS application controlled by this Access Proxy. SaaS application name. | string | Maximum length: 79 | |
| h2-support | HTTP2 support, default=Enable. | option | - | enable |
| h3-support | HTTP3/QUIC support, default=Disable. | option | - | disable |
| http-cookie-age | Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. | integer | Minimum value: 0, Maximum value: 525600 | 60 |
| http-cookie-domain | Domain that HTTP cookie persistence should apply to. | string | Maximum length: 35 | |
| http-cookie-domain-from-host | Enable/disable use of HTTP cookie domain from host field in HTTP. | option | - | disable |
| http-cookie-generation | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| http-cookie-path | Limit HTTP cookie persistence to the specified path. | string | Maximum length: 35 | |
| http-cookie-share | Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. | option | - | same-ip |
| https-cookie-secure | Enable/disable verification that inserted HTTPS cookies are secure. | option | - | disable |
| id | API Gateway ID. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| ldb-method | Method used to distribute sessions to real servers. | option | - | static |
| persistence | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. | option | - | none |
| saml-redirect | Enable/disable SAML redirection after successful authentication. | option | - | enable |
| saml-server | SAML service provider configuration for VIP authentication. | string | Maximum length: 35 | |
| service | Service. | option | - | https |
| ssl-algorithm | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. | option | - | high |
| ssl-dh-bits | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. | option | - | 2048 |
| ssl-max-version | Highest SSL/TLS version acceptable from a server. | option | - | tls-1.3 |
| ssl-min-version | Lowest SSL/TLS version acceptable from a server. | option | - | tls-1.1 |
| ssl-renegotiation | Enable/disable secure renegotiation to comply with RFC 5746. | option | - | enable |
| ssl-vpn-web-portal | Agentless VPN web portal. | string | Maximum length: 35 | |
| url-map | URL pattern to match. | string | Maximum length: 511 | / |
| url-map-type | Type of url-map. | option | - | sub-string |
| virtual-host | Virtual host. | string | Maximum length: 79 | |
config quic

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| ack-delay-exponent | ACK delay exponent (1 - 20, default = 3). | integer | Minimum value: 1, Maximum value: 20 | 3 |
| active-connection-id-limit | Active connection ID limit (1 - 8, default = 2). | integer | Minimum value: 1, Maximum value: 8 | 2 |
| active-migration | Enable/disable active migration (default = disable). | option | - | disable |
| grease-quic-bit | Enable/disable grease QUIC bit (default = enable). | option | - | enable |
| max-ack-delay | Maximum ACK delay in milliseconds (1 - 16383, default = 25). | integer | Minimum value: 1, Maximum value: 16383 | 25 |
| max-datagram-frame-size | Maximum datagram frame size in bytes (1 - 1500, default = 1500). | integer | Minimum value: 1, Maximum value: 1500 | 1500 |
| max-idle-timeout | Maximum idle timeout in milliseconds (1 - 60000, default = 30000). | integer | Minimum value: 1, Maximum value: 60000 | 30000 |
| max-udp-payload-size | Maximum UDP payload size in bytes (1200 - 1500, default = 1500). | integer | Minimum value: 1200, Maximum value: 1500 | 1500 |
config realservers

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| addr-type | Type of address. | option | - | ip |
| address | Address or address group of the real server. | string | Maximum length: 79 | |
| domain | Wildcard domain name of the real server. | string | Maximum length: 255 | |
| external-auth | Enable/disable use of external browser as user-agent for SAML user authentication. | option | - | disable |
| health-check | Enable to check the responsiveness of the real server before forwarding traffic. | option | - | disable |
| health-check-proto | Protocol of the health check monitor to use when polling to determine the server's connectivity status. | option | - | ping |
| holddown-interval | Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds). | option | - | enable |
| http-host | HTTP server domain name in HTTP header. | string | Maximum length: 63 | |
| id | Real server ID. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| ip | IP address of the real server. | ipv4-address-any | Not Specified | 0.0.0.0 |
| mappedport | Port for communicating with the real server. | user | Not Specified | |
| port | Port for communicating with the real server. | integer | Minimum value: 1, Maximum value: 65535 | 443 |
| ssh-client-cert | Set access-proxy SSH client certificate profile. | string | Maximum length: 79 | |
| ssh-host-key | One or more server host keys. Server host key name. | string | Maximum length: 79 | |
| ssh-host-key-validation | Enable/disable SSH real server host key validation. | option | - | disable |
| status | Set the status of the real server to active so that it can accept traffic, or to standby or disabled so that no traffic is sent. | option | - | active |
| translate-host | Enable/disable translation of hostname/IP from virtual server to real server. | option | - | enable |
| tunnel-encryption | Tunnel encryption. | option | - | disable |
| type | TCP forwarding server type. | option | - | tcp-forwarding |
| verify-cert | Enable/disable certificate verification of the real server. | option | - | enable |
| weight | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | integer | Minimum value: 1, Maximum value: 255 | 1 |
config ssl-cipher-suites

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| cipher | Cipher suite name. | option | - | |
| priority | SSL/TLS cipher suites priority. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| versions | SSL/TLS versions that the cipher suite can be used with. | option | - | tls-1.0 tls-1.1 tls-1.2 tls-1.3 |
config api-gateway6

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| application | SaaS application controlled by this Access Proxy. SaaS application name. | string | Maximum length: 79 | |
| h2-support | HTTP2 support, default=Enable. | option | - | enable |
| h3-support | HTTP3/QUIC support, default=Disable. | option | - | disable |
| http-cookie-age | Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit. | integer | Minimum value: 0, Maximum value: 525600 | 60 |
| http-cookie-domain | Domain that HTTP cookie persistence should apply to. | string | Maximum length: 35 | |
| http-cookie-domain-from-host | Enable/disable use of HTTP cookie domain from host field in HTTP. | option | - | disable |
| http-cookie-generation | Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| http-cookie-path | Limit HTTP cookie persistence to the specified path. | string | Maximum length: 35 | |
| http-cookie-share | Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing. | option | - | same-ip |
| https-cookie-secure | Enable/disable verification that inserted HTTPS cookies are secure. | option | - | disable |
| id | API Gateway ID. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| ldb-method | Method used to distribute sessions to real servers. | option | - | static |
| persistence | Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session. | option | - | none |
| saml-redirect | Enable/disable SAML redirection after successful authentication. | option | - | enable |
| saml-server | SAML service provider configuration for VIP authentication. | string | Maximum length: 35 | |
| service | Service. | option | - | https |
| ssl-algorithm | Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength. | option | - | high |
| ssl-dh-bits | Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions. | option | - | 2048 |
| ssl-max-version | Highest SSL/TLS version acceptable from a server. | option | - | tls-1.3 |
| ssl-min-version | Lowest SSL/TLS version acceptable from a server. | option | - | tls-1.1 |
| ssl-renegotiation | Enable/disable secure renegotiation to comply with RFC 5746. | option | - | enable |
| ssl-vpn-web-portal | Agentless VPN web portal. | string | Maximum length: 35 | |
| url-map | URL pattern to match. | string | Maximum length: 511 | / |
| url-map-type | Type of url-map. | option | - | sub-string |
| virtual-host | Virtual host. | string | Maximum length: 79 | |
config quic

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| ack-delay-exponent | ACK delay exponent (1 - 20, default = 3). | integer | Minimum value: 1, Maximum value: 20 | 3 |
| active-connection-id-limit | Active connection ID limit (1 - 8, default = 2). | integer | Minimum value: 1, Maximum value: 8 | 2 |
| active-migration | Enable/disable active migration (default = disable). | option | - | disable |
| grease-quic-bit | Enable/disable grease QUIC bit (default = enable). | option | - | enable |
| max-ack-delay | Maximum ACK delay in milliseconds (1 - 16383, default = 25). | integer | Minimum value: 1, Maximum value: 16383 | 25 |
| max-datagram-frame-size | Maximum datagram frame size in bytes (1 - 1500, default = 1500). | integer | Minimum value: 1, Maximum value: 1500 | 1500 |
| max-idle-timeout | Maximum idle timeout in milliseconds (1 - 60000, default = 30000). | integer | Minimum value: 1, Maximum value: 60000 | 30000 |
| max-udp-payload-size | Maximum UDP payload size in bytes (1200 - 1500, default = 1500). | integer | Minimum value: 1200, Maximum value: 1500 | 1500 |
config realservers

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| addr-type | Type of address. | option | - | ip |
| address | Address or address group of the real server. | string | Maximum length: 79 | |
| domain | Wildcard domain name of the real server. | string | Maximum length: 255 | |
| external-auth | Enable/disable use of external browser as user-agent for SAML user authentication. | option | - | disable |
| health-check | Enable to check the responsiveness of the real server before forwarding traffic. | option | - | disable |
| health-check-proto | Protocol of the health check monitor to use when polling to determine the server's connectivity status. | option | - | ping |
| holddown-interval | Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds). | option | - | enable |
| http-host | HTTP server domain name in HTTP header. | string | Maximum length: 63 | |
| id | Real server ID. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| ip | IPv6 address of the real server. | ipv6-address | Not Specified | :: |
| mappedport | Port for communicating with the real server. | user | Not Specified | |
| port | Port for communicating with the real server. | integer | Minimum value: 1, Maximum value: 65535 | 443 |
| ssh-client-cert | Set access-proxy SSH client certificate profile. | string | Maximum length: 79 | |
| ssh-host-key | One or more server host keys. Server host key name. | string | Maximum length: 79 | |
| ssh-host-key-validation | Enable/disable SSH real server host key validation. | option | - | disable |
| status | Set the status of the real server to active so that it can accept traffic, or to standby or disabled so that no traffic is sent. | option | - | active |
| translate-host | Enable/disable translation of hostname/IP from virtual server to real server. | option | - | enable |
| tunnel-encryption | Tunnel encryption. | option | - | disable |
| type | TCP forwarding server type. | option | - | tcp-forwarding |
| verify-cert | Enable/disable certificate verification of the real server. | option | - | enable |
| weight | Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections. | integer | Minimum value: 1, Maximum value: 255 | 1 |
config ssl-cipher-suites

| Parameter | Description | Type | Size | Default |
|---|---|---|---|---|
| cipher | Cipher suite name. | option | - | |
| priority | SSL/TLS cipher suites priority. | integer | Minimum value: 0, Maximum value: 4294967295 | 0 |
| versions | SSL/TLS versions that the cipher suite can be used with. | option | - | tls-1.0 tls-1.1 tls-1.2 tls-1.3 |
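Several of the defaults documented above are the weaker choice (ssl-min-version tls-1.1, https-cookie-secure disable, ssh-host-key-validation disable), so an access-proxy object that never sets them inherits those values silently. As an added example that is not part of this reference or of Fortinet's code, the following Python parses a `config firewall access-proxy` dump in the CLI format shown above and reports the effective (explicit or defaulted) value of those settings together with real servers whose verify-cert is off; the sample dump and the names and addresses in it are constructed.

```python
# Added example, not Fortinet's code: audit an access-proxy dump against the defaults documented above.
import shlex
from collections import namedtuple

Finding = namedtuple("Finding", "where setting value reason")

# Documented defaults: an absent 'set' line means the default applies, so the audit
# evaluates what the device will actually use, not only what is written in the dump.
DEFAULTS = {
    "ssl-min-version": "tls-1.1", "persistence": "none", "https-cookie-secure": "disable",
    "type": "tcp-forwarding", "verify-cert": "enable", "ssh-host-key-validation": "disable",
}

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into nested dicts keyed by name or id."""
    stack = [{}]  # stack[-1] is the block currently being filled
    for raw in text.splitlines():
        kw, *args = shlex.split(raw) or [None]  # honours quoted names; skips blank lines
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":  # one value -> string, several values -> list
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return stack[0]

def effective(entry, key):
    """Value the device will use: the explicit setting or the documented default."""
    return entry.get(key, DEFAULTS[key])

def audit_gateway(where, gw):
    """Yield findings for one api-gateway / api-gateway6 entry and its realservers."""
    tls_min = effective(gw, "ssl-min-version")
    if tls_min not in ("tls-1.2", "tls-1.3"):  # the documented default tls-1.1 is flagged too
        yield Finding(where, "ssl-min-version", tls_min, "server-side TLS floor below 1.2")
    secure = effective(gw, "https-cookie-secure")
    if effective(gw, "persistence") == "http-cookie" and secure != "enable":
        yield Finding(where, "https-cookie-secure", secure, "persistence cookie not Secure")
    for sid, rs in gw.get("realservers", {}).items():
        rwhere, verify = f"{where} realserver {sid}", effective(rs, "verify-cert")
        if verify != "enable":
            yield Finding(rwhere, "verify-cert", verify, "real server certificate not verified")
        hostkey = effective(rs, "ssh-host-key-validation")
        if effective(rs, "type") == "ssh" and hostkey != "enable":
            yield Finding(rwhere, "ssh-host-key-validation", hostkey, "SSH host key not validated")

def audit(text):
    """Return all findings for every access-proxy in a FortiOS config dump."""
    out = []
    for name, proxy in parse_fortios(text).get("firewall access-proxy", {}).items():
        for table in ("api-gateway", "api-gateway6"):
            for gid, gw in proxy.get(table, {}).items():
                out.extend(audit_gateway(f"access-proxy {name} {table} {gid}", gw))
    return out

# Constructed sample dump: gateway 1 relies on defaults, gateway 2 forwards SSH.
SAMPLE_DUMP = """
config firewall access-proxy
    edit "ztna-web"
        config api-gateway
            edit 1
                set persistence http-cookie
                config realservers
                    edit 1
                        set ip 10.0.0.5
                        set verify-cert disable
                    next
                end
            next
            edit 2
                set ssl-min-version tls-1.2
                config realservers
                    edit 1
                        set ip 10.0.0.22
                        set type ssh
                    next
                end
            next
        end
    next
end
"""
```

Running `audit(SAMPLE_DUMP)` yields four findings: gateway 1 is reported for the defaulted tls-1.1 floor and the non-Secure persistence cookie plus its real server for verify-cert, while gateway 2 is reported only for the SSH real server whose host key validation was left at the default.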