config firewall access-proxy

Configure IPv4 access proxy.

config firewall access-proxy
    Description: Configure IPv4 access proxy.
    edit <name>
        set vip {string}
        set client-cert [disable|enable]
        set user-agent-detect [disable|enable]
        set auth-portal [disable|enable]
        set auth-virtual-host {string}
        set empty-cert-action [accept|block|...]
        set log-blocked-traffic [enable|disable]
        set add-vhost-domain-to-dnsdb [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-ttl {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-server-max-concurrent-request {integer}
        set decrypted-traffic-mirror {string}
        config api-gateway
            Description: Set IPv4 API Gateway.
            edit <id>
                set url-map {string}
                set service [http|https|...]
                set ldb-method [static|round-robin|...]
                set virtual-host {string}
                set url-map-type [sub-string|wildcard|...]
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                config quic
                    Description: QUIC setting.
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                    set active-connection-id-limit {integer}
                    set ack-delay-exponent {integer}
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set ip {ipv4-address-any}
                        set domain {string}
                        set port {integer}
                        set mappedport {user}
                        set status [active|standby|...]
                        set type [tcp-forwarding|ssh]
                        set external-auth [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set weight {integer}
                        set http-host {string}
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set translate-host [enable|disable]
                        set ssh-client-cert {string}
                        set ssh-host-key-validation [disable|enable]
                        set ssh-host-key <name1>, <name2>, ...
                    next
                end
                set application <name1>, <name2>, ...
                set persistence [none|http-cookie]
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-domain {string}
                set http-cookie-path {string}
                set http-cookie-generation {integer}
                set http-cookie-age {integer}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set saml-server {string}
                set saml-redirect [disable|enable]
                set ssl-dh-bits [768|1024|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
            next
        end
        config api-gateway6
            Description: Set IPv6 API Gateway.
            edit <id>
                set url-map {string}
                set service [http|https|...]
                set ldb-method [static|round-robin|...]
                set virtual-host {string}
                set url-map-type [sub-string|wildcard|...]
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                config quic
                    Description: QUIC setting.
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                    set active-connection-id-limit {integer}
                    set ack-delay-exponent {integer}
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set ip {ipv6-address}
                        set domain {string}
                        set port {integer}
                        set mappedport {user}
                        set status [active|standby|...]
                        set type [tcp-forwarding|ssh]
                        set external-auth [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set weight {integer}
                        set http-host {string}
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set translate-host [enable|disable]
                        set ssh-client-cert {string}
                        set ssh-host-key-validation [disable|enable]
                        set ssh-host-key <name1>, <name2>, ...
                    next
                end
                set application <name1>, <name2>, ...
                set persistence [none|http-cookie]
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-domain {string}
                set http-cookie-path {string}
                set http-cookie-generation {integer}
                set http-cookie-age {integer}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set saml-server {string}
                set saml-redirect [disable|enable]
                set ssl-dh-bits [768|1024|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
            next
        end
    next
end

config firewall access-proxy

Parameter

Description

Type

Size

Default

name

Access Proxy name.

string

Maximum length: 79

vip

Virtual IP name.

string

Maximum length: 79

client-cert

Enable/disable to request client certificate.

option

-

enable

Option

Description

disable

Disable client certificate request.

enable

Enable client certificate request.

user-agent-detect

Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

option

-

enable

Option

Description

disable

Do not detect the device type by HTTP user-agent when no client certificate is provided.

enable

Detect the device type by HTTP user-agent when no client certificate is provided.

auth-portal

Enable/disable authentication portal.

option

-

disable

Option

Description

disable

Disable authentication portal.

enable

Enable authentication portal.

auth-virtual-host

Virtual host for authentication portal.

string

Maximum length: 79

empty-cert-action

Action of an empty client certificate.

option

-

block

Option

Description

accept

Accept the SSL handshake if the client certificate is empty.

block

Block the SSL handshake if the client certificate is empty.

accept-unmanageable

Accept the SSL handshake only if the end-point is unmanageable.

log-blocked-traffic

Enable/disable logging of blocked traffic.

option

-

enable

Option

Description

enable

Log all traffic denied by this access proxy.

disable

Do not log all traffic denied by this access proxy.

add-vhost-domain-to-dnsdb

Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel.

option

-

disable

Option

Description

enable

Add a DNS entry for all vhosts used by the access proxy.

disable

Do not add a DNS entry for all vhosts used by the access proxy.

svr-pool-multiplex

Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway.

option

-

enable

Option

Description

enable

Enable server pool multiplexing. Share connected server.

disable

Disable server pool multiplexing. Do not share connected server.

svr-pool-ttl

Time-to-live in the server pool for idle connections to servers.

integer

Minimum value: 0 Maximum value: 2147483647

15

svr-pool-server-max-request

Maximum number of requests that servers in server pool handle before disconnecting.

integer

Minimum value: 0 Maximum value: 2147483647

0

svr-pool-server-max-concurrent-request

Maximum number of concurrent requests that servers in server pool could handle.

integer

Minimum value: 0 Maximum value: 2147483647

0

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

config api-gateway

Parameter

Description

Type

Size

Default

id

API Gateway ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

url-map

URL pattern to match.

string

Maximum length: 511

/

service

Service.

option

-

https

Option

Description

http

HTTP.

https

HTTPS.

tcp-forwarding

TCP-FORWARDING.

samlsp

SAML-SP.

saas

SAAS.

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to servers in round-robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

virtual-host

Virtual host.

string

Maximum length: 79

url-map-type

Type of url-map.

option

-

sub-string

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

h2-support

HTTP2 support, default=Enable.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

HTTP3/QUIC support, default=Disable.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

application <name>

SaaS application controlled by this Access Proxy.

SaaS application name.

string

Maximum length: 79

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use the http-cookie-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-share

Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable marking inserted persistence cookies with the Secure attribute, so browsers return them only over HTTPS.

option

-

disable

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure; the cookie can only be used for an HTTPS connection.

saml-server

SAML service provider configuration for VIP authentication.

string

Maximum length: 35

saml-redirect

Enable/disable SAML redirection after successful authentication.

option

-

enable

Option

Description

disable

Do not support redirection after successful SAML authentication.

enable

Support redirection after successful SAML authentication.

ssl-dh-bits

Size of the Diffie-Hellman group used for the DHE key exchange (DHE-RSA and DHE-DSS cipher suites) on the server-side SSL session. 768- and 1024-bit groups are within reach of well-resourced attackers (the Logjam class of attacks); keep 2048 or larger, or prefer ECDHE suites, which do not use this parameter.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions, grouped by strength. medium and low admit RC4, 3DES and single DES, all of which are broken or deprecated; keep high unless a legacy back end cannot negotiate AES or ChaCha20.

option

-

high

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version

Lowest SSL/TLS version acceptable from a server. The default admits TLS 1.1, which RFC 8996 deprecates along with TLS 1.0; set tls-1.2 unless a legacy back end requires otherwise.

option

-

tls-1.1

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a server.

option

-

tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

-

enable

Option

Description

enable

Enable secure renegotiation.

disable

Disable secure renegotiation.

config quic

Parameter

Description

Type

Size

Default

max-idle-timeout

Maximum idle timeout milliseconds.

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes.

integer

Minimum value: 1200 Maximum value: 1500

1500

active-connection-id-limit

Active connection ID limit.

integer

Minimum value: 1 Maximum value: 8

2

ack-delay-exponent

ACK delay exponent.

integer

Minimum value: 1 Maximum value: 20

3

max-ack-delay

Maximum ACK delay in milliseconds.

integer

Minimum value: 1 Maximum value: 16383

25

max-datagram-frame-size

Maximum datagram frame size in bytes.

integer

Minimum value: 1 Maximum value: 1500

1500

active-migration

Enable/disable active migration.

option

-

disable

Option

Description

enable

Enable active migration.

disable

Disable active migration.

grease-quic-bit

Enable/disable grease QUIC bit.

option

-

enable

Option

Description

enable

Enable grease QUIC bit.

disable

Disable grease QUIC bit.

config realservers

Parameter

Description

Type

Size

Default

id

Real server ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

addr-type

Type of address.

option

-

ip

Option

Description

ip

Standard IPv4 address.

fqdn

Non-wildcard FQDN address object.

address

Address or address group of the real server.

string

Maximum length: 79

ip

IPv4 address of the real server.

ipv4-address-any

Not Specified

0.0.0.0

domain

Wildcard domain name of the real server.

string

Maximum length: 255

port

Port for communicating with the real server.

integer

Minimum value: 1 Maximum value: 65535

443

mappedport

Port, or port range, on the real server that forwarded connections are mapped to (used with TCP forwarding); entered as a string.

user

Not Specified

status

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

option

-

active

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disable.

type

TCP forwarding server type.

option

-

tcp-forwarding

Option

Description

tcp-forwarding

TCP forwarding.

ssh

SSH.

external-auth

Enable/disable use of external browser as user-agent for SAML user authentication.

option

-

disable

Option

Description

enable

Enable use of external browser as user-agent for SAML user authentication.

disable

Disable use of external browser as user-agent for SAML user authentication.

tunnel-encryption

Tunnel encryption.

option

-

disable

Option

Description

enable

Enable tcp forwarding tunnel encryption.

disable

Disable tcp forwarding tunnel encryption.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

1

http-host

HTTP server domain name in HTTP header.

string

Maximum length: 63

health-check

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

disable

Option

Description

disable

Disable per server health check.

enable

Enable per server health check.

health-check-proto

Protocol of the health check monitor to use when polling to determine server's connectivity status.

option

-

ping

Option

Description

ping

Use PING to test the link with the server.

http

Use HTTP-GET to test the link with the server.

tcp-connect

Use a full TCP connection to test the link with the server.

holddown-interval

Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).

option

-

enable

Option

Description

enable

Enable per server holddown.

disable

Disable per server holddown.

translate-host

Enable/disable translation of hostname/IP from virtual server to real server.

option

-

enable

Option

Description

enable

Enable virtual hostname/IP translation.

disable

Disable virtual hostname/IP translation.

ssh-client-cert

Set access-proxy SSH client certificate profile.

string

Maximum length: 79

ssh-host-key-validation

Enable/disable SSH real server host key validation.

option

-

disable

Option

Description

disable

Disable SSH real server host key validation.

enable

Enable SSH real server host key validation.

ssh-host-key <name>

One or more server host key.

Server host key name.

string

Maximum length: 79
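The settings in the tables above (client-cert and empty-cert-action on the proxy, the ssl-* and cookie options on each api-gateway, and ssh-host-key-validation on SSH real servers) are easiest to review from a `show firewall access-proxy` dump. The script below is an added example, not Fortinet code: it parses the config/edit/set/next/end syntax shown in the CLI tree at the top of this page into nested dictionaries and checks each access proxy against the documented defaults. The sample dump is constructed for the example; the proxy names and addresses in it are placeholders. Because `show` omits attributes still at their default, every lookup falls back to the default listed in the tables, which is what makes an unconfigured `ssh-host-key-validation` or the default `ssl-min-version tls-1.1` show up as a finding.

```python
"""Audit `show firewall access-proxy` output for weak ZTNA settings (added example, not Fortinet code)."""

# Constructed sample dump in the config/edit/set/next/end syntax documented above.
# Proxy names and addresses are placeholders, not taken from any real device.
SAMPLE_SHOW = """\
config firewall access-proxy
    edit "ztna-weak"
        set client-cert disable
        set empty-cert-action accept
        config api-gateway
            edit 1
                set service https
                set persistence http-cookie
                set https-cookie-secure disable
                set ssl-dh-bits 1024
                set ssl-algorithm medium
                set ssl-min-version tls-1.0
            next
            edit 2
                set service tcp-forwarding
                config realservers
                    edit 1
                        set ip 10.0.0.20
                        set type ssh
                    next
                end
            next
        end
    next
    edit "ztna-hardened"
        config api-gateway
            edit 1
                set persistence http-cookie
                set https-cookie-secure enable
                set ssl-min-version tls-1.2
            next
        end
    next
end
"""

def parse_fortios(text: str) -> dict:
    """config X / edit K open a child dict stored under X or K; set A V... stores V on the
    current dict (a string, or a list when several values follow); next/end close it."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb in ("config", "edit"):
            child: dict = {}
            stack[-1][rest.strip('"')] = child
            stack.append(child)
        elif verb == "set":
            attr, _, value = rest.partition(" ")
            vals = [v.strip('"') for v in value.split()]
            stack[-1][attr] = vals[0] if len(vals) == 1 else vals
        elif verb in ("next", "end"):
            stack.pop()
    return root

TLS_ORDER = ["tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]

def audit_access_proxy(name: str, ap: dict) -> list[str]:
    """Findings for one access proxy. `show` omits attributes still at their default,
    so each lookup falls back to the default documented in the tables above."""
    out = []
    if ap.get("client-cert", "enable") != "enable":
        out.append(f"{name}: client-cert disable, device certificate is never requested")
    if ap.get("empty-cert-action", "block") == "accept":
        out.append(f"{name}: empty-cert-action accept admits clients without a certificate")
    for gw_key in ("api-gateway", "api-gateway6"):
        for gid, gw in ap.get(gw_key, {}).items():
            tag = f"{name}/{gw_key}/{gid}"
            if gw.get("service", "https") == "https":  # ssl-* govern the server-side TLS leg
                if TLS_ORDER.index(gw.get("ssl-min-version", "tls-1.1")) < TLS_ORDER.index("tls-1.2"):
                    out.append(f"{tag}: ssl-min-version below tls-1.2 (default is tls-1.1)")
                if int(gw.get("ssl-dh-bits", "2048")) < 2048:
                    out.append(f"{tag}: ssl-dh-bits {gw['ssl-dh-bits']} is below 2048")
                if gw.get("ssl-algorithm", "high") != "high":
                    out.append(f"{tag}: ssl-algorithm {gw['ssl-algorithm']} permits RC4/3DES/DES")
                if (gw.get("persistence", "none") == "http-cookie"
                        and gw.get("https-cookie-secure", "disable") != "enable"):
                    out.append(f"{tag}: persistence cookie is not marked Secure")
            for rid, rs in gw.get("realservers", {}).items():
                if (rs.get("type", "tcp-forwarding") == "ssh"
                        and rs.get("ssh-host-key-validation", "disable") != "enable"):
                    out.append(f"{tag}/realservers/{rid}: SSH host key is not validated")
    return out

def audit_dump(text: str) -> dict[str, list[str]]:
    """Map every access-proxy name in a dump to its findings (empty list means clean)."""
    proxies = parse_fortios(text).get("firewall access-proxy", {})
    return {name: audit_access_proxy(name, ap) for name, ap in proxies.items()}
```

Feed `audit_dump` the text of a real `show firewall access-proxy` to get per-proxy findings; `show full-configuration` prints the defaults explicitly if you would rather not rely on the fallbacks built into the checks.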

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

0

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.
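The cipher table above lists everything `set cipher` accepts, from TLS 1.3 AEAD suites down to RC4, single DES and MD5-based suites, and `versions` defaults to every protocol version, so an otherwise modern suite can still be offered under TLS 1.0. The script below is an added example, not Fortinet code: it classifies suite names by key exchange, record protection and the TLS versions they actually belong to, keeps only TLS 1.3 and forward-secret AEAD suites, and renders the result as the `config ssl-cipher-suites` block shown in the CLI tree, one priority per suite with `versions` narrowed to what each suite supports. The SAMPLE list is constructed for the example.

```python
"""Classify `ssl-cipher-suites` names and emit a hardened priority list (added example, not Fortinet code)."""
import re

# Constructed sample: strong, legacy and broken names, spelled as the table above spells them.
SAMPLE = [
    "TLS-RSA-WITH-RC4-128-MD5",
    "TLS-RSA-WITH-DES-CBC-SHA",
    "TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA",
    "TLS-RSA-WITH-AES-128-GCM-SHA256",
    "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
    "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
    "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
    "TLS-AES-128-GCM-SHA256",
    "TLS-AES-256-GCM-SHA384",
]

# RC4, single DES, 3DES (64-bit block, Sweet32) and MD5-based MACs: never offer these.
BROKEN = re.compile(r"RC4|-DES-CBC-|3DES|MD5")


def classify(name: str) -> dict:
    """Describe one suite: TLS 1.3 or not, key exchange, AEAD or CBC, and the versions it belongs to."""
    tls13 = "-WITH-" not in name  # TLS 1.3 suite names carry no key-exchange/auth part
    if "ECDHE" in name:
        kx = "ECDHE"
    elif "-DHE-" in name:
        kx = "DHE"
    elif name.startswith("TLS-RSA-WITH-"):
        kx = "RSA"  # static RSA key transport: no forward secrecy
    else:
        kx = "n/a"  # TLS 1.3: (EC)DHE is implied by the protocol
    if tls13:
        versions = ["tls-1.3"]
    elif name.endswith(("SHA256", "SHA384")):
        versions = ["tls-1.2"]  # SHA-2 PRF and AEAD suites exist only from TLS 1.2
    else:
        versions = ["tls-1.0", "tls-1.1", "tls-1.2"]  # HMAC-SHA1 suites date from TLS 1.0
    return {
        "name": name,
        "tls13": tls13,
        "pfs": tls13 or kx in ("ECDHE", "DHE"),
        "aead": "GCM" in name or "POLY1305" in name,
        "broken": bool(BROKEN.search(name)),
        "versions": versions,
    }


def recommended(names: list[str]) -> list[dict]:
    """Keep TLS 1.3 suites and forward-secret AEAD suites only, strongest first."""
    keep = [c for c in map(classify, names)
            if not c["broken"] and (c["tls13"] or (c["pfs"] and c["aead"]))]

    def rank(c: dict) -> tuple:
        n = c["name"]
        return (not c["tls13"], "ECDHE" not in n,
                "AES-256" not in n and "CHACHA20" not in n, n)

    return sorted(keep, key=rank)


def render_cli(suites: list[dict]) -> str:
    """Render the list as a `config ssl-cipher-suites` block, `versions` narrowed per suite
    instead of the all-versions default."""
    lines = ["config ssl-cipher-suites"]
    for prio, c in enumerate(suites, start=1):
        lines += [f"    edit {prio}",
                  f"        set cipher {c['name']}",
                  f"        set versions {' '.join(c['versions'])}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)
```

Paste the rendered block under the api-gateway entry; with `ssl-min-version tls-1.2` set alongside it, the narrowed `versions` lists are redundant but harmless, and they keep the SHA-1 CBC suites from reappearing under TLS 1.0 if someone later relaxes the minimum version.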

config api-gateway6

Parameter

Description

Type

Size

Default

id

API Gateway ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

url-map

URL pattern to match.

string

Maximum length: 511

/

service

Service.

option

-

https

Option

Description

http

HTTP.

https

HTTPS.

tcp-forwarding

TCP-FORWARDING.

samlsp

SAML-SP.

saas

SAAS.

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to servers in round-robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

virtual-host

Virtual host.

string

Maximum length: 79

url-map-type

Type of url-map.

option

-

sub-string

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

h2-support

HTTP2 support, default=Enable.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

HTTP3/QUIC support, default=Disable.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

application <name>

SaaS application controlled by this Access Proxy.

SaaS application name.

string

Maximum length: 79

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use the http-cookie-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-share

Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable marking inserted persistence cookies with the Secure attribute, so browsers return them only over HTTPS.

option

-

disable

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure; the cookie can only be used for an HTTPS connection.

saml-server

SAML service provider configuration for VIP authentication.

string

Maximum length: 35

saml-redirect

Enable/disable SAML redirection after successful authentication.

option

-

enable

Option

Description

disable

Do not support redirection after successful SAML authentication.

enable

Support redirection after successful SAML authentication.

ssl-dh-bits

Size of the Diffie-Hellman group used for the DHE key exchange (DHE-RSA and DHE-DSS cipher suites) on the server-side SSL session. 768- and 1024-bit groups are within reach of well-resourced attackers (the Logjam class of attacks); keep 2048 or larger, or prefer ECDHE suites, which do not use this parameter.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions, grouped by strength. medium and low admit RC4, 3DES and single DES, all of which are broken or deprecated; keep high unless a legacy back end cannot negotiate AES or ChaCha20.

option

-

high

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version

Lowest SSL/TLS version acceptable from a server. The default admits TLS 1.1, which RFC 8996 deprecates along with TLS 1.0; set tls-1.2 unless a legacy back end requires otherwise.

option

-

tls-1.1

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a server.

option

-

tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

-

enable

Option

Description

enable

Enable secure renegotiation.

disable

Disable secure renegotiation.

config quic

Parameter

Description

Type

Size

Default

max-idle-timeout

Maximum idle timeout milliseconds.

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes.

integer

Minimum value: 1200 Maximum value: 1500

1500

active-connection-id-limit

Active connection ID limit.

integer

Minimum value: 1 Maximum value: 8

2

ack-delay-exponent

ACK delay exponent.

integer

Minimum value: 1 Maximum value: 20

3

max-ack-delay

Maximum ACK delay in milliseconds.

integer

Minimum value: 1 Maximum value: 16383

25

max-datagram-frame-size

Maximum datagram frame size in bytes.

integer

Minimum value: 1 Maximum value: 1500

1500

active-migration

Enable/disable active migration.

option

-

disable

grease-quic-bit

Enable/disable grease QUIC bit.

option

-

enable

config realservers

id
    Real server ID.
    Type: integer. Range: 0 to 4294967295. Default: 0.

addr-type
    Type of address.
    Type: option. Default: ip.
    Options:
        ip: IP address (the ip field).
        fqdn: Non-wildcard FQDN address object (the address field).

address
    Address or address group of the real server.
    Type: string. Maximum length: 79.

ip
    IPv6 address of the real server.
    Type: ipv6-address. Default: ::.

domain
    Wildcard domain name of the real server.
    Type: string. Maximum length: 255.

port
    Port for communicating with the real server.
    Type: integer. Range: 1 to 65535. Default: 443.

mappedport
    Port for communicating with the real server.
    Type: user.

status
    Set the status of the real server to active so that it can accept traffic, or to standby or disable so that no traffic is sent to it.
    Type: option. Default: active.
    Options:
        active: Server status active.
        standby: Server status standby.
        disable: Server status disable.

type
    Type of forwarding to the real server.
    Type: option. Default: tcp-forwarding.
    Options:
        tcp-forwarding: TCP forwarding.
        ssh: SSH.

external-auth
    Enable/disable use of an external browser as the user agent for SAML user authentication.
    Type: option. Default: disable.

tunnel-encryption
    Enable/disable encryption of the TCP forwarding tunnel.
    Type: option. Default: disable.

weight
    Weight of the real server. With weighted load balancing, servers with higher weights receive more connections.
    Type: integer. Range: 1 to 255. Default: 1.

http-host
    HTTP server domain name sent in the HTTP Host header.
    Type: string. Maximum length: 63.

health-check
    Enable to check the responsiveness of the real server before forwarding traffic.
    Type: option. Default: disable.

health-check-proto
    Protocol of the health check monitor used when polling to determine the server's connectivity status.
    Type: option. Default: ping.
    Options:
        ping: Use PING to test the link with the server.
        http: Use HTTP-GET to test the link with the server.
        tcp-connect: Use a full TCP connection to test the link with the server.

holddown-interval
    Enable/disable the holddown timer. The server is considered active and reachable once the holddown period (30 seconds) has expired.
    Type: option. Default: enable.

translate-host
    Enable/disable translation of the hostname/IP from the virtual server to the real server.
    Type: option. Default: enable.

ssh-client-cert
    Access-proxy SSH client certificate profile.
    Type: string. Maximum length: 79.

ssh-host-key-validation
    Enable/disable validation of the SSH real server's host key.
    Type: option. Default: disable.
    Note: at the default the proxy accepts whatever host key the backend presents, so anyone positioned between the proxy and the real server can impersonate it undetected. For type ssh, enable this and name the expected key(s) in ssh-host-key.

ssh-host-key <name>
    One or more server host key names, used when ssh-host-key-validation is enabled.
    Type: string. Maximum length: 79.

config ssl-cipher-suites

priority
    SSL/TLS cipher suite priority.
    Type: integer. Range: 0 to 4294967295. Default: 0.

cipher
    Cipher suite name.
    Type: option.
    Note: the selectable list includes RC4, single DES, 3DES and MD5-based suites for legacy servers; leave them out of any gateway whose real servers support AES-GCM or ChaCha20-Poly1305.

versions
    SSL/TLS versions that the cipher suite can be used with.
    Type: option. Default: tls-1.0 tls-1.1 tls-1.2 tls-1.3.
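Several of the settings above (ssl-algorithm, ssl-min-version, ssl-dh-bits, ssl-renegotiation, the ssl-cipher-suites entries and, under config realservers, ssh-host-key-validation) are safe only at particular values, and for ssl-min-version and ssh-host-key-validation the page's defaults are not those values. The script below, added here by the editor and not Fortinet code, parses a fragment in the CLI syntax shown on this page and reports every entry that should be changed together with the line that fixes it. The sample fragment is constructed and the thresholds (TLS 1.2 floor, 2048-bit DH) are the editor's choices; the walker descends through any nesting, so the same call also works on full show firewall access-proxy output, which goes beyond the single gateway table shown here.

```python
"""Audit the server-side TLS and SSH settings of access-proxy api-gateway entries.

Added example by the editor, not Fortinet code. It parses the CLI syntax shown on
this page and flags values the option tables allow but that should not be deployed.
"""
import shlex
from typing import NamedTuple

class Finding(NamedTuple):
    gateway: str    # path to the entry, e.g. "api-gateway6/1"
    severity: str
    message: str
    fix: str        # CLI line, inside that entry, that remediates it

# Constructed sample: the page's defaults for ssl-min-version and
# ssh-host-key-validation, plus explicitly weak DH, algorithm and cipher choices.
WEAK_CONFIG = """\
config api-gateway6
    edit 1
        set ssl-dh-bits 1024
        set ssl-algorithm medium
        set ssl-min-version tls-1.1
        set ssl-renegotiation disable
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
            next
            edit 2
                set cipher TLS-RSA-WITH-RC4-128-SHA
            next
        end
        config realservers
            edit 1
                set type ssh
            next
        end
    next
end
"""

TLS_ORDER = ["tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]
WEAK_TOKENS = {"RC4", "DES", "3DES", "MD5"}   # matched against the '-'-separated suite name

def parse_fortios(text):
    """config/edit/set/next/end -> {"set": {key: [values]}, "config": {table: {id: node}}}."""
    root = {"set": {}, "config": {}}
    stack = [root]                      # alternates entry node, table, entry node, ...
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb == "config":            # open a table under the current entry
            stack.append(stack[-1]["config"].setdefault(rest, {}))
        elif verb == "edit":            # open an entry in the current table
            node = {"set": {}, "config": {}}
            stack[-1][shlex.split(rest)[0]] = node
            stack.append(node)
        elif verb == "set":
            key, _, value = rest.partition(" ")
            stack[-1]["set"][key] = shlex.split(value)
        elif verb in ("next", "end"):   # close the entry / the table
            stack.pop()
    return root

def audit_gateway(path, gw):
    """Findings for one api-gateway entry; unset keys take the defaults from this page's tables."""
    get = lambda key, default: gw["set"].get(key, [default])[0]
    found = []
    flag = lambda sev, msg, fix: found.append(Finding(path, sev, msg, fix))
    if TLS_ORDER.index(get("ssl-min-version", "tls-1.1")) < TLS_ORDER.index("tls-1.2"):
        flag("high", "ssl-min-version admits TLS 1.0/1.1 (deprecated by RFC 8996)", "set ssl-min-version tls-1.2")
    if get("ssl-algorithm", "high") != "high":
        flag("high", "ssl-algorithm medium/low admits RC4, 3DES or DES", "set ssl-algorithm high")
    if int(get("ssl-dh-bits", "2048")) < 2048:
        flag("medium", "ssl-dh-bits below 2048", "set ssl-dh-bits 2048")
    if get("ssl-renegotiation", "enable") != "enable":
        flag("medium", "RFC 5746 secure renegotiation not enabled", "set ssl-renegotiation enable")
    for cid, suite in gw["config"].get("ssl-cipher-suites", {}).items():
        cipher = suite["set"].get("cipher", [""])[0]
        if WEAK_TOKENS & set(cipher.split("-")):
            flag("high", f"cipher suite {cid} ({cipher}) uses a broken algorithm",
                 f"config ssl-cipher-suites / delete {cid}")
    for rid, rs in gw["config"].get("realservers", {}).items():
        if (rs["set"].get("type", ["tcp-forwarding"])[0] == "ssh"
                and rs["set"].get("ssh-host-key-validation", ["disable"])[0] != "enable"):
            flag("high", f"real server {rid}: SSH host key not validated, backend can be impersonated",
                 f"config realservers / edit {rid} / set ssh-host-key-validation enable")
    return found

def audit_config(text):
    """Audit every api-gateway / api-gateway6 entry at any nesting depth."""
    found = []
    def walk(node, path):
        for table, entries in node["config"].items():
            for eid, entry in entries.items():
                here = f"{path}{table}/{eid}"
                if table in ("api-gateway", "api-gateway6"):
                    found.extend(audit_gateway(here, entry))
                walk(entry, here + "/")
    walk(parse_fortios(text), "")
    return found
```

Run against WEAK_CONFIG it returns six findings for api-gateway6/1, four of them high; apply each fix line inside that entry (and add a set ssh-host-key entry naming the backend's key) and a second run returns nothing.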

config firewall access-proxy

config firewall access-proxy

Configure IPv4 access proxy.

config firewall access-proxy
    Description: Configure IPv4 access proxy.
    edit <name>
        set vip {string}
        set client-cert [disable|enable]
        set user-agent-detect [disable|enable]
        set auth-portal [disable|enable]
        set auth-virtual-host {string}
        set empty-cert-action [accept|block|...]
        set log-blocked-traffic [enable|disable]
        set add-vhost-domain-to-dnsdb [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-ttl {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-server-max-concurrent-request {integer}
        set decrypted-traffic-mirror {string}
        config api-gateway
            Description: Set IPv4 API Gateway.
            edit <id>
                set url-map {string}
                set service [http|https|...]
                set ldb-method [static|round-robin|...]
                set virtual-host {string}
                set url-map-type [sub-string|wildcard|...]
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                config quic
                    Description: QUIC setting.
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                    set active-connection-id-limit {integer}
                    set ack-delay-exponent {integer}
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set ip {ipv4-address-any}
                        set domain {string}
                        set port {integer}
                        set mappedport {user}
                        set status [active|standby|...]
                        set type [tcp-forwarding|ssh]
                        set external-auth [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set weight {integer}
                        set http-host {string}
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set translate-host [enable|disable]
                        set ssh-client-cert {string}
                        set ssh-host-key-validation [disable|enable]
                        set ssh-host-key <name1>, <name2>, ...
                    next
                end
                set application <name1>, <name2>, ...
                set persistence [none|http-cookie]
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-domain {string}
                set http-cookie-path {string}
                set http-cookie-generation {integer}
                set http-cookie-age {integer}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set saml-server {string}
                set saml-redirect [disable|enable]
                set ssl-dh-bits [768|1024|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
            next
        end
        config api-gateway6
            Description: Set IPv6 API Gateway.
            edit <id>
                set url-map {string}
                set service [http|https|...]
                set ldb-method [static|round-robin|...]
                set virtual-host {string}
                set url-map-type [sub-string|wildcard|...]
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                config quic
                    Description: QUIC setting.
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                    set active-connection-id-limit {integer}
                    set ack-delay-exponent {integer}
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set ip {ipv6-address}
                        set domain {string}
                        set port {integer}
                        set mappedport {user}
                        set status [active|standby|...]
                        set type [tcp-forwarding|ssh]
                        set external-auth [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set weight {integer}
                        set http-host {string}
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set translate-host [enable|disable]
                        set ssh-client-cert {string}
                        set ssh-host-key-validation [disable|enable]
                        set ssh-host-key <name1>, <name2>, ...
                    next
                end
                set application <name1>, <name2>, ...
                set persistence [none|http-cookie]
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-domain {string}
                set http-cookie-path {string}
                set http-cookie-generation {integer}
                set http-cookie-age {integer}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set saml-server {string}
                set saml-redirect [disable|enable]
                set ssl-dh-bits [768|1024|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
            next
        end
    next
end

config firewall access-proxy

Parameter

Description

Type

Size

Default

name

Access Proxy name.

string

Maximum length: 79

vip

Virtual IP name.

string

Maximum length: 79

client-cert

Enable/disable to request client certificate.

option

-

enable

Option

Description

disable

Disable client certificate request.

enable

Enable client certificate request.

user-agent-detect

Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

option

-

enable

Option

Description

disable

Disable to detect unknown device by HTTP user-agent if no client certificate provided.

enable

Enable to detect unknown device by HTTP user-agent if no client certificate provided.

auth-portal

Enable/disable authentication portal.

option

-

disable

Option

Description

disable

Disable authentication portal.

enable

Enable authentication portal.

auth-virtual-host

Virtual host for authentication portal.

string

Maximum length: 79

empty-cert-action

Action of an empty client certificate.

option

-

block

Option

Description

accept

Accept the SSL handshake if the client certificate is empty.

block

Block the SSL handshake if the client certificate is empty.

accept-unmanageable

Accept the SSL handshake only if the end-point is unmanageable.

log-blocked-traffic

Enable/disable logging of blocked traffic.

option

-

enable

Option

Description

enable

Log all traffic denied by this access proxy.

disable

Do not log all traffic denied by this access proxy.

add-vhost-domain-to-dnsdb

Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel.

option

-

disable

Option

Description

enable

add dns entry for all vhosts used by access proxy.

disable

Do not add dns entry for all vhosts used by access proxy.

svr-pool-multiplex

Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway.

option

-

enable

Option

Description

enable

Enable server pool multiplexing. Share connected server.

disable

Disable server pool multiplexing. Do not share connected server.

svr-pool-ttl

Time-to-live in the server pool for idle connections to servers.

integer

Minimum value: 0 Maximum value: 2147483647

15

svr-pool-server-max-request

Maximum number of requests that servers in server pool handle before disconnecting.

integer

Minimum value: 0 Maximum value: 2147483647

0

svr-pool-server-max-concurrent-request

Maximum number of concurrent requests that servers in server pool could handle.

integer

Minimum value: 0 Maximum value: 2147483647

0

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

config api-gateway

Parameter

Description

Type

Size

Default

id

API Gateway ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

url-map

URL pattern to match.

string

Maximum length: 511

/

service

Service.

option

-

https

Option

Description

http

HTTP.

https

HTTPS.

tcp-forwarding

TCP-FORWARDING.

samlsp

SAML-SP.

saas

SAAS.

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

virtual-host

Virtual host.

string

Maximum length: 79

url-map-type

Type of url-map.

option

-

sub-string

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

h2-support

HTTP2 support, default=Enable.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

HTTP3/QUIC support, default=Disable.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

application <name>

SaaS application controlled by this Access Proxy.

SaaS application name.

string

Maximum length: 79

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-share

Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

saml-server

SAML service provider configuration for VIP authentication.

string

Maximum length: 35

saml-redirect

Enable/disable SAML redirection after successful authentication.

option

-

enable

Option

Description

disable

Do not support redirection after successful SAML authentication.

enable

Support redirection after successful SAML authentication.

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

high

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version

Lowest SSL/TLS version acceptable from a server.

option

-

tls-1.1

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a server.

option

-

tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

-

enable

Option

Description

enable

Enable secure renegotiation.

disable

Disable secure renegotiation.

config quic

Parameter

Description

Type

Size

Default

max-idle-timeout

Maximum idle timeout milliseconds.

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes.

integer

Minimum value: 1200 Maximum value: 1500

1500

active-connection-id-limit

Active connection ID limit.

integer

Minimum value: 1 Maximum value: 8

2

ack-delay-exponent

ACK delay exponent.

integer

Minimum value: 1 Maximum value: 20

3

max-ack-delay

Maximum ACK delay in milliseconds.

integer

Minimum value: 1 Maximum value: 16383

25

max-datagram-frame-size

Maximum datagram frame size in bytes.

integer

Minimum value: 1 Maximum value: 1500

1500

active-migration

Enable/disable active migration.

option

-

disable

Option

Description

enable

Enable active migration.

disable

Disable active migration.

grease-quic-bit

Enable/disable grease QUIC bit.

option

-

enable

Option

Description

enable

Enable grease QUIC bit.

disable

Disable grease QUIC bit.

config realservers

Parameter

Description

Type

Size

Default

id

Real server ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

addr-type

Type of address.

option

-

ip

Option

Description

ip

Standard IPv4 address.

fqdn

Non-wildcard FQDN address object.

address

Address or address group of the real server.

string

Maximum length: 79

ip

IPv6 address of the real server.

ipv6-address

Not Specified

::

domain

Wildcard domain name of the real server.

string

Maximum length: 255

port

Port for communicating with the real server.

integer

Minimum value: 1 Maximum value: 65535

443

mappedport

Port for communicating with the real server.

user

Not Specified

status

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

option

-

active

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disable.

type

TCP forwarding server type.

option

-

tcp-forwarding

Option

Description

tcp-forwarding

TCP forwarding.

ssh

SSH.

external-auth

Enable/disable use of external browser as user-agent for SAML user authentication.

option

-

disable

Option

Description

enable

Enable use of external browser as user-agent for SAML user authentication.

disable

Disable use of external browser as user-agent for SAML user authentication.

tunnel-encryption

Tunnel encryption.

option

-

disable

Option

Description

enable

Enable tcp forwarding tunnel encryption.

disable

Disable tcp forwarding tunnel encryption.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

1

http-host

HTTP server domain name in HTTP header.

string

Maximum length: 63

health-check

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

disable

Option

Description

disable

Disable per server health check.

enable

Enable per server health check.

health-check-proto

Protocol of the health check monitor to use when polling to determine server's connectivity status.

option

-

ping

Option

Description

ping

Use PING to test the link with the server.

http

Use HTTP-GET to test the link with the server.

tcp-connect

Use a full TCP connection to test the link with the server.

holddown-interval

Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).

option

-

enable

Option

Description

enable

Enable per server holddown.

disable

Disable per server holddown.

translate-host

Enable/disable translation of hostname/IP from virtual server to real server.

option

-

enable

Option

Description

enable

Enable virtual hostname/IP translation.

disable

Disable virtual hostname/IP translation.

ssh-client-cert

Set access-proxy SSH client certificate profile.

string

Maximum length: 79

ssh-host-key-validation

Enable/disable SSH real server host key validation.

option

-

disable

Option

Description

disable

Disable SSH real server host key validation.

enable

Enable SSH real server host key validation.

ssh-host-key <name>

One or more server host key.

Server host key name.

string

Maximum length: 79

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

0

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config api-gateway6

Parameter

Description

Type

Size

Default

id

API Gateway ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

url-map

URL pattern to match.

string

Maximum length: 511

/

service

Service.

option

-

https

Option

Description

http

HTTP.

https

HTTPS.

tcp-forwarding

TCP-FORWARDING.

samlsp

SAML-SP.

saas

SAAS.

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

virtual-host

Virtual host.

string

Maximum length: 79

url-map-type

Type of url-map.

option

-

sub-string

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

h2-support

HTTP2 support, default=Enable.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

HTTP3/QUIC support, default=Disable.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

application <name>

SaaS application controlled by this Access Proxy.

SaaS application name.

string

Maximum length: 79

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

http-cookie-domain-from-host
    Enable/disable use of the HTTP cookie domain from the Host field in HTTP.
    Type: option. Size: -. Default: disable.
    Options:
        disable    Do not use the HTTP cookie domain from the Host field in HTTP (use the http-cookie-domain setting).
        enable     Use the HTTP cookie domain from the Host field in HTTP.

http-cookie-domain
    Domain that HTTP cookie persistence should apply to.
    Type: string. Size: maximum length 35.

http-cookie-path
    Limit HTTP cookie persistence to the specified path.
    Type: string. Size: maximum length 35.

http-cookie-generation
    Generation of HTTP cookie to be accepted. Changing it invalidates all existing cookies.
    Type: integer. Size: minimum value 0, maximum value 4294967295. Default: 0.

http-cookie-age
    Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.
    Type: integer. Size: minimum value 0, maximum value 525600. Default: 60.

http-cookie-share
    Control sharing of cookies across API Gateways. same-ip means a cookie from one virtual server can be used by another; disable stops cookie sharing.
    Type: option. Size: -. Default: same-ip.
    Options:
        disable    Only allow the HTTP cookie to match this API Gateway.
        same-ip    Allow the HTTP cookie to match any API Gateway with the same IP.

https-cookie-secure
    Enable/disable verification that inserted HTTPS cookies are secure.
    Type: option. Size: -. Default: disable.
    Options:
        disable    Do not mark the cookie as secure; allow sharing between an HTTP and an HTTPS connection.
        enable     Mark the inserted cookie as secure; the cookie can only be used for an HTTPS connection.

saml-server
    SAML service provider configuration for VIP authentication.
    Type: string. Size: maximum length 35.

saml-redirect
    Enable/disable SAML redirection after successful authentication.
    Type: option. Size: -. Default: enable.
    Options:
        disable    Do not support redirection after successful SAML authentication.
        enable     Support redirection after successful SAML authentication.

ssl-dh-bits
    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
    Type: option. Size: -. Default: 2048.
    Options:
        768     768-bit Diffie-Hellman prime.
        1024    1024-bit Diffie-Hellman prime.
        1536    1536-bit Diffie-Hellman prime.
        2048    2048-bit Diffie-Hellman prime.
        3072    3072-bit Diffie-Hellman prime.
        4096    4096-bit Diffie-Hellman prime.

ssl-algorithm
    Permitted encryption algorithms for the server side of SSL full mode sessions, according to encryption strength.
    Type: option. Size: -. Default: high.
    Options:
        high      High encryption. Allow only AES and ChaCha.
        medium    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
        low       Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-min-version
    Lowest SSL/TLS version acceptable from a server.
    Type: option. Size: -. Default: tls-1.1.
    Options:
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.
        tls-1.3    TLS 1.3.

ssl-max-version
    Highest SSL/TLS version acceptable from a server.
    Type: option. Size: -. Default: tls-1.3.
    Options:
        tls-1.0    TLS 1.0.
        tls-1.1    TLS 1.1.
        tls-1.2    TLS 1.2.
        tls-1.3    TLS 1.3.

ssl-renegotiation
    Enable/disable secure renegotiation to comply with RFC 5746.
    Type: option. Size: -. Default: enable.
    Options:
        enable     Enable secure renegotiation.
        disable    Disable secure renegotiation.
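As an added example that is not part of the Fortinet reference, the following api-gateway entry sets the server-side TLS and persistence-cookie parameters described above to values tighter than the documented defaults. The access-proxy name, VIP name and url-map are constructed placeholders; every parameter and value used is one listed on this page.

```text
config firewall access-proxy
    # "zt-proxy-example" and "zt-vip-example" are constructed names for this example
    edit "zt-proxy-example"
        set vip "zt-vip-example"
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                # Server-side TLS toward the real servers: raise the floor from the
                # default tls-1.1 to tls-1.2, allow only AES/ChaCha (ssl-algorithm high),
                # use a 3072-bit DH group and keep RFC 5746 secure renegotiation on.
                set ssl-min-version tls-1.2
                set ssl-max-version tls-1.3
                set ssl-algorithm high
                set ssl-dh-bits 3072
                set ssl-renegotiation enable
                # Persistence cookie: Secure flag on (default is disable), no sharing
                # with other gateways on the same IP (default is same-ip), 60-minute
                # lifetime, and a generation value that can be raised to invalidate
                # every cookie already issued.
                set https-cookie-secure enable
                set http-cookie-share disable
                set http-cookie-age 60
                set http-cookie-generation 1
            next
        end
    next
end
```

The two defaults worth checking on an existing gateway are ssl-min-version (tls-1.1) and https-cookie-secure (disable): left as shipped, the gateway will accept a TLS 1.1 session from a backend, and the persistence cookie it inserts is not marked Secure, so a browser may also send it over plain HTTP. `show firewall access-proxy` lists only non-default values, so a gateway that prints neither line is running both defaults.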

config quic

max-idle-timeout
    Maximum idle timeout in milliseconds.
    Type: integer. Size: minimum value 1, maximum value 60000. Default: 30000.

max-udp-payload-size
    Maximum UDP payload size in bytes.
    Type: integer. Size: minimum value 1200, maximum value 1500. Default: 1500.

active-connection-id-limit
    Active connection ID limit.
    Type: integer. Size: minimum value 1, maximum value 8. Default: 2.

ack-delay-exponent
    ACK delay exponent.
    Type: integer. Size: minimum value 1, maximum value 20. Default: 3.

max-ack-delay
    Maximum ACK delay in milliseconds.
    Type: integer. Size: minimum value 1, maximum value 16383. Default: 25.

max-datagram-frame-size
    Maximum datagram frame size in bytes.
    Type: integer. Size: minimum value 1, maximum value 1500. Default: 1500.

active-migration
    Enable/disable active migration.
    Type: option. Size: -. Default: disable.

grease-quic-bit
    Enable/disable the grease QUIC bit.
    Type: option. Size: -. Default: enable.

config realservers

id
    Real server ID.
    Type: integer. Size: minimum value 0, maximum value 4294967295. Default: 0.

addr-type
    Type of address.
    Type: option. Size: -. Default: ip.

address
    Address or address group of the real server.
    Type: string. Size: maximum length 79.

ip
    IPv6 address of the real server.
    Type: ipv6-address. Size: not specified. Default: ::.

domain
    Wildcard domain name of the real server.
    Type: string. Size: maximum length 255.

port
    Port for communicating with the real server.
    Type: integer. Size: minimum value 1, maximum value 65535. Default: 443.

mappedport
    Port for communicating with the real server.
    Type: user. Size: not specified.

status
    Set the status of the real server to active so that it can accept traffic, or to standby or disabled so that no traffic is sent.
    Type: option. Size: -. Default: active.

type
    TCP forwarding server type.
    Type: option. Size: -. Default: tcp-forwarding.

external-auth
    Enable/disable use of an external browser as the user agent for SAML user authentication.
    Type: option. Size: -. Default: disable.

tunnel-encryption
    Tunnel encryption.
    Type: option. Size: -. Default: disable.

weight
    Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
    Type: integer. Size: minimum value 1, maximum value 255. Default: 1.

http-host
    HTTP server domain name in the HTTP header.
    Type: string. Size: maximum length 63.

health-check
    Enable to check the responsiveness of the real server before forwarding traffic.
    Type: option. Size: -. Default: disable.

health-check-proto
    Protocol of the health check monitor to use when polling to determine the server's connectivity status.
    Type: option. Size: -. Default: ping.

holddown-interval
    Enable/disable the holddown timer. The server will be considered active and reachable once the holddown period has expired (30 seconds).
    Type: option. Size: -. Default: enable.

translate-host
    Enable/disable translation of hostname/IP from the virtual server to the real server.
    Type: option. Size: -. Default: enable.

ssh-client-cert
    Set the access-proxy SSH client certificate profile.
    Type: string. Size: maximum length 79.

ssh-host-key-validation
    Enable/disable SSH real server host key validation.
    Type: option. Size: -. Default: disable.

ssh-host-key <name>
    One or more server host keys.
    name: Server host key name. Type: string. Size: maximum length 79.
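As an added example that is not part of the Fortinet reference, the following realservers entries show the health-check, holddown and weight parameters above on a pair of HTTPS real servers, and ssh-host-key-validation with a pinned host key on a TCP-forwarding gateway. The access-proxy name, address object names, host name and host key name are constructed placeholders; the realserver value `ssh` for `type` is an assumption, since this page lists only the default `tcp-forwarding`.

```text
config firewall access-proxy
    # "zt-proxy-example" and all address/key object names are constructed for this example
    edit "zt-proxy-example"
        config api-gateway
            edit 1
                set url-map "/"
                set service https
                config realservers
                    # Primary HTTPS real server: health-checked before traffic is
                    # forwarded (health-check defaults to disable), with the 30-second
                    # holddown kept on so a server that just came back is not trusted
                    # the instant it answers a probe.
                    edit 1
                        set addr-type ip
                        set address "app-server-1"
                        set port 443
                        set status active
                        set weight 2
                        set health-check enable
                        set health-check-proto ping
                        set holddown-interval enable
                        set translate-host enable
                        set http-host "app.internal.example"
                    next
                    # Standby server: receives no traffic while an active server is up.
                    edit 2
                        set address "app-server-2"
                        set port 443
                        set status standby
                        set weight 1
                        set health-check enable
                    next
                end
            next
            # TCP-forwarding gateway for SSH. Host key validation defaults to disable;
            # enabling it and naming the stored host key makes the proxy refuse a real
            # server whose key does not match. "set type ssh" is an assumed value.
            edit 2
                set service tcp-forwarding
                config realservers
                    edit 1
                        set address "ssh-server-1"
                        set mappedport 22
                        set type ssh
                        set ssh-host-key-validation enable
                        set ssh-host-key "ssh-server-1-hostkey"
                    next
                end
            next
        end
    next
end
```

The defender's check here is the pair of defaults: health-check is disable, so a gateway left as shipped forwards client sessions to a real server it has never probed, and ssh-host-key-validation is disable, so an SSH real server is not checked against a stored key at all. Both are per-realserver settings, so each entry under `config realservers` needs them set individually.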

config ssl-cipher-suites

priority
    SSL/TLS cipher suite priority.
    Type: integer. Size: minimum value 0, maximum value 4294967295. Default: 0.

cipher
    Cipher suite name.
    Type: option. Size: -.

versions
    SSL/TLS versions that the cipher suite can be used with.
    Type: option. Size: -. Default: tls-1.0 tls-1.1 tls-1.2 tls-1.3.