
CLI Reference

profile tls

Use this command to configure TLS profiles that can be used by receive rules (also called access control rules) and delivery rules. Note that many subcommands are only available when level is set to either preferred or secure.

Syntax

config profile tls
    edit <profile_name>
        set level {none | preferred | secure}
        set action {fail | tempfail}
        set ca-name <string>
        set cert-subject <string>
        set check-ca-name {enable | disable}
        set check-ca-type {match | substring | wildcard}
        set check-cert-subject {enable | disable}
        set check-cert-type {match | substring | wildcard}
        set check-encryption-strength {enable | disable}
        set check-ssl-version {enable | disable}
        set dane-support {mandatory | none | opportunistic}
        set encryption-strength <integer>
        set min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
        set mtasts-status {enable | monitor | none}
    end

Variables

Each entry below gives the variable, its description, and its default value where one applies.

<profile_name>
    Enter the name of the TLS profile.

level {none | preferred | secure}
    Enter the security level of the TLS connection.
      • none: Disables TLS. Requests for a TLS connection will be ignored.
      • preferred: Allow a simple TLS connection, but do not require it. Data is not encrypted, nor is the identity of the server validated with a certificate.
      • secure: Requires a certificate-authenticated TLS connection. CA certificates must be installed on the FortiMail unit before they can be used for secure TLS connections. For information on installing CA certificates, see the FortiMail Administration Guide.
    Default: none

action {fail | tempfail}
    Select the action the FortiMail unit takes when a TLS connection cannot be established.
    This option does not apply to profiles whose level is preferred.
    Default: tempfail

ca-name <string>
    Enter the name of the CA issuer.
    This option is only available when level is set to secure.

cert-subject <string>
    Enter the certificate subject.
    This option is only available when level is set to secure.

check-ca-name {enable | disable}
    Enable to check the CA issuer name.
    This option is only available when level is set to secure.
    Default: disable

check-ca-type {match | substring | wildcard}
    Select a CA issuer check type.
    This option is only available when level is set to secure.
    Default: match

check-cert-subject {enable | disable}
    Enable to check the certificate subject name.
    This option is only available when level is set to secure.
    Default: disable

check-cert-type {match | substring | wildcard}
    Select a certificate check type.
    This option is only available when level is set to secure.
    Default: match

check-encryption-strength {enable | disable}
    Enable to check the encryption key length.
    Default: disable

check-ssl-version {enable | disable}
    Enable to check the SSL/TLS version.
    Default: disable

dane-support {mandatory | none | opportunistic}
    Assign a DNS-based Authentication of Named Entities (DANE) support level.
    Note that mandatory is only applicable when level is set to secure.
    For more information, see RFC 7929.
    Default: none

encryption-strength <integer>
    Enter the encryption key length.
    Default: 256

min-ssl-version {ssl3 | tls1_0 | tls1_1 | tls1_2 | tls1_3}
    Enter the minimum required SSL/TLS version.
    This option is only available when check-ssl-version is set to enable.
    Default: tls1_1

mtasts-status {enable | monitor | none}
    Enable MTA Strict Transport Security (MTA-STS) domain checking.
    This option is only available when level is set to either preferred or secure.
    Note: The MTA-STS status may only be set when smtp-mtasts-status is enabled under system mailserver.
    Default: none
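The availability rules in the table above (options that only take effect when level is secure, min-ssl-version only mattering once check-ssl-version is enabled, mandatory DANE requiring level secure) are easy to get wrong in a hand-written profile, and the CLI accepts the settings silently. The following is an added example, not Fortinet code: a small Python parser and linter for an exported config profile tls block. The sample configuration, the profile names and the subject strings are constructed for the example; the defaults and dependency rules come from the table above. It does not inspect system mailserver, so the smtp-mtasts-status prerequisite for mtasts-status is not checked. The deprecated-version finding is the author's recommendation (TLS 1.1 and below are deprecated by RFC 8996), not a rule stated on this page.

```python
"""Lint FortiMail 'config profile tls' blocks against the option
dependency rules listed in the reference table (added example)."""
import re

# Constructed sample export: one correct secure profile, one opportunistic
# profile, and one profile that sets options its level cannot use.
SAMPLE_CONFIG = """\
config profile tls
    edit "partner-secure"
        set level secure
        set action fail
        set check-cert-subject enable
        set check-cert-type wildcard
        set cert-subject "*.partner.example"
        set check-ssl-version enable
        set min-ssl-version tls1_2
        set dane-support mandatory
    next
    edit "opportunistic"
        set level preferred
        set check-ssl-version enable
        set min-ssl-version tls1_2
    next
    edit "misconfigured"
        set level preferred
        set check-cert-subject enable
        set cert-subject "mail.example"
        set min-ssl-version tls1_2
        set dane-support mandatory
    next
end
"""

# Defaults as listed in the reference table.
DEFAULTS = {
    "level": "none", "action": "tempfail", "check-ca-name": "disable",
    "check-ca-type": "match", "check-cert-subject": "disable",
    "check-cert-type": "match", "check-encryption-strength": "disable",
    "check-ssl-version": "disable", "dane-support": "none",
    "encryption-strength": "256", "min-ssl-version": "tls1_1",
    "mtasts-status": "none",
}
# Options the table marks "only available when level is set to secure".
SECURE_ONLY = {"ca-name", "cert-subject", "check-ca-name", "check-ca-type",
               "check-cert-subject", "check-cert-type"}
# Protocol versions in increasing order, as spelled in the CLI.
TLS_ORDER = ["ssl3", "tls1_0", "tls1_1", "tls1_2", "tls1_3"]


def parse_tls_profiles(text):
    """Return {profile_name: {option: value}} holding only explicitly set options."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit\s+"?([^"]+)"?$', line):
            current = {}
            profiles[m.group(1)] = current
        elif m := re.match(r'set\s+(\S+)\s+"?(.*?)"?$', line):
            if current is None:
                raise ValueError("set outside of an edit block: " + line)
            current[m.group(1)] = m.group(2)
        elif line in ("next", "end"):
            current = None
    return profiles


def lint_profile(name, explicit):
    """Apply the table's availability rules; return (profile, message) findings."""
    eff = {**DEFAULTS, **explicit}          # effective values after defaults
    findings = []
    level = eff["level"]
    if level == "none":
        findings.append((name, "level none: TLS is disabled for this profile"))
    if level != "secure":
        for opt in sorted(SECURE_ONLY.intersection(explicit)):
            findings.append((name, f"{opt} is only available when level is secure; ignored"))
        if eff["dane-support"] == "mandatory":
            findings.append((name, "dane-support mandatory requires level secure"))
    if level == "preferred" and "action" in explicit:
        findings.append((name, "action does not apply when level is preferred"))
    if "min-ssl-version" in explicit and eff["check-ssl-version"] != "enable":
        findings.append((name, "min-ssl-version has no effect unless check-ssl-version is enable"))
    # Author's recommendation, not a rule from the page: flag floors below TLS 1.2.
    if (eff["check-ssl-version"] == "enable"
            and TLS_ORDER.index(eff["min-ssl-version"]) < TLS_ORDER.index("tls1_2")):
        findings.append((name, f"min-ssl-version {eff['min-ssl-version']} admits "
                               "deprecated protocol versions (RFC 8996)"))
    return findings


def lint_config(text):
    """Parse a config profile tls block and lint every profile in it."""
    findings = []
    for name, explicit in parse_tls_profiles(text).items():
        findings.extend(lint_profile(name, explicit))
    return findings


if __name__ == "__main__":
    for profile, message in lint_config(SAMPLE_CONFIG):
        print(f"{profile}: {message}")
```

Run against a real export by reading the file into lint_config instead of SAMPLE_CONFIG; a profile that produces no findings still only guarantees internal consistency, not that the CA certificates the secure level depends on are installed.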

Related topics

cloud-api profile antivirus
