Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiManager 7.0.7 Administration Guide
    7.0.7
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.6
    6.2.5
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.12
    6.0.11
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.11
    5.6.10
    5.6.9
    5.6.8
    5.6.7
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.7
    5.4.6
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.2.10
    5.2.7
    5.2.6
    5.2.4
    5.2.3
    5.2.2
    5.2.1
    5.2.0
    5.0.12
    5.0.11
    5.0.10
    5.0.9
    5.0.8
    5.0.7
    5.0.6
    5.0.5
    5.0.4
    5.0.3
    5.0.2
    4.3.8
    4.3.7
    4.3.6
    4.3.5
    4.3.4
    4.3.3
    4.3.2
    4.3.1
    4.3.0
    4.2.9
    4.2.8
    4.2.7
    4.2.6
    4.2.5
    4.2.4
    4.2.3
    4.2.2
    4.2.1
    4.2.0
    4.1.0
    4.0.3
    4.0.2
    4.0.1
    4.0.0

    Central DNAT

    Central DNAT

    The FortiGate unit checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the Internet that is going to be directed to a server on a network behind the FortiGate device. DNAT means the actual address of the internal network is hidden from the Internet. This step determines whether a route to the destination address actually exists.

    DNAT must take place before routing so that the unit can route packets to the correct destination.

    DNAT policies can be created, or imported from Virtual IP (VIP) objects. Virtual servers can also be imported from ADOM objects to DNAT policies. DNAT policies are automatically added to the VIP object table (Object Configurations > Firewall Objects > Virtual IPs) when they are created.

    VIPs can be edited from either the DNAT or VIP object tables by double-clicking on the VIP, right-clicking on the VIP and selected Edit, or selecting the VIP and clicking Edit in the toolbar. The network type cannot be changed. DNAT policies can also be copied, pasted, cloned, and moved from the right-click or Edit menus.

    Deleting a DNAT policy does not delete the corresponding VIP object, and a VIP object cannot be deleted if it is in the DNAT table.

    DNAT policies support overlapping IP address ranges; VIPs do not. DNAT policies do not support VIP groups.

    Central DNAT does not support Section View.

    Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages.

    Central DNAT must be enabled in Tools > Display Options as well for the option to be visible in the tree menu. See Display options.
    To create a new central DNAT entry:
    1. Ensure you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package, click Central DNAT.
    4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Virtual IP pane opens.
    5. Configure the following settings, then click OK to create the VIP:

      Name

      Enter a unique name for the DNAT.

      Comments

      Optionally, enter comments about the DNAT, such as its purpose, or the changes that have been made to it.

      Color

      Select a color.

      Interface

      Select an interface.

      Network Type

      Select the network type: Static NAT, DNS Translation, or FQDN.

      External IP Address/Range

      Enter the start and end external IP addresses in the fields. If there is only one address, enter it in both fields.

      This option is not available when the network type is FQDN.

      Mapped IP Address/Range

      Enter the mapped IP address.

      This option is not available when the network type is FQDN.

      External IP Address

      Enter the external IP address.

      This option is only available when the network type is FQDN.

      Mapped Address

      Select the mapped address.

      This option is only available when the network type is FQDN.

      Source Interface Filter

      Select a source interface filter.

      Optional Filters

      Enable or disable optional filters.

      Source Address

      Add source IP, range, or subnet filters. Multiple filters can be added using the Add icon.

      Services

      Enable and add services.

      Port Forwarding

      Enable or disable port forwarding.

      Protocol

      Select the protocol: TCP, UDP, SCTP, or ICMP.

      External Service Port

      Enter the external service port.

      This option is not available when Protocol is ICMP.

      Map to Port

      Enter the map to port.

      This option is not available when Protocol is ICMP.

      Enable ARP Reply

      Select to enable ARP reply.

      Add To Groups

      Optionally, select groups to add the virtual IP to from the list.

      Advanced Options

      Configure advanced options, see Advanced options.

      For more information on advanced option, see the FortiOS CLI Reference.

      Per-Device Mapping

      Enable or disable per-device mapping.

      If multiple imported VIP objects have the same name but different details, the object type will become Dynamic Virtual IP, and the per-device mappings will be listed here.

      Mappings can also be manually added, edited, and deleted as needed.

    To import VIPs from the Virtual IP object table:
    1. Ensure you are in the correct ADOM.
    2. Go to Policy &Objects > Policy Packages.
    3. In the tree menu for the policy package, click Central DNAT.
    4. Click Import in the toolbar. The Import dialog box will open.
    5. Select the VIP object or objects that need to be imported. If necessary, use the search box to locate specific objects.
    6. Click OK to import the VIPs to the Central DNAT table.
    Advanced options

    Option

    Description

    Default

    dns-mapping-ttl

    Enter time-to-live for DNS response, from 0 to 604 800. 0 means use the DNS server's response time.

    0

    extaddr

    Select an address.

    None

    gratuitous-arp-interval

    Set the time interval between sending of gratuitous ARP packets by a virtual IP. 0 disables this feature.

    0

    http-cookie-age

    Set how long the browser caches cooking, from 0 to 525600 seconds.

    60

    http-cookie-domain

    Enter the domain name to restrict the cookie to.

    none

    http-cookie-domain-from-host

    If enabled, when the unit adds a SetCookie to the HTTP(S) response, the Domain attribute in the SetCookie is set to the value of the Host: header, if there is one.

    disable

    http-cookie-generation

    The exact value of the generation is not important, only that it is different from any generation that has already been used.

    0

    http-cookie-path

    Limit the cookies to a particular path.

    none

    http-cookie-share

    Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server.

    The default setting means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain.

    Disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers.

    same-ip

    http-ip-header-name

    Enter a name for the custom HTTP header that the original client IP address is added to.

    none

    https-cookie-secure

    Enable or disable using secure cookies for HTTPS sessions.

    disable

    id

    Custom defined ID.

    0

    max-embryonic-connections

    The maximum number of partially established SSL or HTTP connections, from 0 to 100000.

    1000

    nat-source-vip

    Enable to prevent unintended servers from using a virtual IP. Disable to use the actual IP address of the server (or the destination interface if using NAT) as the source address of connections from the server that pass through the device.

    disable

    outlook-web-access

    If enabled, the Front-End-Https: on header is inserted into the HTTP headers, and added to all HTTP requests.

    disable

    ssl-algorithm

    Set the permitted encryption algorithms for SSL sessions according to encryption strength:

    • high: permit only high encryption algorithms: AES or 3DES.
    • medium: permit high or medium (RC4) algorithms.
    • low: permit high, medium, or low (DES) algorithms.
    • custom: only allow some preselected cipher suites to be used.

    high

    ssl-client-fallback

    Enable to prevent Downgrade Attacks on client connections.

    enable

    ssl-client-renegotiation

    Select the SSL secure renegotiation policy.

    • allow: allow, but do not require secure renegotiation.
    • deny: do not allow renegotiation.
    • secure: require secure renegotiation.

    allow

    ssl-client-session-state-max

    The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000.

    1000

    ssl-client-session-state-timeout

    The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400.

    30

    ssl-client-session-state-type

    The method to use to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

    • both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    • count: expire SSL session states when ssl-client-session-state-max is exceeded.
    • disable: expire all SSL session states.
    • time: expire SSL session states when ssl-client-session-state-timeout is exceeded.

    both

    ssl-dh-bits

    The number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection: 768, 1024, 1536, 2048, 3072, or 4096.

    2048

    ssl-hpkp

    Enable or disable including HPKP header in response.

    disable

    ssl-hpkp-age

    The number of seconds that the client should honor the HPKP setting (60 - 157680000).

    5184000

    ssl-hpkp-backup

    Certificate to generate the backup HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name,vpn.certificate.ca.name).

    None

    ssl-hpkp-include-subdomains

    Enable or disable indicating that the HPKP header applies to all subdomains.

    disable

    ssl-hpkp-primary

    Certificate to generate the primary HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name,vpn.certificate.ca.name).

    None

    ssl-hpkp-report-uri

    URL to report HPKP violations to (size = 255).

    ssl-hsts

    Enable or disable including HSTS header in response.

    disable

    ssl-hsts-age

    The number of seconds that the client should honour the HSTS setting (60 - 157680000).

    5184000

    ssl-hsts-include-subdomains

    Enable or disable indicating that the HSTS header applies to all subdomains.

    disable

    ssl-http-location-conversion

    Enable to replace http with https in the reply’s Location HTTP header field.

    disable

    ssl-http-match-host

    Enable to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field or, if the Host field does not exist, the host name portion of the request’s URI.

    disable

    ssl-max-version

    The highest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

    tls-1.2

    ssl-min-version

    The lowest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

    tls-1.0

    ssl-pfs

    Select the handling of Perfect Forward Secrecy (PFS) by controlling the cipher suites that can be selected.

    • allow: allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
    • deny: allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
    • require: allow only Diffie-Hellman cipher-suites, so PFS is applied.

    allow

    ssl-send-empty-frags

    Enable to precede the record with empty fragments to thwart attacks on CBC IV.

    Disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments.

    enable

    ssl-server-algorithm

    Set the permitted encryption algorithms for SSL server sessions according to encryption strength:

    • high: permit only high encryption algorithms: AES or 3DES.
    • medium: permit high or medium (RC4) algorithms.
    • low: permit high, medium, or low (DES) algorithms.
    • custom: only allow some preselected cipher suites to be used.

    client

    ssl-server-max-version

    The highest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

    client

    ssl-server-min-version

    The lowest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

    client

    ssl-server-session-state-max

    The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000.

    100

    ssl-server-session-state-timeout

    The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400.

    60

    ssl-server-session-state-type

    The method to use to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

    • both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    • count: expire SSL session states when ssl-client-session-state-max is exceeded.
    • disable: expire all SSL session states.
    • time: expire SSL session states when ssl-client-session-state-timeout is exceeded.

    both

    weblogic-server

    Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server.

    disable

    websphere-server

    Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server.

    disable
    Previous
    Next

    Central DNAT

    Central DNAT

    The FortiGate unit checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the Internet that is going to be directed to a server on a network behind the FortiGate device. DNAT means the actual address of the internal network is hidden from the Internet. This step determines whether a route to the destination address actually exists.

    DNAT must take place before routing so that the unit can route packets to the correct destination.

    DNAT policies can be created, or imported from Virtual IP (VIP) objects. Virtual servers can also be imported from ADOM objects to DNAT policies. DNAT policies are automatically added to the VIP object table (Object Configurations > Firewall Objects > Virtual IPs) when they are created.

    VIPs can be edited from either the DNAT or VIP object tables by double-clicking on the VIP, right-clicking on the VIP and selected Edit, or selecting the VIP and clicking Edit in the toolbar. The network type cannot be changed. DNAT policies can also be copied, pasted, cloned, and moved from the right-click or Edit menus.

    Deleting a DNAT policy does not delete the corresponding VIP object, and a VIP object cannot be deleted if it is in the DNAT table.

    DNAT policies support overlapping IP address ranges; VIPs do not. DNAT policies do not support VIP groups.

    Central DNAT does not support Section View.

    Central NAT must be enabled when creating or editing the policy package for this option to be available in the tree menu. See Create new policy packages.

    Central DNAT must be enabled in Tools > Display Options as well for the option to be visible in the tree menu. See Display options.
    To create a new central DNAT entry:
    1. Ensure you are in the correct ADOM.
    2. Go to Policy & Objects > Policy Packages.
    3. In the tree menu for the policy package, click Central DNAT.
    4. Click Create New, or, from the Create New menu, select Insert Above or Insert Below. By default, policies will be added to the bottom of the list. The Create New Virtual IP pane opens.
    5. Configure the following settings, then click OK to create the VIP:

      Name

      Enter a unique name for the DNAT.

      Comments

      Optionally, enter comments about the DNAT, such as its purpose, or the changes that have been made to it.

      Color

      Select a color.

      Interface

      Select an interface.

      Network Type

      Select the network type: Static NAT, DNS Translation, or FQDN.

      External IP Address/Range

      Enter the start and end external IP addresses in the fields. If there is only one address, enter it in both fields.

      This option is not available when the network type is FQDN.

      Mapped IP Address/Range

      Enter the mapped IP address.

      This option is not available when the network type is FQDN.

      External IP Address

      Enter the external IP address.

      This option is only available when the network type is FQDN.

      Mapped Address

      Select the mapped address.

      This option is only available when the network type is FQDN.

      Source Interface Filter

      Select a source interface filter.

      Optional Filters

      Enable or disable optional filters.

      Source Address

      Add source IP, range, or subnet filters. Multiple filters can be added using the Add icon.

      Services

      Enable and add services.

      Port Forwarding

      Enable or disable port forwarding.

      Protocol

      Select the protocol: TCP, UDP, SCTP, or ICMP.

      External Service Port

      Enter the external service port.

      This option is not available when Protocol is ICMP.

      Map to Port

      Enter the map to port.

      This option is not available when Protocol is ICMP.

      Enable ARP Reply

      Select to enable ARP reply.

      Add To Groups

      Optionally, select groups to add the virtual IP to from the list.

      Advanced Options

      Configure advanced options, see Advanced options.

      For more information on advanced option, see the FortiOS CLI Reference.

      Per-Device Mapping

      Enable or disable per-device mapping.

      If multiple imported VIP objects have the same name but different details, the object type will become Dynamic Virtual IP, and the per-device mappings will be listed here.

      Mappings can also be manually added, edited, and deleted as needed.

    To import VIPs from the Virtual IP object table:
    1. Ensure you are in the correct ADOM.
    2. Go to Policy &Objects > Policy Packages.
    3. In the tree menu for the policy package, click Central DNAT.
    4. Click Import in the toolbar. The Import dialog box will open.
    5. Select the VIP object or objects that need to be imported. If necessary, use the search box to locate specific objects.
    6. Click OK to import the VIPs to the Central DNAT table.
    Advanced options

    Option

    Description

    Default

    dns-mapping-ttl

    Enter time-to-live for DNS response, from 0 to 604 800. 0 means use the DNS server's response time.

    0

    extaddr

    Select an address.

    None

    gratuitous-arp-interval

    Set the time interval between sending of gratuitous ARP packets by a virtual IP. 0 disables this feature.

    0

    http-cookie-age

    Set how long the browser caches cooking, from 0 to 525600 seconds.

    60

    http-cookie-domain

    Enter the domain name to restrict the cookie to.

    none

    http-cookie-domain-from-host

    If enabled, when the unit adds a SetCookie to the HTTP(S) response, the Domain attribute in the SetCookie is set to the value of the Host: header, if there is one.

    disable

    http-cookie-generation

    The exact value of the generation is not important, only that it is different from any generation that has already been used.

    0

    http-cookie-path

    Limit the cookies to a particular path.

    none

    http-cookie-share

    Configure HTTP cookie persistence to control the sharing of cookies across more than one virtual server.

    The default setting means that any cookie generated by one virtual server can be used by another virtual server in the same virtual domain.

    Disable to make sure that a cookie generated for a virtual server cannot be used by other virtual servers.

    same-ip

    http-ip-header-name

    Enter a name for the custom HTTP header that the original client IP address is added to.

    none

    https-cookie-secure

    Enable or disable using secure cookies for HTTPS sessions.

    disable

    id

    Custom defined ID.

    0

    max-embryonic-connections

    The maximum number of partially established SSL or HTTP connections, from 0 to 100000.

    1000

    nat-source-vip

    Enable to prevent unintended servers from using a virtual IP. Disable to use the actual IP address of the server (or the destination interface if using NAT) as the source address of connections from the server that pass through the device.

    disable

    outlook-web-access

    If enabled, the Front-End-Https: on header is inserted into the HTTP headers, and added to all HTTP requests.

    disable

    ssl-algorithm

    Set the permitted encryption algorithms for SSL sessions according to encryption strength:

    • high: permit only high encryption algorithms: AES or 3DES.
    • medium: permit high or medium (RC4) algorithms.
    • low: permit high, medium, or low (DES) algorithms.
    • custom: only allow some preselected cipher suites to be used.

    high

    ssl-client-fallback

    Enable to prevent Downgrade Attacks on client connections.

    enable

    ssl-client-renegotiation

    Select the SSL secure renegotiation policy.

    • allow: allow, but do not require secure renegotiation.
    • deny: do not allow renegotiation.
    • secure: require secure renegotiation.

    allow

    ssl-client-session-state-max

    The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000.

    1000

    ssl-client-session-state-timeout

    The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400.

    30

    ssl-client-session-state-type

    The method to use to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

    • both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    • count: expire SSL session states when ssl-client-session-state-max is exceeded.
    • disable: expire all SSL session states.
    • time: expire SSL session states when ssl-client-session-state-timeout is exceeded.

    both

    ssl-dh-bits

    The number of bits used in the Diffie-Hellman exchange for RSA encryption of the SSL connection: 768, 1024, 1536, 2048, 3072, or 4096.

    2048

    ssl-hpkp

    Enable or disable including HPKP header in response.

    disable

    ssl-hpkp-age

    The number of seconds that the client should honor the HPKP setting (60 - 157680000).

    5184000

    ssl-hpkp-backup

    Certificate to generate the backup HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name,vpn.certificate.ca.name).

    None

    ssl-hpkp-include-subdomains

    Enable or disable indicating that the HPKP header applies to all subdomains.

    disable

    ssl-hpkp-primary

    Certificate to generate the primary HPKP pin from (size = 35, datasource(s) = vpn.certificate.local.name,vpn.certificate.ca.name).

    None

    ssl-hpkp-report-uri

    URL to report HPKP violations to (size = 255).

    ssl-hsts

    Enable or disable including HSTS header in response.

    disable

    ssl-hsts-age

    The number of seconds that the client should honour the HSTS setting (60 - 157680000).

    5184000

    ssl-hsts-include-subdomains

    Enable or disable indicating that the HSTS header applies to all subdomains.

    disable

    ssl-http-location-conversion

    Enable to replace http with https in the reply’s Location HTTP header field.

    disable

    ssl-http-match-host

    Enable to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field or, if the Host field does not exist, the host name portion of the request’s URI.

    disable

    ssl-max-version

    The highest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

    tls-1.2

    ssl-min-version

    The lowest version of SSL/TLS to allow in SSL sessions: ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

    tls-1.0

    ssl-pfs

    Select the handling of Perfect Forward Secrecy (PFS) by controlling the cipher suites that can be selected.

    • allow: allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.
    • deny: allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
    • require: allow only Diffie-Hellman cipher-suites, so PFS is applied.

    allow

    ssl-send-empty-frags

    Enable to precede the record with empty fragments to thwart attacks on CBC IV.

    Disable this option if SSL acceleration will be used with an old or buggy SSL implementation which cannot properly handle empty fragments.

    enable

    ssl-server-algorithm

    Set the permitted encryption algorithms for SSL server sessions according to encryption strength:

    • high: permit only high encryption algorithms: AES or 3DES.
    • medium: permit high or medium (RC4) algorithms.
    • low: permit high, medium, or low (DES) algorithms.
    • custom: only allow some preselected cipher suites to be used.

    client

    ssl-server-max-version

    The highest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

    client

    ssl-server-min-version

    The lowest version of SSL/TLS to allow in SSL server sessions: client, ssl-3.0, tls-1.0, tls-1.1, or tls-1.2.

    client

    ssl-server-session-state-max

    The maximum number of SSL session states to keep for the segment of the SSL connection between the client and the unit, from 0 to 100000.

    100

    ssl-server-session-state-timeout

    The number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the unit, from 1 to 14400.

    60

    ssl-server-session-state-type

    The method to use to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

    • both: expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
    • count: expire SSL session states when ssl-client-session-state-max is exceeded.
    • disable: expire all SSL session states.
    • time: expire SSL session states when ssl-client-session-state-timeout is exceeded.

    both

    weblogic-server

    Enable or disable adding an HTTP header to indicate SSL offloading for a WebLogic server.

    disable

    websphere-server

    Enable or disable adding an HTTP header to indicate SSL offloading for a WebSphere server.

    disable
    Previous
    Next