
config firewall vip6

config firewall vip6

Configure virtual IP for IPv6.

config firewall vip6
    Description: Configure virtual IP for IPv6.
    edit <name>
        set add-nat64-route [disable|enable]
        set color {integer}
        set comment {var-string}
        set embedded-ipv4-address [disable|enable]
        set extip {user}
        set extport {user}
        set h2-support [enable|disable]
        set h3-support [enable|disable]
        set http-cookie-age {integer}
        set http-cookie-domain {string}
        set http-cookie-domain-from-host [disable|enable]
        set http-cookie-generation {integer}
        set http-cookie-path {string}
        set http-cookie-share [disable|same-ip]
        set http-ip-header [enable|disable]
        set http-ip-header-name {string}
        set http-multiplex [enable|disable]
        set http-redirect [enable|disable]
        set https-cookie-secure [disable|enable]
        set id {integer}
        set ipv4-mappedip {user}
        set ipv4-mappedport {user}
        set ldb-method [static|round-robin|...]
        set mappedip {user}
        set mappedport {user}
        set max-embryonic-connections {integer}
        set monitor <name1>, <name2>, ...
        set nat-source-vip [disable|enable]
        set nat64 [disable|enable]
        set nat66 [disable|enable]
        set ndp-reply [disable|enable]
        set outlook-web-access [disable|enable]
        set persistence [none|http-cookie|...]
        set portforward [disable|enable]
        set protocol [tcp|udp|...]
        config quic
            Description: QUIC setting.
            set ack-delay-exponent {integer}
            set active-connection-id-limit {integer}
            set active-migration [enable|disable]
            set grease-quic-bit [enable|disable]
            set max-ack-delay {integer}
            set max-datagram-frame-size {integer}
            set max-idle-timeout {integer}
            set max-udp-payload-size {integer}
        end
        config realservers
            Description: Select the real servers that this server load balancing VIP will distribute traffic to.
            edit <id>
                set client-ip {user}
                set healthcheck [disable|enable|...]
                set holddown-interval {integer}
                set http-host {string}
                set ip {user}
                set max-connections {integer}
                set monitor <name1>, <name2>, ...
                set port {integer}
                set status [active|standby|...]
                set translate-host [enable|disable]
                set weight {integer}
            next
        end
        set server-type [http|https|...]
        set src-filter <range1>, <range2>, ...
        set src-vip-filter [disable|enable]
        set ssl-accept-ffdhe-groups [enable|disable]
        set ssl-algorithm [high|medium|...]
        set ssl-certificate <name1>, <name2>, ...
        config ssl-cipher-suites
            Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-client-fallback [disable|enable]
        set ssl-client-rekey-count {integer}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-client-session-state-max {integer}
        set ssl-client-session-state-timeout {integer}
        set ssl-client-session-state-type [disable|time|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-hpkp [disable|enable|...]
        set ssl-hpkp-age {integer}
        set ssl-hpkp-backup {string}
        set ssl-hpkp-include-subdomains [disable|enable]
        set ssl-hpkp-primary {string}
        set ssl-hpkp-report-uri {var-string}
        set ssl-hsts [disable|enable]
        set ssl-hsts-age {integer}
        set ssl-hsts-include-subdomains [disable|enable]
        set ssl-http-location-conversion [enable|disable]
        set ssl-http-match-host [enable|disable]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-mode [half|full]
        set ssl-pfs [require|deny|...]
        set ssl-send-empty-frags [enable|disable]
        set ssl-server-algorithm [high|medium|...]
        config ssl-server-cipher-suites
            Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-server-max-version [ssl-3.0|tls-1.0|...]
        set ssl-server-min-version [ssl-3.0|tls-1.0|...]
        set ssl-server-renegotiation [enable|disable]
        set ssl-server-session-state-max {integer}
        set ssl-server-session-state-timeout {integer}
        set ssl-server-session-state-type [disable|time|...]
        set type [static-nat|server-load-balance|...]
        set uuid {uuid}
        set weblogic-server [disable|enable]
        set websphere-server [disable|enable]
    next
end

config firewall vip6

Parameter

Description

Type

Size

Default

add-nat64-route

Enable/disable adding NAT64 route.

option

-

enable

Option

Description

disable

Disable adding NAT64 route.

enable

Enable adding NAT64 route.

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0

comment

Comment.

var-string

Maximum length: 255

embedded-ipv4-address

Enable/disable use of the lower 32 bits of the external IPv6 address as mapped IPv4 address.

option

-

disable

Option

Description

disable

Disable use of the lower 32 bits of the external IPv6 address as mapped IPv4 address.

enable

Enable use of the lower 32 bits of the external IPv6 address as mapped IPv4 address.

extip

IPv6 address or address range on the external interface that you want to map to an address or address range on the destination network.

user

Not Specified

extport

Incoming port number range that you want to map to a port number range on the destination network.

user

Not Specified

h2-support

Enable/disable HTTP2 support.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

Enable/disable HTTP3/QUIC support.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-share

Control sharing of cookies across virtual servers. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

Option

Description

disable

Only allow HTTP cookie to match this virtual server.

same-ip

Allow HTTP cookie to match any virtual server with same IP.

http-ip-header

For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.

option

-

disable

Option

Description

enable

Enable adding HTTP header.

disable

Disable adding HTTP header.

http-ip-header-name

For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.

string

Maximum length: 35

http-multiplex

Enable/disable HTTP multiplexing.

option

-

disable

Option

Description

enable

Enable HTTP session multiplexing.

disable

Disable HTTP session multiplexing.

http-redirect

Enable/disable redirection of HTTP to HTTPS.

option

-

disable

Option

Description

enable

Enable redirection of HTTP to HTTPS.

disable

Disable redirection of HTTP to HTTPS.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure; the cookie can only be used for an HTTPS connection.

id

Custom defined ID.

integer

Minimum value: 0 Maximum value: 65535

0

ipv4-mappedip

Range of mapped IP addresses. Specify the start IP address followed by a space and the end IP address.

user

Not Specified

ipv4-mappedport

IPv4 port number range on the destination network to which the external port number range is mapped.

user

Not Specified

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute sessions based on source IP.

round-robin

Distribute sessions in round-robin order.

weighted

Distribute sessions based on weight.

least-session

Distribute new sessions to the server with the lowest session count.

least-rtt

Distribute new sessions to the server with lowest Round-Trip-Time.

first-alive

Distribute sessions to the first server that is alive.

http-host

Distribute sessions to servers based on host field in HTTP header.

mappedip

Mapped IPv6 address range in the format startIP-endIP.

user

Not Specified

mappedport

Port number range on the destination network to which the external port number range is mapped.

user

Not Specified

max-embryonic-connections

Maximum number of incomplete connections.

integer

Minimum value: 0 Maximum value: 100000

1000

monitor <name>

Name of the health check monitor to use when polling to determine a virtual server's connectivity status.

Health monitor name.

string

Maximum length: 79

name

Virtual ip6 name.

string

Maximum length: 79

nat-source-vip

Enable to perform SNAT on traffic from mappedip to the extip for all egress interfaces.

option

-

disable

Option

Description

disable

Do not perform SNAT on traffic from mappedip to the extip.

enable

Perform SNAT on traffic from mappedip to the extip for all egress interfaces.

nat64

Enable/disable DNAT64.

option

-

disable

Option

Description

disable

Disable DNAT64.

enable

Enable DNAT64.

nat66

Enable/disable DNAT66.

option

-

enable

Option

Description

disable

Disable DNAT66.

enable

Enable DNAT66.

ndp-reply

Enable/disable this FortiGate unit's ability to respond to NDP requests for this virtual IP address.

option

-

enable

Option

Description

disable

Disable this FortiGate unit's ability to respond to NDP requests for this virtual IP address.

enable

Enable this FortiGate unit's ability to respond to NDP requests for this virtual IP address.

outlook-web-access

Enable to add the Front-End-Https header for Microsoft Outlook Web Access.

option

-

disable

Option

Description

disable

Disable Outlook Web Access support.

enable

Enable Outlook Web Access support.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

ssl-session-id

SSL session ID.

portforward

Enable port forwarding.

option

-

disable

Option

Description

disable

Disable port forward.

enable

Enable port forwarding.

protocol

Protocol to use when forwarding packets.

option

-

tcp

Option

Description

tcp

TCP.

udp

UDP.

sctp

SCTP.

server-type

Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).

option

-

Option

Description

http

HTTP.

https

HTTPS.

imaps

IMAPS.

pop3s

POP3S.

smtps

SMTPS.

ssl

SSL.

tcp

TCP.

udp

UDP.

ip

IP.

src-filter <range>

Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces.

Source-filter range.

string

Maximum length: 79

src-vip-filter

Enable/disable use of 'src-filter' to match destinations for the reverse SNAT rule.

option

-

disable

Option

Description

disable

Match any destination for the reverse SNAT rule.

enable

Match only destinations in 'src-filter' for the reverse SNAT rule.

ssl-accept-ffdhe-groups

Enable/disable FFDHE cipher suite for SSL key exchange.

option

-

enable

Option

Description

enable

Accept FFDHE groups.

disable

Do not accept FFDHE groups.

ssl-algorithm

Permitted encryption algorithms for SSL sessions according to encryption strength.

option

-

high

Option

Description

high

Use AES.

medium

Use AES, 3DES, or RC4.

low

Use AES, 3DES, RC4, or DES.

custom

Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-certificate <name>

Name of the certificate to use for SSL handshake.

Certificate list.

string

Maximum length: 79

ssl-client-fallback

Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).

option

-

enable

Option

Description

disable

Disable support for preventing downgrade attacks (RFC 7507).

enable

Enable support for preventing downgrade attacks (RFC 7507).

ssl-client-rekey-count

Maximum length of data in MB before triggering a client rekey (0 = disable).

integer

Minimum value: 200 Maximum value: 1048576

0

ssl-client-renegotiation

Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.

option

-

secure

Option

Description

allow

Allow an SSL client to renegotiate.

deny

Abort any SSL connection that attempts to renegotiate.

secure

Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.

ssl-client-session-state-max

Maximum number of client to FortiGate SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

1000

ssl-client-session-state-timeout

Number of minutes to keep client to FortiGate SSL session state.

integer

Minimum value: 1 Maximum value: 14400

30

ssl-client-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

option

-

both

Option

Description

disable

Do not keep session states.

time

Expire session states after this many minutes.

count

Expire session states when this maximum is reached.

both

Expire session states based on time or count, whichever occurs first.

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-hpkp

Enable/disable including HPKP header in response.

option

-

disable

Option

Description

disable

Do not add an HPKP header to each HTTP response.

enable

Add an HPKP header to each HTTP response.

report-only

Add an HPKP Report-Only header to each HTTP response.

ssl-hpkp-age

Number of minutes the web browser should keep HPKP.

integer

Minimum value: 60 Maximum value: 157680000

5184000

ssl-hpkp-backup

Certificate to generate backup HPKP pin from.

string

Maximum length: 79

ssl-hpkp-include-subdomains

Indicate that HPKP header applies to all subdomains.

option

-

disable

Option

Description

disable

HPKP header does not apply to subdomains.

enable

HPKP header applies to subdomains.

ssl-hpkp-primary

Certificate to generate primary HPKP pin from.

string

Maximum length: 79

ssl-hpkp-report-uri

URL to report HPKP violations to.

var-string

Maximum length: 255

ssl-hsts

Enable/disable including HSTS header in response.

option

-

disable

Option

Description

disable

Do not add an HSTS header to each HTTP response.

enable

Add an HSTS header to each HTTP response.

ssl-hsts-age

Number of seconds the client should honor the HSTS setting.

integer

Minimum value: 60 Maximum value: 157680000

5184000

ssl-hsts-include-subdomains

Indicate that HSTS header applies to all subdomains.

option

-

disable

Option

Description

disable

HSTS header does not apply to subdomains.

enable

HSTS header applies to subdomains.

ssl-http-location-conversion

Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.

option

-

disable

Option

Description

enable

Enable HTTP location conversion.

disable

Disable HTTP location conversion.

ssl-http-match-host

Enable/disable HTTP host matching for location conversion.

option

-

enable

Option

Description

enable

Match HTTP host in response header.

disable

Do not match HTTP host.

ssl-max-version

Highest SSL/TLS version acceptable from a client.

option

-

tls-1.3

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-min-version

Lowest SSL/TLS version acceptable from a client.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-mode

Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).

option

-

half

Option

Description

half

Client to FortiGate SSL.

full

Client to FortiGate and FortiGate to Server SSL.

ssl-pfs

Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

option

-

require

Option

Description

require

Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny

Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow

Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

ssl-send-empty-frags

Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.

option

-

enable

Option

Description

enable

Send empty fragments.

disable

Do not send empty fragments.

ssl-server-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

client

Option

Description

high

Use AES.

medium

Use AES, 3DES, or RC4.

low

Use AES, 3DES, RC4, or DES.

custom

Use config ssl-server-cipher-suites to select the cipher suites that are allowed.

client

Use the same encryption algorithms for client and server sessions.

ssl-server-max-version

Highest SSL/TLS version acceptable from a server. Use the client setting by default.

option

-

client

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

client

Use same value as client configuration.

ssl-server-min-version

Lowest SSL/TLS version acceptable from a server. Use the client setting by default.

option

-

client

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

client

Use same value as client configuration.

ssl-server-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

-

enable

Option

Description

enable

Enable secure renegotiation.

disable

Disable secure renegotiation.

ssl-server-session-state-max

Maximum number of FortiGate to Server SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

100

ssl-server-session-state-timeout

Number of minutes to keep FortiGate to Server SSL session state.

integer

Minimum value: 1 Maximum value: 14400

60

ssl-server-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

option

-

both

Option

Description

disable

Do not keep session states.

time

Expire session states after this many minutes.

count

Expire session states when this maximum is reached.

both

Expire session states based on time or count, whichever occurs first.

type

Configure a static NAT, server load balance VIP, or access proxy.

option

-

static-nat

Option

Description

static-nat

Static NAT.

server-load-balance

Server load balance.

access-proxy

Access proxy.

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

weblogic-server

Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.

option

-

disable

Option

Description

disable

Do not add HTTP header indicating SSL offload for WebLogic server.

enable

Add HTTP header indicating SSL offload for WebLogic server.

websphere-server

Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.

option

-

disable

Option

Description

disable

Do not add HTTP header indicating SSL offload for WebSphere server.

enable

Add HTTP header indicating SSL offload for WebSphere server.

config quic

Parameter

Description

Type

Size

Default

ack-delay-exponent

ACK delay exponent.

integer

Minimum value: 1 Maximum value: 20

3

active-connection-id-limit

Active connection ID limit.

integer

Minimum value: 1 Maximum value: 8

2

active-migration

Enable/disable active migration.

option

-

disable

Option

Description

enable

Enable active migration.

disable

Disable active migration.

grease-quic-bit

Enable/disable grease QUIC bit.

option

-

enable

Option

Description

enable

Enable grease QUIC bit.

disable

Disable grease QUIC bit.

max-ack-delay

Maximum ACK delay in milliseconds.

integer

Minimum value: 1 Maximum value: 16383

25

max-datagram-frame-size

Maximum datagram frame size in bytes.

integer

Minimum value: 1 Maximum value: 1500

1500

max-idle-timeout

Maximum idle timeout in milliseconds.

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes.

integer

Minimum value: 1200 Maximum value: 1500

1500

config realservers

Parameter

Description

Type

Size

Default

client-ip

Only clients in this IP range can connect to this real server.

user

Not Specified

healthcheck

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

vip

Option

Description

disable

Disable per server health check.

enable

Enable per server health check.

vip

Use health check defined in VIP.

holddown-interval

Time in seconds that the system waits before re-activating a previously down active server in the active-standby mode. This is to prevent any flapping issues.

integer

Minimum value: 30 Maximum value: 65535

300

http-host

HTTP server domain name in HTTP header.

string

Maximum length: 63

id

Real server ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

IP address of the real server.

user

Not Specified

max-connections

Maximum number of active connections that can be directed to the real server. When reached, sessions are sent to other real servers.

integer

Minimum value: 0 Maximum value: 2147483647

0

monitor <name>

Name of the health check monitor to use when polling to determine a virtual server's connectivity status.

Health monitor name.

string

Maximum length: 79

port

Port for communicating with the real server. Required if port forwarding is enabled.

integer

Minimum value: 1 Maximum value: 65535

0

status

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

option

-

active

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disable.

translate-host

Enable/disable translation of hostname/IP from virtual server to real server.

option

-

enable

Option

Description

enable

Enable virtual hostname/IP translation.

disable

Disable virtual hostname/IP translation.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

1

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

0

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config ssl-server-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

0

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config firewall vip6

config firewall vip6

Configure virtual IP for IPv6.

config firewall vip6
    Description: Configure virtual IP for IPv6.
    edit <name>
        set add-nat64-route [disable|enable]
        set color {integer}
        set comment {var-string}
        set embedded-ipv4-address [disable|enable]
        set extip {user}
        set extport {user}
        set h2-support [enable|disable]
        set h3-support [enable|disable]
        set http-cookie-age {integer}
        set http-cookie-domain {string}
        set http-cookie-domain-from-host [disable|enable]
        set http-cookie-generation {integer}
        set http-cookie-path {string}
        set http-cookie-share [disable|same-ip]
        set http-ip-header [enable|disable]
        set http-ip-header-name {string}
        set http-multiplex [enable|disable]
        set http-redirect [enable|disable]
        set https-cookie-secure [disable|enable]
        set id {integer}
        set ipv4-mappedip {user}
        set ipv4-mappedport {user}
        set ldb-method [static|round-robin|...]
        set mappedip {user}
        set mappedport {user}
        set max-embryonic-connections {integer}
        set monitor <name1>, <name2>, ...
        set nat-source-vip [disable|enable]
        set nat64 [disable|enable]
        set nat66 [disable|enable]
        set ndp-reply [disable|enable]
        set outlook-web-access [disable|enable]
        set persistence [none|http-cookie|...]
        set portforward [disable|enable]
        set protocol [tcp|udp|...]
        config quic
            Description: QUIC setting.
            set ack-delay-exponent {integer}
            set active-connection-id-limit {integer}
            set active-migration [enable|disable]
            set grease-quic-bit [enable|disable]
            set max-ack-delay {integer}
            set max-datagram-frame-size {integer}
            set max-idle-timeout {integer}
            set max-udp-payload-size {integer}
        end
        config realservers
            Description: Select the real servers that this server load balancing VIP will distribute traffic to.
            edit <id>
                set client-ip {user}
                set healthcheck [disable|enable|...]
                set holddown-interval {integer}
                set http-host {string}
                set ip {user}
                set max-connections {integer}
                set monitor <name1>, <name2>, ...
                set port {integer}
                set status [active|standby|...]
                set translate-host [enable|disable]
                set weight {integer}
            next
        end
        set server-type [http|https|...]
        set src-filter <range1>, <range2>, ...
        set src-vip-filter [disable|enable]
        set ssl-accept-ffdhe-groups [enable|disable]
        set ssl-algorithm [high|medium|...]
        set ssl-certificate <name1>, <name2>, ...
        config ssl-cipher-suites
            Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-client-fallback [disable|enable]
        set ssl-client-rekey-count {integer}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-client-session-state-max {integer}
        set ssl-client-session-state-timeout {integer}
        set ssl-client-session-state-type [disable|time|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-hpkp [disable|enable|...]
        set ssl-hpkp-age {integer}
        set ssl-hpkp-backup {string}
        set ssl-hpkp-include-subdomains [disable|enable]
        set ssl-hpkp-primary {string}
        set ssl-hpkp-report-uri {var-string}
        set ssl-hsts [disable|enable]
        set ssl-hsts-age {integer}
        set ssl-hsts-include-subdomains [disable|enable]
        set ssl-http-location-conversion [enable|disable]
        set ssl-http-match-host [enable|disable]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-mode [half|full]
        set ssl-pfs [require|deny|...]
        set ssl-send-empty-frags [enable|disable]
        set ssl-server-algorithm [high|medium|...]
        config ssl-server-cipher-suites
            Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-server-max-version [ssl-3.0|tls-1.0|...]
        set ssl-server-min-version [ssl-3.0|tls-1.0|...]
        set ssl-server-renegotiation [enable|disable]
        set ssl-server-session-state-max {integer}
        set ssl-server-session-state-timeout {integer}
        set ssl-server-session-state-type [disable|time|...]
        set type [static-nat|server-load-balance|...]
        set uuid {uuid}
        set weblogic-server [disable|enable]
        set websphere-server [disable|enable]
    next
end

config firewall vip6

Parameter

Description

Type

Size

Default

add-nat64-route

Enable/disable adding NAT64 route.

option

-

enable

Option

Description

disable

Disable adding NAT64 route.

enable

Enable adding NAT64 route.

color

Color of icon on the GUI.

integer

Minimum value: 0 Maximum value: 32

0

comment

Comment.

var-string

Maximum length: 255

embedded-ipv4-address

Enable/disable use of the lower 32 bits of the external IPv6 address as mapped IPv4 address.

option

-

disable

Option

Description

disable

Disable use of the lower 32 bits of the external IPv6 address as mapped IPv4 address.

enable

Enable use of the lower 32 bits of the external IPv6 address as mapped IPv4 address.

extip

IPv6 address or address range on the external interface that you want to map to an address or address range on the destination network.

user

Not Specified

extport

Incoming port number range that you want to map to a port number range on the destination network.

user

Not Specified

h2-support

Enable/disable HTTP2 support.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

Enable/disable HTTP3/QUIC support.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use the http-cookie-domain setting instead).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-share

Control sharing of cookies across virtual servers. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

Option

Description

disable

Only allow HTTP cookie to match this virtual server.

same-ip

Allow HTTP cookie to match any virtual server with same IP.

http-ip-header

For HTTP multiplexing, enable to add the original client IP address in the X-Forwarded-For HTTP header.

option

-

disable

Option

Description

enable

Enable adding HTTP header.

disable

Disable adding HTTP header.

http-ip-header-name

For HTTP multiplexing, enter a custom HTTPS header name. The original client IP address is added to this header. If empty, X-Forwarded-For is used.

string

Maximum length: 35

http-multiplex

Enable/disable HTTP multiplexing.

option

-

disable

Option

Description

enable

Enable HTTP session multiplexing.

disable

Disable HTTP session multiplexing.

http-redirect

Enable/disable redirection of HTTP to HTTPS.

option

-

disable

Option

Description

enable

Enable redirection of HTTP to HTTPS.

disable

Disable redirection of HTTP to HTTPS.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

Option

Description

disable

Do not mark the cookie as secure; this allows it to be shared between an HTTP and an HTTPS connection.

enable

Mark the inserted cookie as secure; the cookie can only be used for an HTTPS connection.

id

Custom defined ID.

integer

Minimum value: 0 Maximum value: 65535

0

ipv4-mappedip

Range of mapped IP addresses. Specify the start IP address followed by a space and the end IP address.

user

Not Specified

ipv4-mappedport

IPv4 port number range on the destination network to which the external port number range is mapped.

user

Not Specified

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute sessions based on source IP.

round-robin

Distribute sessions in round-robin order.

weighted

Distribute sessions based on weight.

least-session

Sends new sessions to the server with the lowest session count.

least-rtt

Distribute new sessions to the server with lowest Round-Trip-Time.

first-alive

Distribute sessions to the first server that is alive.

http-host

Distribute sessions to servers based on host field in HTTP header.

mappedip

Mapped IPv6 address range in the format startIP-endIP.

user

Not Specified

mappedport

Port number range on the destination network to which the external port number range is mapped.

user

Not Specified

max-embryonic-connections

Maximum number of incomplete connections.

integer

Minimum value: 0 Maximum value: 100000

1000

monitor <name>

Name of the health check monitor to use when polling to determine a virtual server's connectivity status.

Health monitor name.

string

Maximum length: 79

name

Virtual ip6 name.

string

Maximum length: 79

nat-source-vip

Enable to perform SNAT on traffic from mappedip to the extip for all egress interfaces.

option

-

disable

Option

Description

disable

Disable nat-source-vip.

enable

Perform SNAT on traffic from mappedip to the extip for all egress interfaces.

nat64

Enable/disable DNAT64.

option

-

disable

Option

Description

disable

Disable DNAT64.

enable

Enable DNAT64.

nat66

Enable/disable DNAT66.

option

-

enable

Option

Description

disable

Disable DNAT66.

enable

Enable DNAT66.

ndp-reply

Enable/disable this FortiGate unit's ability to respond to NDP requests for this virtual IP address.

option

-

enable

Option

Description

disable

Disable this FortiGate unit's ability to respond to NDP requests for this virtual IP address.

enable

Enable this FortiGate unit's ability to respond to NDP requests for this virtual IP address.

outlook-web-access

Enable to add the Front-End-Https header for Microsoft Outlook Web Access.

option

-

disable

Option

Description

disable

Disable Outlook Web Access support.

enable

Enable Outlook Web Access support.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

ssl-session-id

SSL session ID.

portforward

Enable port forwarding.

option

-

disable

Option

Description

disable

Disable port forward.

enable

Enable port forwarding.

protocol

Protocol to use when forwarding packets.

option

-

tcp

Option

Description

tcp

TCP.

udp

UDP.

sctp

SCTP.

server-type

Protocol to be load balanced by the virtual server (also called the server load balance virtual IP).

option

-

Option

Description

http

HTTP.

https

HTTPS.

imaps

IMAPS.

pop3s

POP3S.

smtps

SMTPS.

ssl

SSL.

tcp

TCP.

udp

UDP.

ip

IP.

src-filter <range>

Source IP6 filter (x:x:x:x:x:x:x:x/x). Separate addresses with spaces.

Source-filter range.

string

Maximum length: 79

src-vip-filter

Enable/disable use of 'src-filter' to match destinations for the reverse SNAT rule.

option

-

disable

Option

Description

disable

Match any destination for the reverse SNAT rule.

enable

Match only destinations in 'src-filter' for the reverse SNAT rule.

ssl-accept-ffdhe-groups

Enable/disable FFDHE cipher suite for SSL key exchange.

option

-

enable

Option

Description

enable

Accept FFDHE groups.

disable

Do not accept FFDHE groups.

ssl-algorithm

Permitted encryption algorithms for SSL sessions according to encryption strength.

option

-

high

Option

Description

high

Use AES.

medium

Use AES, 3DES, or RC4.

low

Use AES, 3DES, RC4, or DES.

custom

Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-certificate <name>

Name of the certificate to use for SSL handshake.

Certificate list.

string

Maximum length: 79

ssl-client-fallback

Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).

option

-

enable

Option

Description

disable

Disable.

enable

Enable.

ssl-client-rekey-count

Maximum length of data in MB before triggering a client rekey (0 = disable).

integer

Minimum value: 200 Maximum value: 1048576

0

ssl-client-renegotiation

Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.

option

-

secure

Option

Description

allow

Allow an SSL client to renegotiate.

deny

Abort any SSL connection that attempts to renegotiate.

secure

Reject any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.

ssl-client-session-state-max

Maximum number of client to FortiGate SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

1000

ssl-client-session-state-timeout

Number of minutes to keep client to FortiGate SSL session state.

integer

Minimum value: 1 Maximum value: 14400

30

ssl-client-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

option

-

both

Option

Description

disable

Do not keep session states.

time

Expire session states after this many minutes.

count

Expire session states when this maximum is reached.

both

Expire session states based on time or count, whichever occurs first.

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-hpkp

Enable/disable including HPKP header in response.

option

-

disable

Option

Description

disable

Do not add an HPKP header to each HTTP response.

enable

Add an HPKP header to each HTTP response.

report-only

Add an HPKP Report-Only header to each HTTP response.

ssl-hpkp-age

Number of minutes the web browser should keep HPKP.

integer

Minimum value: 60 Maximum value: 157680000

5184000

ssl-hpkp-backup

Certificate to generate backup HPKP pin from.

string

Maximum length: 79

ssl-hpkp-include-subdomains

Indicate that HPKP header applies to all subdomains.

option

-

disable

Option

Description

disable

HPKP header does not apply to subdomains.

enable

HPKP header applies to subdomains.

ssl-hpkp-primary

Certificate to generate primary HPKP pin from.

string

Maximum length: 79

ssl-hpkp-report-uri

URL to report HPKP violations to.

var-string

Maximum length: 255

ssl-hsts

Enable/disable including HSTS header in response.

option

-

disable

Option

Description

disable

Do not add an HSTS header to each HTTP response.

enable

Add an HSTS header to each HTTP response.

ssl-hsts-age

Number of seconds the client should honor the HSTS setting.

integer

Minimum value: 60 Maximum value: 157680000

5184000

ssl-hsts-include-subdomains

Indicate that HSTS header applies to all subdomains.

option

-

disable

Option

Description

disable

HSTS header does not apply to subdomains.

enable

HSTS header applies to subdomains.

ssl-http-location-conversion

Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.

option

-

disable

Option

Description

enable

Enable HTTP location conversion.

disable

Disable HTTP location conversion.

ssl-http-match-host

Enable/disable HTTP host matching for location conversion.

option

-

enable

Option

Description

enable

Match HTTP host in response header.

disable

Do not match HTTP host.

ssl-max-version

Highest SSL/TLS version acceptable from a client.

option

-

tls-1.3

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-min-version

Lowest SSL/TLS version acceptable from a client.

option

-

tls-1.1

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-mode

Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).

option

-

half

Option

Description

half

Client to FortiGate SSL.

full

Client to FortiGate and FortiGate to Server SSL.

ssl-pfs

Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

option

-

require

Option

Description

require

Allow only Diffie-Hellman cipher-suites, so PFS is applied.

deny

Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

allow

Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

ssl-send-empty-frags

Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.

option

-

enable

Option

Description

enable

Send empty fragments.

disable

Do not send empty fragments.

ssl-server-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

client

Option

Description

high

Use AES.

medium

Use AES, 3DES, or RC4.

low

Use AES, 3DES, RC4, or DES.

custom

Use config ssl-server-cipher-suites to select the cipher suites that are allowed.

client

Use the same encryption algorithms for client and server sessions.

ssl-server-max-version

Highest SSL/TLS version acceptable from a server. Use the client setting by default.

option

-

client

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

client

Use same value as client configuration.

ssl-server-min-version

Lowest SSL/TLS version acceptable from a server. Use the client setting by default.

option

-

client

Option

Description

ssl-3.0

SSL 3.0.

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

client

Use same value as client configuration.

ssl-server-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

-

enable

Option

Description

enable

Enable secure renegotiation.

disable

Disable secure renegotiation.

ssl-server-session-state-max

Maximum number of FortiGate to Server SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

100

ssl-server-session-state-timeout

Number of minutes to keep FortiGate to Server SSL session state.

integer

Minimum value: 1 Maximum value: 14400

60

ssl-server-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

option

-

both

Option

Description

disable

Do not keep session states.

time

Expire session states after this many minutes.

count

Expire session states when this maximum is reached.

both

Expire session states based on time or count, whichever occurs first.

type

Configure a static NAT, server load balance VIP, or access proxy.

option

-

static-nat

Option

Description

static-nat

Static NAT.

server-load-balance

Server load balance.

access-proxy

Access proxy.

uuid

Universally Unique Identifier (UUID; automatically assigned but can be manually reset).

uuid

Not Specified

00000000-0000-0000-0000-000000000000

weblogic-server

Enable to add an HTTP header to indicate SSL offloading for a WebLogic server.

option

-

disable

Option

Description

disable

Do not add HTTP header indicating SSL offload for WebLogic server.

enable

Add HTTP header indicating SSL offload for WebLogic server.

websphere-server

Enable to add an HTTP header to indicate SSL offloading for a WebSphere server.

option

-

disable

Option

Description

disable

Do not add HTTP header indicating SSL offload for WebSphere server.

enable

Add HTTP header indicating SSL offload for WebSphere server.

config quic

Parameter

Description

Type

Size

Default

ack-delay-exponent

ACK delay exponent.

integer

Minimum value: 1 Maximum value: 20

3

active-connection-id-limit

Active connection ID limit.

integer

Minimum value: 1 Maximum value: 8

2

active-migration

Enable/disable active migration.

option

-

disable

Option

Description

enable

Enable active migration.

disable

Disable active migration.

grease-quic-bit

Enable/disable grease QUIC bit.

option

-

enable

Option

Description

enable

Enable grease QUIC bit.

disable

Disable grease QUIC bit.

max-ack-delay

Maximum ACK delay in milliseconds.

integer

Minimum value: 1 Maximum value: 16383

25

max-datagram-frame-size

Maximum datagram frame size in bytes.

integer

Minimum value: 1 Maximum value: 1500

1500

max-idle-timeout

Maximum idle timeout in milliseconds.

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes.

integer

Minimum value: 1200 Maximum value: 1500

1500

config realservers

Parameter

Description

Type

Size

Default

client-ip

Only clients in this IP range can connect to this real server.

user

Not Specified

healthcheck

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

vip

Option

Description

disable

Disable per server health check.

enable

Enable per server health check.

vip

Use health check defined in VIP.

holddown-interval

Time in seconds that the system waits before re-activating a previously down active server in the active-standby mode. This is to prevent any flapping issues.

integer

Minimum value: 30 Maximum value: 65535

300

http-host

HTTP server domain name in HTTP header.

string

Maximum length: 63

id

Real server ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

IP address of the real server.

user

Not Specified

max-connections

Maximum number of active connections that can be directed to the real server. When this limit is reached, sessions are sent to other real servers.

integer

Minimum value: 0 Maximum value: 2147483647

0

monitor <name>

Name of the health check monitor to use when polling to determine a virtual server's connectivity status.

Health monitor name.

string

Maximum length: 79

port

Port for communicating with the real server. Required if port forwarding is enabled.

integer

Minimum value: 1 Maximum value: 65535

0

status

Set the status of the real server to active so that it can accept traffic, or to standby or disabled so that no traffic is sent to it.

option

-

active

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disable.

translate-host

Enable/disable translation of hostname/IP from virtual server to real server.

option

-

enable

Option

Description

enable

Enable virtual hostname/IP translation.

disable

Disable virtual hostname/IP translation.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

1

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA. RC4 is cryptographically broken and its use in TLS is prohibited by RFC 7465; do not enable this suite.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA. 3DES has a 64-bit block size and is exposed to the Sweet32 birthday attack on long-lived connections; enable only if a legacy client requires it.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA. 3DES has a 64-bit block size and is exposed to the Sweet32 birthday attack on long-lived connections; enable only if a legacy client requires it.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA. 3DES has a 64-bit block size and is exposed to the Sweet32 birthday attack on long-lived connections; enable only if a legacy client requires it.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5. RC4 is cryptographically broken and its use in TLS is prohibited by RFC 7465, and MD5 is no longer an acceptable MAC hash; do not enable this suite.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA. RC4 is cryptographically broken and its use in TLS is prohibited by RFC 7465; do not enable this suite.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA. Single DES uses a 56-bit key and can be brute-forced; do not enable this suite.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA. Single DES uses a 56-bit key and can be brute-forced; do not enable this suite.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA. Single DES uses a 56-bit key and can be brute-forced; do not enable this suite.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

0

versions

SSL/TLS versions that the cipher suite can be used with. Note that the TLS 1.3 suites (TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256) are defined only for TLS 1.3, and the TLS-*-WITH-* suites are not negotiated under TLS 1.3, so listing a version here does not by itself make the suite usable with that version.

option

-

ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option

Description

ssl-3.0

SSL 3.0. Deprecated and prohibited for use by RFC 7568 (POODLE); do not enable.

tls-1.0

TLS 1.0. Deprecated by RFC 8996; enable only for legacy clients that cannot negotiate TLS 1.2 or later.

tls-1.1

TLS 1.1. Deprecated by RFC 8996; enable only for legacy clients that cannot negotiate TLS 1.2 or later.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config ssl-server-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA. RC4 is cryptographically broken and its use in TLS is prohibited by RFC 7465; do not enable this suite.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA. 3DES has a 64-bit block size and is exposed to the Sweet32 birthday attack on long-lived connections; enable only if a legacy client requires it.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA. 3DES has a 64-bit block size and is exposed to the Sweet32 birthday attack on long-lived connections; enable only if a legacy client requires it.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA. 3DES has a 64-bit block size and is exposed to the Sweet32 birthday attack on long-lived connections; enable only if a legacy client requires it.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5. RC4 is cryptographically broken and its use in TLS is prohibited by RFC 7465, and MD5 is no longer an acceptable MAC hash; do not enable this suite.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA. RC4 is cryptographically broken and its use in TLS is prohibited by RFC 7465; do not enable this suite.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA. Single DES uses a 56-bit key and can be brute-forced; do not enable this suite.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA. Single DES uses a 56-bit key and can be brute-forced; do not enable this suite.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA. Single DES uses a 56-bit key and can be brute-forced; do not enable this suite.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

0

versions

SSL/TLS versions that the cipher suite can be used with. Note that the TLS 1.3 suites (TLS-AES-128-GCM-SHA256, TLS-AES-256-GCM-SHA384, TLS-CHACHA20-POLY1305-SHA256) are defined only for TLS 1.3, and the TLS-*-WITH-* suites are not negotiated under TLS 1.3, so listing a version here does not by itself make the suite usable with that version.

option

-

ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option

Description

ssl-3.0

SSL 3.0. Deprecated and prohibited for use by RFC 7568 (POODLE); do not enable.

tls-1.0

TLS 1.0. Deprecated by RFC 8996; enable only for legacy clients that cannot negotiate TLS 1.2 or later.

tls-1.1

TLS 1.1. Deprecated by RFC 8996; enable only for legacy clients that cannot negotiate TLS 1.2 or later.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.