CLI Reference

config firewall ssl setting

SSL proxy settings.

config firewall ssl setting
    Description: SSL proxy settings.
    set proxy-connect-timeout {integer}
    set ssl-dh-bits [768|1024|...]
    set ssl-send-empty-frags [enable|disable]
    set no-matching-cipher-action [bypass|drop]
    set cert-manager-cache-timeout {integer}
    set resigned-short-lived-certificate [enable|disable]
    set cert-cache-capacity {integer}
    set cert-cache-timeout {integer}
    set session-cache-capacity {integer}
    set session-cache-timeout {integer}
    set abbreviate-handshake [enable|disable]
end

config firewall ssl setting

Each parameter is listed with its Description, Type, Size and Default and, for option types, the accepted options.

proxy-connect-timeout
    Description: Time limit to make an internal connection to the appropriate proxy process.
    Type: integer
    Size: Minimum value: 1, Maximum value: 60
    Default: 30

ssl-dh-bits
    Description: Bit-size of Diffie-Hellman.
    Type: option
    Size: -
    Default: 2048
    Options:
        768   768-bit Diffie-Hellman prime.
        1024  1024-bit Diffie-Hellman prime.
        1536  1536-bit Diffie-Hellman prime.
        2048  2048-bit Diffie-Hellman prime.

ssl-send-empty-frags
    Description: Enable/disable sending empty fragments to avoid attack on CBC IV (for SSL 3.0 and TLS 1.0 only).
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Send empty fragments.
        disable  Do not send empty fragments.

no-matching-cipher-action
    Description: Bypass or drop the connection when no matching cipher is found.
    Type: option
    Size: -
    Default: bypass
    Options:
        bypass  Bypass connection.
        drop    Drop connection.

cert-manager-cache-timeout
    Description: Time limit for the cert manager to keep a FortiGate re-signed server certificate.
    Type: integer
    Size: Minimum value: 24, Maximum value: 720
    Default: 72

resigned-short-lived-certificate
    Description: Enable/disable short-lived certificate.
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Disable short-lived certificate: the resigned certificate will have the same validity period as the origin server certificate.
        disable  Enable short-lived certificate: the resigned certificate will remain valid until either the origin server certificate expires or the cache times out.

cert-cache-capacity
    Description: Maximum capacity of the host certificate cache.
    Type: integer
    Size: Minimum value: 0, Maximum value: 500
    Default: 200

cert-cache-timeout
    Description: Time limit to keep the certificate cache.
    Type: integer
    Size: Minimum value: 1, Maximum value: 120
    Default: 10

session-cache-capacity
    Description: Capacity of the SSL session cache.
    Type: integer
    Size: Minimum value: 0, Maximum value: 1000
    Default: 500

session-cache-timeout
    Description: Time limit to keep SSL session state.
    Type: integer
    Size: Minimum value: 1, Maximum value: 60
    Default: 20

abbreviate-handshake
    Description: Enable/disable use of the SSL abbreviated handshake.
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Enable use of the SSL abbreviated handshake.
        disable  Disable use of the SSL abbreviated handshake.
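As an added example (not Fortinet's code), a small Python audit that parses a constructed `config firewall ssl setting` block and checks it against the ranges, keywords and defaults in the table above, then flags two defender-relevant choices: a Diffie-Hellman size below the 2048-bit default and the fail-open `bypass` action. The constraint values are transcribed from this page; the sample block and the weak-setting judgments are the example's own.

```python
import re

CONSTRAINTS = {  # (min, max) or keyword set, transcribed from the table above
    "proxy-connect-timeout": (1, 60),
    "ssl-dh-bits": {"768", "1024", "1536", "2048"},
    "ssl-send-empty-frags": {"enable", "disable"},
    "no-matching-cipher-action": {"bypass", "drop"},
    "cert-manager-cache-timeout": (24, 720),
    "resigned-short-lived-certificate": {"enable", "disable"},
    "cert-cache-capacity": (0, 500),
    "cert-cache-timeout": (1, 120),
    "session-cache-capacity": (0, 1000),
    "session-cache-timeout": (1, 60),
    "abbreviate-handshake": {"enable", "disable"},
}
DEFAULTS = {"ssl-dh-bits": "2048", "no-matching-cipher-action": "bypass"}
# Constructed sample, not a device export: weak DH, fail-open action, one out-of-range value.
SAMPLE = """\
config firewall ssl setting
    set ssl-dh-bits 1024
    set no-matching-cipher-action bypass
    set cert-cache-capacity 900
end
"""

def parse_ssl_setting(text):
    # Extract the block body and return {parameter: value} for each 'set' line.
    m = re.search(r"config firewall ssl setting\n(.*?)\nend\b", text, re.S)
    if not m:
        raise ValueError("no 'config firewall ssl setting' block found")
    return dict(re.findall(r"^\s*set\s+(\S+)\s+(\S+)\s*$", m.group(1), re.M))

def audit(settings):
    # Findings: unknown names, values outside the documented constraints, weak choices.
    findings = []
    for name, value in settings.items():
        rule = CONSTRAINTS.get(name)
        if rule is None:
            findings.append(f"{name}: unknown parameter")
        elif isinstance(rule, tuple):
            if not value.isdigit() or not rule[0] <= int(value) <= rule[1]:
                findings.append(f"{name}: {value} outside {rule[0]}..{rule[1]}")
        elif value not in rule:
            findings.append(f"{name}: {value} not one of {sorted(rule)}")
    # Unset parameters take the documented default, so judge the effective value.
    dh = settings.get("ssl-dh-bits", DEFAULTS["ssl-dh-bits"])
    if dh in CONSTRAINTS["ssl-dh-bits"] and int(dh) < 2048:
        findings.append(f"ssl-dh-bits: {dh}-bit group is below the 2048-bit default")
    if settings.get("no-matching-cipher-action", DEFAULTS["no-matching-cipher-action"]) == "bypass":
        findings.append("no-matching-cipher-action: bypass is fail-open; drop fails closed")
    return findings
```

Running `audit(parse_ssl_setting(SAMPLE))` yields three findings for the sample: the out-of-range cache capacity, the 1024-bit DH group and the bypass action.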
