
CLI Reference

config firewall vip

Configure virtual IP for IPv4.

config firewall vip
    Description: Configure virtual IP for IPv4.
    edit <name>
        set id {integer}
        set uuid {uuid}
        set comment {var-string}
        set type [static-nat|load-balance|...]
        set dns-mapping-ttl {integer}
        set ldb-method [static|round-robin|...]
        set src-filter <range1>, <range2>, ...
        set service <name1>, <name2>, ...
        set extip {user}
        set extaddr <name1>, <name2>, ...
        set mappedip <range1>, <range2>, ...
        set mapped-addr {string}
        set extintf {string}
        set arp-reply [disable|enable]
        set server-type [http|https|...]
        set http-redirect [enable|disable]
        set persistence [none|http-cookie|...]
        set nat-source-vip [disable|enable]
        set portforward [disable|enable]
        set protocol [tcp|udp|...]
        set extport {user}
        set mappedport {user}
        set gratuitous-arp-interval {integer}
        set srcintf-filter <interface-name1>, <interface-name2>, ...
        set portmapping-type [1-to-1|m-to-n]
        config realservers
            Description: Select the real servers that this server load balancing VIP will distribute traffic to.
            edit <id>
                set ip {ipv4-address-any}
                set port {integer}
                set status [active|standby|...]
                set weight {integer}
                set holddown-interval {integer}
                set healthcheck [disable|enable|...]
                set http-host {string}
                set max-connections {integer}
                set monitor {string}
                set client-ip {user}
            next
        end
        set http-cookie-domain-from-host [disable|enable]
        set http-cookie-domain {string}
        set http-cookie-path {string}
        set http-cookie-generation {integer}
        set http-cookie-age {integer}
        set http-cookie-share [disable|same-ip]
        set https-cookie-secure [disable|enable]
        set http-multiplex [enable|disable]
        set http-ip-header [enable|disable]
        set http-ip-header-name {string}
        set outlook-web-access [disable|enable]
        set weblogic-server [disable|enable]
        set websphere-server [disable|enable]
        set ssl-mode [half|full]
        set ssl-certificate {string}
        set ssl-dh-bits [768|1024|...]
        set ssl-algorithm [high|medium|...]
        config ssl-cipher-suites
            Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-server-algorithm [high|medium|...]
        config ssl-server-cipher-suites
            Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-pfs [require|deny|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set ssl-server-min-version [ssl-3.0|tls-1.0|...]
        set ssl-server-max-version [ssl-3.0|tls-1.0|...]
        set ssl-send-empty-frags [enable|disable]
        set ssl-client-fallback [disable|enable]
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-client-session-state-type [disable|time|...]
        set ssl-client-session-state-timeout {integer}
        set ssl-client-session-state-max {integer}
        set ssl-client-rekey-count {integer}
        set ssl-server-session-state-type [disable|time|...]
        set ssl-server-session-state-timeout {integer}
        set ssl-server-session-state-max {integer}
        set ssl-http-location-conversion [enable|disable]
        set ssl-http-match-host [enable|disable]
        set ssl-hpkp [disable|enable|...]
        set ssl-hpkp-primary {string}
        set ssl-hpkp-backup {string}
        set ssl-hpkp-age {integer}
        set ssl-hpkp-report-uri {var-string}
        set ssl-hpkp-include-subdomains [disable|enable]
        set ssl-hsts [disable|enable]
        set ssl-hsts-age {integer}
        set ssl-hsts-include-subdomains [disable|enable]
        set monitor <name1>, <name2>, ...
        set max-embryonic-connections {integer}
        set color {integer}
    next
end

config firewall vip

Parameter [Type; Size]: Description. Option values, where the type is option, are listed beneath the parameter.

id [integer; 0-65535]: Custom defined ID.
uuid [uuid]: Universally Unique Identifier (UUID; automatically assigned but can be manually reset).
comment [var-string]: Comment.
type [option]: Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.
    static-nat: Static NAT.
    load-balance: Load balance.
    server-load-balance: Server load balance.
    dns-translation: DNS translation.
    fqdn: Fully qualified domain name.
dns-mapping-ttl [integer; 0-604800]: DNS mapping TTL.
ldb-method [option]: Method used to distribute sessions to real servers.
    static: Distribute to server based on source IP.
    round-robin: Distribute to servers in round-robin order.
    weighted: Distribute to server based on weight.
    least-session: Distribute to server with lowest session count.
    least-rtt: Distribute to server with lowest round-trip time.
    first-alive: Distribute to the first server that is alive.
    http-host: Distribute to server based on the Host field in the HTTP header.
src-filter <range> [string; maximum length 79]: Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces. <range>: source-filter range.
service <name> [string; maximum length 79]: Service name.
extip [user]: IP address or address range on the external interface that you want to map to an address or address range on the destination network.
extaddr <name> [string; maximum length 79]: External FQDN address name. <name>: address name.
mappedip <range> [string; maximum length 79]: IP address or address range on the destination network to which the external IP address is mapped. <range>: mapped IP range.
mapped-addr [string]: Mapped FQDN address name.
extintf [string]: Interface connected to the source network that receives the packets that will be forwarded to the destination network.
arp-reply [option]: Enable to respond to ARP requests for this virtual IP address. Enabled by default.
    disable: Disable ARP reply.
    enable: Enable ARP reply.
server-type [option]: Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).
    http: HTTP
    https: HTTPS
    imaps: IMAPS
    pop3s: POP3S
    smtps: SMTPS
    ssl: SSL
    tcp: TCP
    udp: UDP
    ip: IP
http-redirect [option]: Enable/disable redirection of HTTP to HTTPS.
    enable: Enable redirection of HTTP to HTTPS.
    disable: Disable redirection of HTTP to HTTPS.
persistence [option]: Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.
    none: None.
    http-cookie: HTTP cookie.
    ssl-session-id: SSL session ID.
nat-source-vip [option]: Enable/disable forcing the source NAT mapped IP to the external IP for all traffic.
    disable: Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.
    enable: Force the source NAT mapped IP to the external IP for all traffic.
portforward [option]: Enable/disable port forwarding.
    disable: Disable port forward.
    enable: Enable port forward.
protocol [option]: Protocol to use when forwarding packets.
    tcp: TCP.
    udp: UDP.
    sctp: SCTP.
    icmp: ICMP.
extport [user]: Incoming port number range that you want to map to a port number range on the destination network.
mappedport [user]: Port number range on the destination network to which the external port number range is mapped.
gratuitous-arp-interval [integer; 5-8640000]: Enable to have the VIP send gratuitous ARPs. 0=disabled. Set from 5 up to 8640000 seconds to enable.
srcintf-filter <interface-name> [string; maximum length 79]: Interfaces to which the VIP applies. Separate the names with spaces. <interface-name>: interface name.
portmapping-type [option]: Port mapping type.
    1-to-1: One to one.
    m-to-n: Many to many.
http-cookie-domain-from-host [option]: Enable/disable use of the HTTP cookie domain from the Host field in HTTP.
    disable: Disable use of the HTTP cookie domain from the Host field in HTTP (use the http-cookie-domain setting).
    enable: Enable use of the HTTP cookie domain from the Host field in HTTP.
http-cookie-domain [string]: Domain that HTTP cookie persistence should apply to.
http-cookie-path [string]: Limit HTTP cookie persistence to the specified path.
http-cookie-generation [integer; 0-4294967295]: Generation of HTTP cookie to be accepted. Changing it invalidates all existing cookies.
http-cookie-age [integer; 0-525600]: Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit.
http-cookie-share [option]: Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. disable stops cookie sharing.
    disable: Only allow the HTTP cookie to match this virtual server.
    same-ip: Allow the HTTP cookie to match any virtual server with the same IP.
https-cookie-secure [option]: Enable/disable verification that inserted HTTPS cookies are secure.
    disable: Do not mark the cookie as secure; allow sharing between an HTTP and an HTTPS connection.
    enable: Mark the inserted cookie as secure; the cookie can only be used for an HTTPS connection.
http-multiplex [option]: Enable/disable HTTP multiplexing.
    enable: Enable HTTP session multiplexing.
    disable: Disable HTTP session multiplexing.
http-ip-header [option]: For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.
    enable: Enable adding the HTTP header.
    disable: Disable adding the HTTP header.
http-ip-header-name [string]: For HTTP multiplexing, enter a custom HTTP header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.
outlook-web-access [option]: Enable to add the Front-End-Https header for Microsoft Outlook Web Access.
    disable: Disable Outlook Web Access support.
    enable: Enable Outlook Web Access support.
weblogic-server [option]: Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.
    disable: Do not add the HTTP header indicating SSL offload for a WebLogic server.
    enable: Add the HTTP header indicating SSL offload for a WebLogic server.
websphere-server [option]: Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.
    disable: Do not add the HTTP header indicating SSL offload for a WebSphere server.
    enable: Add the HTTP header indicating SSL offload for a WebSphere server.
ssl-mode [option]: Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
    half: Client to FortiGate SSL.
    full: Client to FortiGate and FortiGate to server SSL.
ssl-certificate [string]: The name of the SSL certificate to use for SSL acceleration.
ssl-dh-bits [option]: Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
    768: 768-bit Diffie-Hellman prime.
    1024: 1024-bit Diffie-Hellman prime.
    1536: 1536-bit Diffie-Hellman prime.
    2048: 2048-bit Diffie-Hellman prime.
    3072: 3072-bit Diffie-Hellman prime.
    4096: 4096-bit Diffie-Hellman prime.
ssl-algorithm [option]: Permitted encryption algorithms for SSL sessions according to encryption strength.
    high: High encryption. Allow only AES and ChaCha.
    medium: Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
    low: Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
    custom: Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.
ssl-server-algorithm [option]: Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.
    high: High encryption. Allow only AES and ChaCha.
    medium: Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
    low: Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
    custom: Custom encryption. Use config ssl-server-cipher-suites to select the cipher suites that are allowed.
    client: Use the same encryption algorithms for both client and server sessions.
ssl-pfs [option]: Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
    require: Allow only Diffie-Hellman cipher suites, so PFS is applied.
    deny: Allow only non-Diffie-Hellman cipher suites, so PFS is not applied.
    allow: Allow use of any cipher suite, so PFS may or may not be used depending on the cipher suite selected.
ssl-min-version [option]: Lowest SSL/TLS version acceptable from a client.
    ssl-3.0: SSL 3.0.
    tls-1.0: TLS 1.0.
    tls-1.1: TLS 1.1.
    tls-1.2: TLS 1.2.
    tls-1.3: TLS 1.3.
ssl-max-version [option]: Highest SSL/TLS version acceptable from a client.
    ssl-3.0: SSL 3.0.
    tls-1.0: TLS 1.0.
    tls-1.1: TLS 1.1.
    tls-1.2: TLS 1.2.
    tls-1.3: TLS 1.3.
ssl-server-min-version [option]: Lowest SSL/TLS version acceptable from a server. Uses the client setting by default.
    ssl-3.0: SSL 3.0.
    tls-1.0: TLS 1.0.
    tls-1.1: TLS 1.1.
    tls-1.2: TLS 1.2.
    tls-1.3: TLS 1.3.
    client: Use the same value as the client configuration.
ssl-server-max-version [option]: Highest SSL/TLS version acceptable from a server. Uses the client setting by default.
    ssl-3.0: SSL 3.0.
    tls-1.0: TLS 1.0.
    tls-1.1: TLS 1.1.
    tls-1.2: TLS 1.2.
    tls-1.3: TLS 1.3.
    client: Use the same value as the client configuration.
ssl-send-empty-frags [option]: Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 and TLS 1.0 only). May need to be disabled for compatibility with older systems.
    enable: Send empty fragments.
    disable: Do not send empty fragments.
ssl-client-fallback [option]: Enable/disable support for preventing downgrade attacks on client connections (RFC 7507).
    disable: Disable.
    enable: Enable.
ssl-client-renegotiation [option]: Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.
    allow: Allow an SSL client to renegotiate.
    deny: Abort any client-initiated SSL renegotiation attempt.
    secure: Abort any client-initiated SSL renegotiation attempt that does not use RFC 5746 Secure Renegotiation.
ssl-client-session-state-type [option]: How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
    disable: Do not keep session states.
    time: Expire session states after this many minutes.
    count: Expire session states when this maximum is reached.
    both: Expire session states based on time or count, whichever occurs first.
ssl-client-session-state-timeout [integer; 1-14400]: Number of minutes to keep client-to-FortiGate SSL session state.
ssl-client-session-state-max [integer; 1-10000]: Maximum number of client-to-FortiGate SSL session states to keep.
ssl-client-rekey-count [integer; 200-1048576]: Maximum length of data in MB before triggering a client rekey (0 = disable).
ssl-server-session-state-type [option]: How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.
    disable: Do not keep session states.
    time: Expire session states after this many minutes.
    count: Expire session states when this maximum is reached.
    both: Expire session states based on time or count, whichever occurs first.
ssl-server-session-state-timeout [integer; 1-14400]: Number of minutes to keep FortiGate-to-server SSL session state.
ssl-server-session-state-max [integer; 1-10000]: Maximum number of FortiGate-to-server SSL session states to keep.
ssl-http-location-conversion [option]: Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
    enable: Enable HTTP location conversion.
    disable: Disable HTTP location conversion.
ssl-http-match-host [option]: Enable/disable HTTP host matching for location conversion.
    enable: Match the HTTP host in the response header.
    disable: Do not match the HTTP host.
ssl-hpkp [option]: Enable/disable including the HPKP header in the response.
    disable: Do not add an HPKP header to each HTTP response.
    enable: Add an HPKP header to each HTTP response.
    report-only: Add an HPKP Report-Only header to each HTTP response.
ssl-hpkp-primary [string]: Certificate to generate the primary HPKP pin from.
ssl-hpkp-backup [string]: Certificate to generate the backup HPKP pin from.
ssl-hpkp-age [integer; 60-157680000]: Number of seconds the client should honour the HPKP setting.
ssl-hpkp-report-uri [var-string]: URL to report HPKP violations to.
ssl-hpkp-include-subdomains [option]: Indicate that the HPKP header applies to all subdomains.
    disable: HPKP header does not apply to subdomains.
    enable: HPKP header applies to subdomains.
ssl-hsts [option]: Enable/disable including the HSTS header in the response.
    disable: Do not add an HSTS header to each HTTP response.
    enable: Add an HSTS header to each HTTP response.
ssl-hsts-age [integer; 60-157680000]: Number of seconds the client should honour the HSTS setting.
ssl-hsts-include-subdomains [option]: Indicate that the HSTS header applies to all subdomains.
    disable: HSTS header does not apply to subdomains.
    enable: HSTS header applies to subdomains.
monitor <name> [string; maximum length 79]: Name of the health check monitor to use when polling to determine a virtual server's connectivity status. <name>: health monitor name.
max-embryonic-connections [integer; 0-100000]: Maximum number of incomplete connections.
color [integer; 0-32]: Color of the icon on the GUI.
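The ssl-* parameters above decide how strong the client-facing TLS of a server-load-balance VIP is, and nothing stops a VIP from being left at a weak combination (a pre-1.2 ssl-min-version, ssl-pfs allow, a medium or low ssl-algorithm, a 1024-bit ssl-dh-bits, ssl-client-renegotiation allow, ssl-hsts disable). The Python below is an added example, not Fortinet code: it parses a constructed config firewall vip block written in the syntax shown on this page (the VIP names and values are made up), skips the nested realservers table so its settings are not mistaken for the VIP's own, and reports which explicit settings fall below a hardening baseline. That baseline is the example's assumption, not a FortiOS default; settings the config does not show are reported as unset so the device default gets verified rather than assumed.

```python
import shlex
from typing import Dict, List, Tuple

# Constructed sample in FortiOS CLI syntax (not a real device config): "legacy-web"
# keeps weak TLS settings, "hardened-web" is the corrected form of the same VIP.
SAMPLE_CONFIG = """\
config firewall vip
    edit "legacy-web"
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-dh-bits 1024
        set ssl-algorithm medium
        set ssl-pfs allow
        set ssl-min-version tls-1.0
        set ssl-client-renegotiation allow
        set ssl-hsts disable
        config realservers
            edit 1
                set ip 10.0.0.11
                set port 443
            next
        end
    next
    edit "hardened-web"
        set type server-load-balance
        set server-type https
        set ssl-mode full
        set ssl-dh-bits 2048
        set ssl-algorithm high
        set ssl-pfs require
        set ssl-min-version tls-1.2
        set ssl-server-min-version tls-1.2
        set ssl-client-renegotiation secure
        set ssl-hsts enable
        set ssl-hsts-age 31536000
    next
end
"""

TLS_ORDER = {"ssl-3.0": 0, "tls-1.0": 1, "tls-1.1": 2, "tls-1.2": 3, "tls-1.3": 4}
SSL_SERVER_TYPES = ("https", "ssl", "imaps", "pop3s", "smtps")  # server-type values with SSL offload
Finding = Tuple[str, str, str]  # (vip name, setting, message)


def parse_vips(text: str) -> Dict[str, Dict[str, str]]:
    """Top-level 'set' lines of every entry in config firewall vip. Nested tables
    (realservers, cipher suites) are skipped by counting config/end depth."""
    vips: Dict[str, Dict[str, str]] = {}
    current, depth, in_table = None, 0, False
    for raw in text.splitlines():
        tok = shlex.split(raw)  # strips the quotes FortiOS puts around names
        if not tok:
            continue
        if tok[:3] == ["config", "firewall", "vip"]:
            in_table = True
        elif not in_table:
            continue
        elif current is None:          # between entries: only edit/end matter
            if tok[0] == "edit":
                current = tok[1]
                vips[current] = {}
            elif tok[0] == "end":
                in_table = False
        elif tok[0] == "config":
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif depth == 0 and tok[0] == "next":
            current = None
        elif depth == 0 and tok[0] == "set" and len(tok) >= 3:
            vips[current][tok[1]] = " ".join(tok[2:])
    return vips


def audit_vip(name: str, s: Dict[str, str]) -> List[Finding]:
    """Assumed hardening baseline (the example's, not a FortiOS default)."""
    out: List[Finding] = []
    if s.get("server-type") not in SSL_SERVER_TYPES:
        return out  # no SSL offload on this VIP, so the ssl-* settings are inert

    def flag(key: str, msg: str) -> None:
        out.append((name, key, f"{s.get(key, 'unset')}: {msg}"))

    if TLS_ORDER.get(s.get("ssl-min-version", ""), -1) < TLS_ORDER["tls-1.2"]:
        flag("ssl-min-version", "accept only tls-1.2 or higher from clients")
    if s.get("ssl-pfs") != "require":
        flag("ssl-pfs", "set require so every negotiable suite has forward secrecy")
    if s.get("ssl-algorithm") not in ("high", "custom"):
        flag("ssl-algorithm", "medium/low admit 3DES, RC4 or DES")
    if int(s.get("ssl-dh-bits", "0")) < 2048:
        flag("ssl-dh-bits", "use a 2048-bit or larger Diffie-Hellman prime")
    if s.get("ssl-client-renegotiation", "allow") == "allow":
        flag("ssl-client-renegotiation", "use secure (RFC 5746) or deny")
    if s.get("ssl-hsts") != "enable":
        flag("ssl-hsts", "enable HSTS so browsers stop falling back to plaintext")
    srv = s.get("ssl-server-min-version", "client")
    if s.get("ssl-mode") == "full" and srv != "client" and TLS_ORDER.get(srv, -1) < 3:
        flag("ssl-server-min-version", "the FortiGate-to-server leg also accepts pre-1.2 TLS")
    return out


def audit_config(text: str) -> Dict[str, List[Finding]]:
    return {name: audit_vip(name, s) for name, s in parse_vips(text).items()}


if __name__ == "__main__":
    for vip, findings in audit_config(SAMPLE_CONFIG).items():
        print(vip, findings or "no findings")
```

Run against a `show firewall vip` dump saved to a file, the same parser applies unchanged; only the baseline in audit_vip needs to match the organisation's own policy.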

config realservers

Parameter [Type; Size]: Description. Option values, where the type is option, are listed beneath the parameter.

ip [ipv4-address-any]: IP address of the real server.
port [integer; 1-65535]: Port for communicating with the real server. Required if port forwarding is enabled.
status [option]: Set the status of the real server to active so that it can accept traffic, or to standby or disable so no traffic is sent.
    active: Server status active.
    standby: Server status standby.
    disable: Server status disable.
weight [integer; 1-255]: Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
holddown-interval [integer; 30-65535]: Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active.
healthcheck [option]: Enable to check the responsiveness of the real server before forwarding traffic.
    disable: Disable per-server health check.
    enable: Enable per-server health check.
    vip: Use the health check defined in the VIP.
http-host [string]: HTTP server domain name in the HTTP header.
max-connections [integer; 0-2147483647]: Maximum number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers.
monitor [string]: Name of the health check monitor to use when polling to determine a virtual server's connectivity status.
client-ip [user]: Only clients in this IP range can connect to this real server.
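To make the ldb-method choices and the realservers status, weight and max-connections fields concrete, here is an added Python model of server selection (example code, not FortiOS's implementation). It follows the semantics the two tables state: a disabled or unhealthy server never receives sessions, a server that has reached max-connections is skipped so sessions go to the others, and standby servers carry traffic only when no active one can. The smooth weighted round-robin, the CRC-based source-IP hash for static, the health and RTT fields, and returning no server on an http-host miss are this example's own choices; the pool and addresses are constructed.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RealServer:
    """One config realservers entry plus the runtime state a balancer tracks."""
    ip: str
    port: int = 443
    status: str = "active"    # active | standby | disable
    weight: int = 1           # 1-255; only ldb-method weighted reads it
    max_connections: int = 0  # 0 = no limit
    http_host: str = ""       # matched by ldb-method http-host
    healthy: bool = True      # last health check monitor result (simulated here)
    rtt_ms: float = 0.0       # measured round-trip time (simulated here)
    sessions: int = 0         # sessions currently assigned by this pool

    def accepts(self) -> bool:
        return self.healthy and (self.max_connections == 0 or self.sessions < self.max_connections)


class VipPool:
    """Picks a real server for a new session as the ldb-method table describes.
    Tie-breaking, the standby fallback and the hash are this example's choices."""

    def __init__(self, servers: List[RealServer], ldb_method: str = "round-robin"):
        self.servers, self.method = servers, ldb_method
        self._rr = 0
        self._credit: Dict[str, int] = {s.ip: 0 for s in servers}  # smooth weighted RR state

    def _candidates(self) -> List[RealServer]:
        # Active servers carry traffic; standby servers only when no active one can.
        active = [s for s in self.servers if s.status == "active" and s.accepts()]
        return active or [s for s in self.servers if s.status == "standby" and s.accepts()]

    def pick(self, src_ip: str = "", host: str = "") -> Optional[RealServer]:
        cands = self._candidates()
        if not cands:
            return None
        m = self.method
        if m == "static":            # the same source IP always lands on the same server
            chosen = cands[zlib.crc32(src_ip.encode()) % len(cands)]
        elif m == "round-robin":
            chosen = cands[self._rr % len(cands)]
            self._rr += 1
        elif m == "weighted":        # smooth weighted round-robin: shares track weights
            total = sum(s.weight for s in cands)
            for s in cands:
                self._credit[s.ip] += s.weight
            chosen = max(cands, key=lambda s: self._credit[s.ip])
            self._credit[chosen.ip] -= total
        elif m == "least-session":
            chosen = min(cands, key=lambda s: s.sessions)
        elif m == "least-rtt":
            chosen = min(cands, key=lambda s: s.rtt_ms)
        elif m == "first-alive":
            chosen = cands[0]
        elif m == "http-host":       # route on the HTTP Host header; no match -> no server
            chosen = next((s for s in cands if s.http_host and s.http_host == host), None)
        else:
            raise ValueError(f"unknown ldb-method {m!r}")
        if chosen is not None:
            chosen.sessions += 1
        return chosen


def simulate(method: str, n: int) -> Dict[str, int]:
    """Run n new sessions through a constructed pool and count who got them."""
    pool = VipPool([
        RealServer("10.0.0.11", weight=3),
        RealServer("10.0.0.12", weight=1, max_connections=2),
        RealServer("10.0.0.13", status="standby"),
        RealServer("10.0.0.14", weight=5, healthy=False),   # failed its health check
    ], ldb_method=method)
    counts: Dict[str, int] = {}
    for i in range(n):
        s = pool.pick(src_ip=f"192.0.2.{i}", host="app.example.test")
        key = s.ip if s else "none"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for method in ("round-robin", "weighted", "least-session", "first-alive"):
        print(method, simulate(method, 8))
```

With the constructed pool, 10.0.0.12 stops receiving sessions once it holds two (its max-connections), 10.0.0.14 never appears because its health check failed, and 10.0.0.13 only takes over when every active server is full.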

config ssl-cipher-suites

Parameter [Type; Size]: Description. Option values, where the type is option, are listed beneath the parameter.

cipher [option]: Cipher suite name. The description of each option is the cipher suite itself; the available values are:
    TLS-AES-128-GCM-SHA256
    TLS-AES-256-GCM-SHA384
    TLS-CHACHA20-POLY1305-SHA256
    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-DHE-RSA-WITH-AES-128-CBC-SHA
    TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-DHE-DSS-WITH-AES-128-CBC-SHA
    TLS-DHE-DSS-WITH-AES-256-CBC-SHA
    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
    TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
    TLS-RSA-WITH-AES-128-CBC-SHA
    TLS-RSA-WITH-AES-256-CBC-SHA
    TLS-RSA-WITH-AES-128-CBC-SHA256
    TLS-RSA-WITH-AES-128-GCM-SHA256
    TLS-RSA-WITH-AES-256-CBC-SHA256
    TLS-RSA-WITH-AES-256-GCM-SHA384
    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
    TLS-ECDHE-RSA-WITH-RC4-128-SHA
    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
    TLS-RSA-WITH-3DES-EDE-CBC-SHA
    TLS-RSA-WITH-RC4-128-MD5
    TLS-RSA-WITH-RC4-128-SHA
    TLS-DHE-RSA-WITH-DES-CBC-SHA
    TLS-DHE-DSS-WITH-DES-CBC-SHA
    TLS-RSA-WITH-DES-CBC-SHA
versions [option]: SSL/TLS versions that the cipher suite can be used with.
    ssl-3.0: SSL 3.0.
    tls-1.0: TLS 1.0.
    tls-1.1: TLS 1.1.
    tls-1.2: TLS 1.2.
    tls-1.3: TLS 1.3.

config ssl-server-cipher-suites

Parameter [Type; Size]: Description. Option values, where the type is option, are listed beneath the parameter.

cipher [option]: Cipher suite name. The description of each option is the cipher suite itself; the available values are:
    TLS-AES-128-GCM-SHA256
    TLS-AES-256-GCM-SHA384
    TLS-CHACHA20-POLY1305-SHA256
    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-DHE-RSA-WITH-AES-128-CBC-SHA
    TLS-DHE-RSA-WITH-AES-256-CBC-SHA
    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-DHE-DSS-WITH-AES-128-CBC-SHA
    TLS-DHE-DSS-WITH-AES-256-CBC-SHA
    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
    TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
    TLS-RSA-WITH-AES-128-CBC-SHA
    TLS-RSA-WITH-AES-256-CBC-SHA
    TLS-RSA-WITH-AES-128-CBC-SHA256
    TLS-RSA-WITH-AES-128-GCM-SHA256
    TLS-RSA-WITH-AES-256-CBC-SHA256
    TLS-RSA-WITH-AES-256-GCM-SHA384
    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
    TLS-ECDHE-RSA-WITH-RC4-128-SHA
    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
    TLS-RSA-WITH-3DES-EDE-CBC-SHA
    TLS-RSA-WITH-RC4-128-MD5
    TLS-RSA-WITH-RC4-128-SHA
    TLS-DHE-RSA-WITH-DES-CBC-SHA
    TLS-DHE-DSS-WITH-DES-CBC-SHA
    TLS-RSA-WITH-DES-CBC-SHA
versions [option]: SSL/TLS versions that the cipher suite can be used with.
    ssl-3.0: SSL 3.0.
    tls-1.0: TLS 1.0.
    tls-1.1: TLS 1.1.
    tls-1.2: TLS 1.2.
    tls-1.3: TLS 1.3.


set ssl-hsts [disable|enable]

set ssl-hsts-age {integer}

set ssl-hsts-include-subdomains [disable|enable]

set monitor <name1>, <name2>, ...

set max-embryonic-connections {integer}

set color {integer}

next

end

config firewall vip

Parameter

Description

Type

Size

id

Custom defined ID.

integer

Minimum value: 0 Maximum value: 65535

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

comment

Comment.

var-string

Not Specified

type

Configure a static NAT, load balance, server load balance, DNS translation, or FQDN VIP.

option

-

Option

Description

static-nat

Static NAT.

load-balance

Load balance.

server-load-balance

Server load balance.

dns-translation

DNS translation.

fqdn

Fully qualified domain name.

dns-mapping-ttl

DNS mapping TTL.

integer

Minimum value: 0 Maximum value: 604800

ldb-method

Method used to distribute sessions to real servers.

option

-

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to servers in round-robin order.

weighted

Distribute to server based on weight.

least-session

Distribute to server with lowest session count.

least-rtt

Distribute to server with lowest Round-Trip-Time.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

src-filter <range>

Source address filter. Each address must be either an IP/subnet (x.x.x.x/n) or a range (x.x.x.x-y.y.y.y). Separate addresses with spaces.

Source-filter range.

string

Maximum length: 79

service <name>

Service name.

Service name.

string

Maximum length: 79

extip

IP address or address range on the external interface that you want to map to an address or address range on the destination network.

user

Not Specified

extaddr <name>

External FQDN address name.

Address name.

string

Maximum length: 79

mappedip <range>

IP address or address range on the destination network to which the external IP address is mapped.

Mapped IP range.

string

Maximum length: 79

mapped-addr

Mapped FQDN address name.

string

Not Specified

extintf

Interface connected to the source network that receives the packets that will be forwarded to the destination network.

string

Not Specified

arp-reply

Enable to respond to ARP requests for this virtual IP address. Enabled by default.

option

-

Option

Description

disable

Disable ARP reply.

enable

Enable ARP reply.

server-type

Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).

option

-

Option

Description

http

HTTP

https

HTTPS

imaps

IMAPS

pop3s

POP3S

smtps

SMTPS

ssl

SSL

tcp

TCP

udp

UDP

ip

IP

http-redirect

Enable/disable redirection of HTTP to HTTPS.

option

-

Option

Description

enable

Enable redirection of HTTP to HTTPS.

disable

Disable redirection of HTTP to HTTPS.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

Option

Description

none

None.

http-cookie

HTTP cookie.

ssl-session-id

SSL session ID.

nat-source-vip

Enable/disable forcing the source NAT mapped IP to the external IP for all traffic.

option

-

Option

Description

disable

Force only the source NAT mapped IP to the external IP for traffic egressing the external interface of the VIP.

enable

Force the source NAT mapped IP to the external IP for all traffic.

portforward

Enable/disable port forwarding.

option

-

Option

Description

disable

Disable port forward.

enable

Enable port forward.

protocol

Protocol to use when forwarding packets.

option

-

Option

Description

tcp

TCP.

udp

UDP.

sctp

SCTP.

icmp

ICMP.

extport

Incoming port number range that you want to map to a port number range on the destination network.

user

Not Specified

mappedport

Port number range on the destination network to which the external port number range is mapped.

user

Not Specified

gratuitous-arp-interval

Interval in seconds at which the VIP sends gratuitous ARPs. 0 = disabled; set a value from 5 up to 8640000 seconds to enable.

integer

Minimum value: 5 Maximum value: 8640000

srcintf-filter <interface-name>

Interfaces to which the VIP applies. Separate the names with spaces.

Interface name.

string

Maximum length: 79

portmapping-type

Port mapping type.

option

-

Option

Description

1-to-1

One to one.

m-to-n

Many to many.

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

Option

Description

disable

Disable use of the HTTP cookie domain from the HTTP host field (use the http-cookie-domain setting instead).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Not Specified

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Not Specified

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 seconds. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

http-cookie-share

Control sharing of cookies across virtual servers. same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

Option

Description

disable

Only allow HTTP cookie to match this virtual server.

same-ip

Allow HTTP cookie to match any virtual server with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

Option

Description

disable

Do not mark the cookie as Secure; the cookie can be shared between an HTTP and an HTTPS connection.

enable

Mark the inserted cookie as Secure; the cookie can only be used over an HTTPS connection.

http-multiplex

Enable/disable HTTP multiplexing.

option

-

Option

Description

enable

Enable HTTP session multiplexing.

disable

Disable HTTP session multiplexing.

http-ip-header

For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.

option

-

Option

Description

enable

Enable adding HTTP header.

disable

Disable adding HTTP header.

http-ip-header-name

For HTTP multiplexing, enter a custom HTTP header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.

string

Not Specified

outlook-web-access

Enable to add the Front-End-Https header for Microsoft Outlook Web Access.

option

-

Option

Description

disable

Disable Outlook Web Access support.

enable

Enable Outlook Web Access support.

weblogic-server

Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.

option

-

Option

Description

disable

Do not add HTTP header indicating SSL offload for WebLogic server.

enable

Add HTTP header indicating SSL offload for WebLogic server.

websphere-server

Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.

option

-

Option

Description

disable

Do not add HTTP header indicating SSL offload for WebSphere server.

enable

Add HTTP header indicating SSL offload for WebSphere server.

ssl-mode

Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).

option

-

Option

Description

half

Client to FortiGate SSL.

full

Client to FortiGate and FortiGate to Server SSL.

ssl-certificate

The name of the SSL certificate to use for SSL acceleration.

string

Not Specified

ssl-dh-bits

Number of bits in the Diffie-Hellman prime used for the DHE key exchange (with RSA authentication) in SSL sessions.

option

-

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-algorithm

Permitted encryption algorithms for SSL sessions according to encryption strength.

option

-

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom

Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-server-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

custom

Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.

client

Use the same encryption algorithms for both client and server sessions.

ssl-pfs

Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

option

-

Option

Description

require

Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny

Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow

Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

ssl-min-version

Lowest SSL/TLS version acceptable from a client.

option

-

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-max-version

Highest SSL/TLS version acceptable from a client.

option

-

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-server-min-version

Lowest SSL/TLS version acceptable from a server. Use the client setting by default.

option

-

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

client

Use same value as client configuration.

ssl-server-max-version

Highest SSL/TLS version acceptable from a server. Use the client setting by default.

option

-

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

client

Use same value as client configuration.

ssl-send-empty-frags

Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.

option

-

Option

Description

enable

Send empty fragments.

disable

Do not send empty fragments.

ssl-client-fallback

Enable/disable support for preventing downgrade attacks on client connections (RFC 7507).

option

-

Option

Description

disable

Disable.

enable

Enable.

ssl-client-renegotiation

Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.

option

-

Option

Description

allow

Allow an SSL client to renegotiate.

deny

Abort any client-initiated SSL renegotiation attempt.

secure

Abort any client-initiated SSL renegotiation attempt that does not use RFC 5746 Secure Renegotiation.

ssl-client-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

option

-

Option

Description

disable

Do not keep session states.

time

Expire session states after this many minutes.

count

Expire session states when this maximum is reached.

both

Expire session states based on time or count, whichever occurs first.

ssl-client-session-state-timeout

Number of minutes to keep client to FortiGate SSL session state.

integer

Minimum value: 1 Maximum value: 14400

ssl-client-session-state-max

Maximum number of client to FortiGate SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

ssl-client-rekey-count

Maximum amount of data in MB before triggering a client rekey (0 = disable).

integer

Minimum value: 200 Maximum value: 1048576

ssl-server-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

option

-

Option

Description

disable

Do not keep session states.

time

Expire session states after this many minutes.

count

Expire session states when this maximum is reached.

both

Expire session states based on time or count, whichever occurs first.

ssl-server-session-state-timeout

Number of minutes to keep FortiGate to Server SSL session state.

integer

Minimum value: 1 Maximum value: 14400

ssl-server-session-state-max

Maximum number of FortiGate to Server SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

ssl-http-location-conversion

Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.

option

-

Option

Description

enable

Enable HTTP location conversion.

disable

Disable HTTP location conversion.

ssl-http-match-host

Enable/disable HTTP host matching for location conversion.

option

-

Option

Description

enable

Match HTTP host in response header.

disable

Do not match HTTP host.

ssl-hpkp

Enable/disable including HPKP header in response.

option

-

Option

Description

disable

Do not add an HPKP header to any HTTP response.

enable

Add an HPKP header to each HTTP response.

report-only

Add a HPKP Report-Only header to each HTTP response.

ssl-hpkp-primary

Certificate to generate primary HPKP pin from.

string

Not Specified

ssl-hpkp-backup

Certificate to generate backup HPKP pin from.

string

Not Specified

ssl-hpkp-age

Number of seconds the client should honour the HPKP setting.

integer

Minimum value: 60 Maximum value: 157680000

ssl-hpkp-report-uri

URL to report HPKP violations to.

var-string

Not Specified

ssl-hpkp-include-subdomains

Indicate that HPKP header applies to all subdomains.

option

-

Option

Description

disable

HPKP header does not apply to subdomains.

enable

HPKP header applies to subdomains.

ssl-hsts

Enable/disable including HSTS header in response.

option

-

Option

Description

disable

Do not add an HSTS header to any HTTP response.

enable

Add an HSTS header to each HTTP response.

ssl-hsts-age

Number of seconds the client should honour the HSTS setting.

integer

Minimum value: 60 Maximum value: 157680000

ssl-hsts-include-subdomains

Indicate that HSTS header applies to all subdomains.

option

-

Option

Description

disable

HSTS header does not apply to subdomains.

enable

HSTS header applies to subdomains.

monitor <name>

Name of the health check monitor to use when polling to determine a virtual server's connectivity status.

Health monitor name.

string

Maximum length: 79

max-embryonic-connections

Maximum number of incomplete connections.

integer

Minimum value: 0 Maximum value: 100000

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32
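The SSL parameters in the table above (ssl-min-version, ssl-algorithm and its ssl-cipher-suites table, ssl-pfs, ssl-dh-bits, ssl-client-renegotiation, https-cookie-secure) are the ones a reviewer checks first on a TLS-terminating VIP. The following Python script is an added example, not Fortinet code and not part of this reference: it parses the config/edit/set/next/end syntax shown at the top of this section from a configuration dump and flags weak choices using the option meanings given in this table (medium and low both admit RC4 and 3DES; deny restricts to non-DH suites). The VIP names and sample values are constructed, the 2048-bit DH floor is the example's own threshold, and multi-value settings such as versions are assumed to be space-separated as typed on the CLI.

```python
# Added example (not Fortinet code): audit 'config firewall vip' entries for weak TLS settings.
import shlex

TLS_SERVER_TYPES = {"https", "ssl", "imaps", "pop3s", "smtps"}  # server-type values the FortiGate decrypts
WEAK_VERSIONS = {"ssl-3.0", "tls-1.0", "tls-1.1"}
WEAK_CIPHER_TOKENS = ("-RC4-", "-DES-", "-3DES-", "-MD5")  # legacy primitives in suite names


def parse_fortios(text):
    """Parse config/edit/set/next/end syntax into {table: {entry: fields}} dicts."""
    root = {}
    stack = [root]  # nesting alternates: table, entry, table, entry, ...
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kw, *args = shlex.split(line)
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":  # a set key maps to its list of values (assumed space-separated)
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def _first(entry, key):
    """First value of a set key, or None when absent or when the key is a sub-table."""
    vals = entry.get(key)
    return vals[0] if isinstance(vals, list) and vals else None


def audit_vip(name, vip):
    """Return (code, severity, message) findings for one VIP entry."""
    findings = []

    def flag(code, sev, msg):
        findings.append((code, sev, f"{name}: {msg}"))

    server_type = _first(vip, "server-type")
    if server_type not in TLS_SERVER_TYPES:
        return findings  # the FortiGate does not terminate TLS for this VIP
    for key in ("ssl-min-version", "ssl-max-version", "ssl-server-min-version", "ssl-server-max-version"):
        if _first(vip, key) in WEAK_VERSIONS:
            flag("weak-version", "high", f"{key} {_first(vip, key)} permits pre-TLS-1.2 handshakes")
    alg = _first(vip, "ssl-algorithm")
    if alg in ("medium", "low"):  # per the reference, both admit RC4 and 3DES
        flag("weak-algorithm", "high", f"ssl-algorithm {alg} permits RC4/3DES")
    elif alg == "custom":  # the ssl-cipher-suites table then decides what is offered
        for prio, row in vip.get("ssl-cipher-suites", {}).items():
            cipher = _first(row, "cipher") or ""
            old = sorted(WEAK_VERSIONS.intersection(row.get("versions", [])))
            if old or any(tok in cipher for tok in WEAK_CIPHER_TOKENS):
                flag("weak-cipher-suite", "high", f"suite {prio} {cipher} (legacy versions {old})")
    if _first(vip, "ssl-pfs") == "deny":
        flag("no-pfs", "medium", "ssl-pfs deny allows only non-DH suites, so no forward secrecy")
    if _first(vip, "ssl-client-renegotiation") == "allow":
        flag("insecure-renegotiation", "medium", "renegotiation is accepted without RFC 5746")
    dh = _first(vip, "ssl-dh-bits")
    if dh and int(dh) < 2048:  # 2048 is this example's floor, not a FortiOS default
        flag("small-dh-group", "medium", f"ssl-dh-bits {dh} is below 2048")
    if (server_type == "https" and _first(vip, "persistence") == "http-cookie"
            and _first(vip, "https-cookie-secure") != "enable"):
        flag("cookie-not-secure", "medium", "persistence cookie is inserted without the Secure flag")
    return findings


def audit_config(text):
    """Audit every entry under 'config firewall vip' in a FortiOS config dump."""
    vips = parse_fortios(text).get("firewall vip", {})
    return [f for name, vip in vips.items() for f in audit_vip(name, vip)]


# Constructed sample (names and values made up): a legacy VIP beside a hardened one.
SAMPLE_CONFIG = """
config firewall vip
    edit "legacy-web"
        set server-type https
        set persistence http-cookie
        set https-cookie-secure disable
        set ssl-dh-bits 1024
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-RSA-WITH-RC4-128-SHA
                set versions tls-1.0 tls-1.1 tls-1.2
            next
        end
        set ssl-min-version tls-1.0
        set ssl-client-renegotiation allow
    next
    edit "hardened-web"
        set server-type https
        set persistence http-cookie
        set https-cookie-secure enable
        set ssl-dh-bits 2048
        set ssl-algorithm high
        set ssl-pfs require
        set ssl-min-version tls-1.2
        set ssl-client-renegotiation secure
    next
end
"""
```

Feed `audit_config` the text of a configuration backup or of `show firewall vip`; on the constructed sample it reports five findings against legacy-web (weak version, RC4 suite offered for TLS 1.0/1.1, insecure renegotiation, 1024-bit DH group, non-Secure persistence cookie) and none against hardened-web. Entries whose server-type is not a TLS-terminating one are skipped, since the SSL parameters have no effect there; a setting the dump omits is treated as not weak, so the device default for that setting still has to be checked separately.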

config realservers

Parameter

Description

Type

Size

ip

IP address of the real server.

ipv4-address-any

Not Specified

port

Port for communicating with the real server. Required if port forwarding is enabled.

integer

Minimum value: 1 Maximum value: 65535

status

Set the status of the real server to active so that it can accept traffic, or to standby or disable so that no traffic is sent to it.

option

-

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disabled.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

holddown-interval

Time in seconds that the health check monitor continues to monitor an unresponsive server that should be active.

integer

Minimum value: 30 Maximum value: 65535

healthcheck

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

Option

Description

disable

Disable per server health check.

enable

Enable per server health check.

vip

Use health check defined in VIP.

http-host

HTTP server domain name in HTTP header.

string

Not Specified

max-connections

Max number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers.

integer

Minimum value: 0 Maximum value: 2147483647

monitor

Name of the health check monitor to use when polling to determine a virtual server's connectivity status.

string

Not Specified

client-ip

Only clients in this IP range can connect to this real server.

user

Not Specified

config ssl-cipher-suites

Parameter

Description

Type

Size

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config ssl-server-cipher-suites

Parameter

Description

Type

Size

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.