Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    7.6.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config ztna traffic-forward-proxy

    config ztna traffic-forward-proxy

    Configure ZTNA traffic forward proxy.

    config ztna traffic-forward-proxy
    Description: Configure ZTNA traffic forward proxy.
    edit <name>
        set auth-portal [disable|enable]
        set client-cert [disable|enable]
        set comment {var-string}
        set empty-cert-action [accept|block|...]
        set h3-support [enable|disable]
        set interface {string}
        set log-blocked-traffic [enable|disable]
        set port {user}
        config quic
            Description: QUIC setting.
            set ack-delay-exponent {integer}
            set active-connection-id-limit {integer}
            set active-migration [enable|disable]
            set grease-quic-bit [enable|disable]
            set max-ack-delay {integer}
            set max-datagram-frame-size {integer}
            set max-idle-timeout {integer}
            set max-udp-payload-size {integer}
        end
        set ssl-accept-ffdhe-groups [enable|disable]
        set ssl-algorithm [high|medium|...]
        set ssl-certificate <name1>, <name2>, ...
        config ssl-cipher-suites
            Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-client-fallback [disable|enable]
        set ssl-client-rekey-count {integer}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-client-session-state-max {integer}
        set ssl-client-session-state-timeout {integer}
        set ssl-client-session-state-type [disable|time|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-hpkp [disable|enable|...]
        set ssl-hpkp-age {integer}
        set ssl-hpkp-backup {string}
        set ssl-hpkp-include-subdomains [disable|enable]
        set ssl-hpkp-primary {string}
        set ssl-hpkp-report-uri {var-string}
        set ssl-hsts [disable|enable]
        set ssl-hsts-age {integer}
        set ssl-hsts-include-subdomains [disable|enable]
        set ssl-http-location-conversion [enable|disable]
        set ssl-http-match-host [enable|disable]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-mode [half|full]
        set ssl-pfs [require|deny|...]
        set ssl-send-empty-frags [enable|disable]
        set ssl-server-algorithm [high|medium|...]
        config ssl-server-cipher-suites
            Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-server-max-version [ssl-3.0|tls-1.0|...]
        set ssl-server-min-version [ssl-3.0|tls-1.0|...]
        set ssl-server-renegotiation [enable|disable]
        set ssl-server-session-state-max {integer}
        set ssl-server-session-state-timeout {integer}
        set ssl-server-session-state-type [disable|time|...]
        set status [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-server-max-concurrent-request {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-ttl {integer}
        set user-agent-detect [disable|enable]
    next
end

    config ztna traffic-forward-proxy

    Parameter

    Description

    Type

    Size

    Default

    auth-portal

    Enable/disable authentication portal.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication portal.

    enable

    Enable authentication portal.

    client-cert

    Enable/disable to request client certificate.

    option

    -

    enable

    Option

    Description

    disable

    Disable client certificate request.

    enable

    Enable client certificate request.

    comment

    Comment.

    var-string

    Maximum length: 255

    empty-cert-action

    Action of an empty client certificate.

    option

    -

    block

    Option

    Description

    accept

    Accept the SSL handshake if the client certificate is empty.

    block

    Block the SSL handshake if the client certificate is empty.

    accept-unmanageable

    Accept the SSL handshake only if the end-point is unmanageable.

    h3-support

    Enable/disable HTTP3/QUIC support.

    option

    -

    disable

    Option

    Description

    enable

    Enable HTTP3/QUIC support.

    disable

    Disable HTTP3/QUIC support.

    interface

    interface name

    string

    Maximum length: 15

    log-blocked-traffic

    Enable/disable logging of blocked traffic.

    option

    -

    enable

    Option

    Description

    enable

    Log all traffic denied by this access proxy.

    disable

    Do not log all traffic denied by this access proxy.

    name

    Traffic forward proxy name

    string

    Maximum length: 79

    port

    Accept incoming traffic on one or more ports.

    user

    Not Specified

    ssl-accept-ffdhe-groups

    Enable/disable FFDHE cipher suite for SSL key exchange.

    option

    -

    enable

    Option

    Description

    enable

    Accept FFDHE groups.

    disable

    Do not accept FFDHE groups.

    ssl-algorithm

    Permitted encryption algorithms for SSL sessions according to encryption strength.

    option

    -

    high

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    custom

    Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

    ssl-certificate <name>

    Name of the certificate to use for SSL handshake.

    Certificate list.

    string

    Maximum length: 79

    ssl-client-fallback

    Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).

    option

    -

    enable

    Option

    Description

    disable

    Disable.

    enable

    Enable.

    ssl-client-rekey-count

    Maximum length of data in MB before triggering a client rekey (0 = disable).

    integer

    Minimum value: 200 Maximum value: 1048576

    0

    ssl-client-renegotiation

    Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.

    option

    -

    secure

    Option

    Description

    allow

    Allow a SSL client to renegotiate.

    deny

    Abort any client initiated SSL re-negotiation attempt.

    secure

    Abort any client initiated SSL re-negotiation attempt that does not use RFC 5746 Secure Renegotiation.

    ssl-client-session-state-max

    Maximum number of client to FortiProxy SSL session states to keep.

    integer

    Minimum value: 1 Maximum value: 10000

    1000

    ssl-client-session-state-timeout

    Number of minutes to keep client to FortiProxy SSL session state.

    integer

    Minimum value: 1 Maximum value: 14400

    30

    ssl-client-session-state-type

    How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

    option

    -

    both

    Option

    Description

    disable

    Do not keep session states.

    time

    Expire session states after this many minutes.

    count

    Expire session states when this maximum is reached.

    both

    Expire session states based on time or count, whichever occurs first.

    ssl-dh-bits

    Bit-size of Diffie-Hellman.

    option

    -

    2048

    Option

    Description

    768

    768-bit Diffie-Hellman prime.

    1024

    1024-bit Diffie-Hellman prime.

    1536

    1536-bit Diffie-Hellman prime.

    2048

    2048-bit Diffie-Hellman prime.

    3072

    3072-bit Diffie-Hellman prime.

    4096

    4096-bit Diffie-Hellman prime.

    ssl-hpkp

    Enable/disable including HPKP header in response.

    option

    -

    disable

    Option

    Description

    disable

    Do not add a HPKP header to each HTTP response.

    enable

    Add a HPKP header to each a HTTP response.

    report-only

    Add a HPKP Report-Only header to each HTTP response.

    ssl-hpkp-age

    Number of seconds the client should honor the HPKP setting.

    integer

    Minimum value: 60 Maximum value: 157680000

    5184000

    ssl-hpkp-backup

    Certificate to generate backup HPKP pin from.

    string

    Maximum length: 79

    ssl-hpkp-include-subdomains

    Indicate that HPKP header applies to all subdomains.

    option

    -

    disable

    Option

    Description

    disable

    HPKP header does not apply to subdomains.

    enable

    HPKP header applies to subdomains.

    ssl-hpkp-primary

    Certificate to generate primary HPKP pin from.

    string

    Maximum length: 79

    ssl-hpkp-report-uri

    URL to report HPKP violations to.

    var-string

    Maximum length: 255

    ssl-hsts

    Enable/disable including HSTS header in response.

    option

    -

    disable

    Option

    Description

    disable

    Do not add a HSTS header to each a HTTP response.

    enable

    Add a HSTS header to each HTTP response.

    ssl-hsts-age

    Number of seconds the client should honor the HSTS setting.

    integer

    Minimum value: 60 Maximum value: 157680000

    5184000

    ssl-hsts-include-subdomains

    Indicate that HSTS header applies to all subdomains.

    option

    -

    disable

    Option

    Description

    disable

    HSTS header does not apply to subdomains.

    enable

    HSTS header applies to subdomains.

    ssl-http-location-conversion

    Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.

    option

    -

    disable

    Option

    Description

    enable

    Enable HTTP location conversion.

    disable

    Disable HTTP location conversion.

    ssl-http-match-host

    Enable/disable HTTP host matching for location conversion.

    option

    -

    enable

    Option

    Description

    enable

    Match HTTP host in response header.

    disable

    Do not match HTTP host.

    ssl-max-version

    Highest SSL/TLS version acceptable from a client.

    option

    -

    tls-1.3

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-min-version

    Lowest SSL/TLS version acceptable from a client.

    option

    -

    tls-1.1

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-mode

    Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).

    option

    -

    half

    Option

    Description

    half

    Client to FortiProxy SSL.

    full

    Client to FortiProxy and FortiProxy to Server SSL.

    ssl-pfs

    Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

    option

    -

    require

    Option

    Description

    require

    Allow only Diffie-Hellman cipher-suites, so PFS is applied.

    deny

    Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

    allow

    Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

    ssl-send-empty-frags

    Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.

    option

    -

    enable

    Option

    Description

    enable

    Send empty fragments.

    disable

    Do not send empty fragments.

    ssl-server-algorithm

    Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

    option

    -

    client

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    custom

    Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.

    client

    Use the same encryption algorithms for both client and server sessions.

    ssl-server-max-version

    Highest SSL/TLS version acceptable from a server. Use the client setting by default.

    option

    -

    client

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    client

    Use same value as client configuration.

    ssl-server-min-version

    Lowest SSL/TLS version acceptable from a server. Use the client setting by default.

    option

    -

    client

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    client

    Use same value as client configuration.

    ssl-server-renegotiation

    Enable/disable secure renegotiation to comply with RFC 5746.

    option

    -

    enable

    Option

    Description

    enable

    Enable secure renegotiation.

    disable

    Disable secure renegotiation.

    ssl-server-session-state-max

    Maximum number of FortiGate to Server SSL session states to keep.

    integer

    Minimum value: 1 Maximum value: 10000

    100

    ssl-server-session-state-timeout

    Number of minutes to keep FortiGate to Server SSL session state.

    integer

    Minimum value: 1 Maximum value: 14400

    60

    ssl-server-session-state-type

    How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

    option

    -

    both

    Option

    Description

    disable

    Do not keep session states.

    time

    Expire session states after this many minutes.

    count

    Expire session states when this maximum is reached.

    both

    Expire session states based on time or count, whichever occurs first.

    status

    Enable/disable the traffic forward proxy for ZTNA traffic.

    option

    -

    disable

    Option

    Description

    enable

    Enable the ZTNA traffic forward proxy.

    disable

    Disable the ZTNA traffic forward proxy.

    svr-pool-multiplex

    Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway.

    option

    -

    enable

    Option

    Description

    enable

    Enable server pool multiplexing. Share connected server.

    disable

    Disable server pool multiplexing. Do not share connected server.

    svr-pool-server-max-concurrent-request

    Maximum number of concurrent requests that servers in server pool could handle.

    integer

    Minimum value: 0 Maximum value: 2147483647

    0

    svr-pool-server-max-request

    Maximum number of requests that servers in server pool handle before disconnecting.

    integer

    Minimum value: 0 Maximum value: 2147483647

    0

    svr-pool-ttl

    Time-to-live in the server pool for idle connections to servers.

    integer

    Minimum value: 0 Maximum value: 2147483647

    15

    user-agent-detect

    Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

    option

    -

    enable

    Option

    Description

    disable

    Disable to detect unknown device by HTTP user-agent if no client certificate provided.

    enable

    Enable to detect unknown device by HTTP user-agent if no client certificate provided.

    config quic

    Parameter

    Description

    Type

    Size

    Default

    ack-delay-exponent

    ACK delay exponent.

    integer

    Minimum value: 1 Maximum value: 20

    3

    active-connection-id-limit

    Active connection ID limit.

    integer

    Minimum value: 1 Maximum value: 8

    2

    active-migration

    Enable/disable active migration.

    option

    -

    disable

    Option

    Description

    enable

    Enable active migration.

    disable

    Disable active migration.

    grease-quic-bit

    Enable/disable grease QUIC bit.

    option

    -

    enable

    Option

    Description

    enable

    Enable grease QUIC bit.

    disable

    Disable grease QUIC bit.

    max-ack-delay

    Maximum ACK delay in milliseconds.

    integer

    Minimum value: 1 Maximum value: 16383

    25

    max-datagram-frame-size

    Maximum datagram frame size in bytes.

    integer

    Minimum value: 1 Maximum value: 1500

    1500

    max-idle-timeout

    Maximum idle timeout milliseconds.

    integer

    Minimum value: 1 Maximum value: 60000

    30000

    max-udp-payload-size

    Maximum UDP payload size in bytes.

    integer

    Minimum value: 1200 Maximum value: 1500

    1500

    config ssl-cipher-suites

    Parameter

    Description

    Type

    Size

    Default

    cipher

    Cipher suite name.

    option

    -

    Option

    Description

    TLS-AES-128-GCM-SHA256

    Cipher suite TLS-AES-128-GCM-SHA256.

    TLS-AES-256-GCM-SHA384

    Cipher suite TLS-AES-256-GCM-SHA384.

    TLS-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

    TLS-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

    TLS-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

    TLS-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

    TLS-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

    TLS-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

    TLS-DHE-DSS-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

    TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

    TLS-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

    TLS-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

    TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

    TLS-ECDHE-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-RC4-128-MD5

    Cipher suite TLS-RSA-WITH-RC4-128-MD5.

    TLS-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-RSA-WITH-RC4-128-SHA.

    TLS-DHE-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

    TLS-DHE-DSS-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

    TLS-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

    priority

    SSL/TLS cipher suites priority.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    versions

    SSL/TLS versions that the cipher suite can be used with.

    option

    -

    ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    config ssl-server-cipher-suites

    Parameter

    Description

    Type

    Size

    Default

    cipher

    Cipher suite name.

    option

    -

    Option

    Description

    TLS-AES-128-GCM-SHA256

    Cipher suite TLS-AES-128-GCM-SHA256.

    TLS-AES-256-GCM-SHA384

    Cipher suite TLS-AES-256-GCM-SHA384.

    TLS-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

    TLS-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

    TLS-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

    TLS-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

    TLS-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

    TLS-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

    TLS-DHE-DSS-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

    TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

    TLS-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

    TLS-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

    TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

    TLS-ECDHE-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-RC4-128-MD5

    Cipher suite TLS-RSA-WITH-RC4-128-MD5.

    TLS-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-RSA-WITH-RC4-128-SHA.

    TLS-DHE-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

    TLS-DHE-DSS-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

    TLS-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

    priority

    SSL/TLS cipher suites priority.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    versions

    SSL/TLS versions that the cipher suite can be used with.

    option

    -

    ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.
    Previous
    Next

    config ztna traffic-forward-proxy

    config ztna traffic-forward-proxy

    Configure ZTNA traffic forward proxy.

    config ztna traffic-forward-proxy
    Description: Configure ZTNA traffic forward proxy.
    edit <name>
        set auth-portal [disable|enable]
        set client-cert [disable|enable]
        set comment {var-string}
        set empty-cert-action [accept|block|...]
        set h3-support [enable|disable]
        set interface {string}
        set log-blocked-traffic [enable|disable]
        set port {user}
        config quic
            Description: QUIC setting.
            set ack-delay-exponent {integer}
            set active-connection-id-limit {integer}
            set active-migration [enable|disable]
            set grease-quic-bit [enable|disable]
            set max-ack-delay {integer}
            set max-datagram-frame-size {integer}
            set max-idle-timeout {integer}
            set max-udp-payload-size {integer}
        end
        set ssl-accept-ffdhe-groups [enable|disable]
        set ssl-algorithm [high|medium|...]
        set ssl-certificate <name1>, <name2>, ...
        config ssl-cipher-suites
            Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-client-fallback [disable|enable]
        set ssl-client-rekey-count {integer}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-client-session-state-max {integer}
        set ssl-client-session-state-timeout {integer}
        set ssl-client-session-state-type [disable|time|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-hpkp [disable|enable|...]
        set ssl-hpkp-age {integer}
        set ssl-hpkp-backup {string}
        set ssl-hpkp-include-subdomains [disable|enable]
        set ssl-hpkp-primary {string}
        set ssl-hpkp-report-uri {var-string}
        set ssl-hsts [disable|enable]
        set ssl-hsts-age {integer}
        set ssl-hsts-include-subdomains [disable|enable]
        set ssl-http-location-conversion [enable|disable]
        set ssl-http-match-host [enable|disable]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-mode [half|full]
        set ssl-pfs [require|deny|...]
        set ssl-send-empty-frags [enable|disable]
        set ssl-server-algorithm [high|medium|...]
        config ssl-server-cipher-suites
            Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-server-max-version [ssl-3.0|tls-1.0|...]
        set ssl-server-min-version [ssl-3.0|tls-1.0|...]
        set ssl-server-renegotiation [enable|disable]
        set ssl-server-session-state-max {integer}
        set ssl-server-session-state-timeout {integer}
        set ssl-server-session-state-type [disable|time|...]
        set status [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-server-max-concurrent-request {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-ttl {integer}
        set user-agent-detect [disable|enable]
    next
end

    config ztna traffic-forward-proxy

    Parameter

    Description

    Type

    Size

    Default

    auth-portal

    Enable/disable authentication portal.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication portal.

    enable

    Enable authentication portal.

    client-cert

    Enable/disable to request client certificate.

    option

    -

    enable

    Option

    Description

    disable

    Disable client certificate request.

    enable

    Enable client certificate request.

    comment

    Comment.

    var-string

    Maximum length: 255

    empty-cert-action

    Action of an empty client certificate.

    option

    -

    block

    Option

    Description

    accept

    Accept the SSL handshake if the client certificate is empty.

    block

    Block the SSL handshake if the client certificate is empty.

    accept-unmanageable

    Accept the SSL handshake only if the end-point is unmanageable.

    h3-support

    Enable/disable HTTP3/QUIC support.

    option

    -

    disable

    Option

    Description

    enable

    Enable HTTP3/QUIC support.

    disable

    Disable HTTP3/QUIC support.

    interface

    interface name

    string

    Maximum length: 15

    log-blocked-traffic

    Enable/disable logging of blocked traffic.

    option

    -

    enable

    Option

    Description

    enable

    Log all traffic denied by this access proxy.

    disable

    Do not log all traffic denied by this access proxy.

    name

    Traffic forward proxy name

    string

    Maximum length: 79

    port

    Accept incoming traffic on one or more ports.

    user

    Not Specified

    ssl-accept-ffdhe-groups

    Enable/disable FFDHE cipher suite for SSL key exchange.

    option

    -

    enable

    Option

    Description

    enable

    Accept FFDHE groups.

    disable

    Do not accept FFDHE groups.

    ssl-algorithm

    Permitted encryption algorithms for SSL sessions according to encryption strength.

    option

    -

    high

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    custom

    Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

    ssl-certificate <name>

    Name of the certificate to use for SSL handshake.

    Certificate list.

    string

    Maximum length: 79

    ssl-client-fallback

    Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).

    option

    -

    enable

    Option

    Description

    disable

    Disable.

    enable

    Enable.

    ssl-client-rekey-count

    Maximum length of data in MB before triggering a client rekey (0 = disable).

    integer

    Minimum value: 200 Maximum value: 1048576

    0

    ssl-client-renegotiation

    Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.

    option

    -

    secure

    Option

    Description

    allow

    Allow a SSL client to renegotiate.

    deny

    Abort any client initiated SSL re-negotiation attempt.

    secure

    Abort any client initiated SSL re-negotiation attempt that does not use RFC 5746 Secure Renegotiation.

    ssl-client-session-state-max

    Maximum number of client to FortiProxy SSL session states to keep.

    integer

    Minimum value: 1 Maximum value: 10000

    1000

    ssl-client-session-state-timeout

    Number of minutes to keep client to FortiProxy SSL session state.

    integer

    Minimum value: 1 Maximum value: 14400

    30

    ssl-client-session-state-type

    How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

    option

    -

    both

    Option

    Description

    disable

    Do not keep session states.

    time

    Expire session states after this many minutes.

    count

    Expire session states when this maximum is reached.

    both

    Expire session states based on time or count, whichever occurs first.

    ssl-dh-bits

    Bit-size of Diffie-Hellman.

    option

    -

    2048

    Option

    Description

    768

    768-bit Diffie-Hellman prime.

    1024

    1024-bit Diffie-Hellman prime.

    1536

    1536-bit Diffie-Hellman prime.

    2048

    2048-bit Diffie-Hellman prime.

    3072

    3072-bit Diffie-Hellman prime.

    4096

    4096-bit Diffie-Hellman prime.

    ssl-hpkp

    Enable/disable including HPKP header in response.

    option

    -

    disable

    Option

    Description

    disable

    Do not add a HPKP header to each HTTP response.

    enable

    Add a HPKP header to each a HTTP response.

    report-only

    Add a HPKP Report-Only header to each HTTP response.

    ssl-hpkp-age

    Number of seconds the client should honor the HPKP setting.

    integer

    Minimum value: 60 Maximum value: 157680000

    5184000

    ssl-hpkp-backup

    Certificate to generate backup HPKP pin from.

    string

    Maximum length: 79

    ssl-hpkp-include-subdomains

    Indicate that HPKP header applies to all subdomains.

    option

    -

    disable

    Option

    Description

    disable

    HPKP header does not apply to subdomains.

    enable

    HPKP header applies to subdomains.

    ssl-hpkp-primary

    Certificate to generate primary HPKP pin from.

    string

    Maximum length: 79

    ssl-hpkp-report-uri

    URL to report HPKP violations to.

    var-string

    Maximum length: 255

    ssl-hsts

    Enable/disable including HSTS header in response.

    option

    -

    disable

    Option

    Description

    disable

    Do not add a HSTS header to each a HTTP response.

    enable

    Add a HSTS header to each HTTP response.

    ssl-hsts-age

    Number of seconds the client should honor the HSTS setting.

    integer

    Minimum value: 60 Maximum value: 157680000

    5184000

    ssl-hsts-include-subdomains

    Indicate that HSTS header applies to all subdomains.

    option

    -

    disable

    Option

    Description

    disable

    HSTS header does not apply to subdomains.

    enable

    HSTS header applies to subdomains.

    ssl-http-location-conversion

    Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.

    option

    -

    disable

    Option

    Description

    enable

    Enable HTTP location conversion.

    disable

    Disable HTTP location conversion.

    ssl-http-match-host

    Enable/disable HTTP host matching for location conversion.

    option

    -

    enable

    Option

    Description

    enable

    Match HTTP host in response header.

    disable

    Do not match HTTP host.

    ssl-max-version

    Highest SSL/TLS version acceptable from a client.

    option

    -

    tls-1.3

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-min-version

    Lowest SSL/TLS version acceptable from a client.

    option

    -

    tls-1.1

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-mode

    Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).

    option

    -

    half

    Option

    Description

    half

    Client to FortiProxy SSL.

    full

    Client to FortiProxy and FortiProxy to Server SSL.

    ssl-pfs

    Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

    option

    -

    require

    Option

    Description

    require

    Allow only Diffie-Hellman cipher-suites, so PFS is applied.

    deny

    Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.

    allow

    Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

    ssl-send-empty-frags

    Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.

    option

    -

    enable

    Option

    Description

    enable

    Send empty fragments.

    disable

    Do not send empty fragments.

    ssl-server-algorithm

    Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

    option

    -

    client

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    custom

    Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.

    client

    Use the same encryption algorithms for both client and server sessions.

    ssl-server-max-version

    Highest SSL/TLS version acceptable from a server. Use the client setting by default.

    option

    -

    client

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    client

    Use same value as client configuration.

    ssl-server-min-version

    Lowest SSL/TLS version acceptable from a server. Use the client setting by default.

    option

    -

    client

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    client

    Use same value as client configuration.

    ssl-server-renegotiation

    Enable/disable secure renegotiation to comply with RFC 5746.

    option

    -

    enable

    Option

    Description

    enable

    Enable secure renegotiation.

    disable

    Disable secure renegotiation.

    ssl-server-session-state-max

    Maximum number of FortiGate to Server SSL session states to keep.

    integer

    Minimum value: 1 Maximum value: 10000

    100

    ssl-server-session-state-timeout

    Number of minutes to keep FortiGate to Server SSL session state.

    integer

    Minimum value: 1 Maximum value: 14400

    60

    ssl-server-session-state-type

    How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

    option

    -

    both

    Option

    Description

    disable

    Do not keep session states.

    time

    Expire session states after this many minutes.

    count

    Expire session states when this maximum is reached.

    both

    Expire session states based on time or count, whichever occurs first.

    status

    Enable/disable the traffic forward proxy for ZTNA traffic.

    option

    -

    disable

    Option

    Description

    enable

    Enable the ZTNA traffic forward proxy.

    disable

    Disable the ZTNA traffic forward proxy.

    svr-pool-multiplex

    Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway.

    option

    -

    enable

    Option

    Description

    enable

    Enable server pool multiplexing. Share connected server.

    disable

    Disable server pool multiplexing. Do not share connected server.

    svr-pool-server-max-concurrent-request

    Maximum number of concurrent requests that servers in server pool could handle.

    integer

    Minimum value: 0 Maximum value: 2147483647

    0

    svr-pool-server-max-request

    Maximum number of requests that servers in server pool handle before disconnecting.

    integer

    Minimum value: 0 Maximum value: 2147483647

    0

    svr-pool-ttl

    Time-to-live in the server pool for idle connections to servers.

    integer

    Minimum value: 0 Maximum value: 2147483647

    15

    user-agent-detect

    Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

    option

    -

    enable

    Option

    Description

    disable

    Disable to detect unknown device by HTTP user-agent if no client certificate provided.

    enable

    Enable to detect unknown device by HTTP user-agent if no client certificate provided.

    config quic

    Parameter

    Description

    Type

    Size

    Default

    ack-delay-exponent

    ACK delay exponent.

    integer

    Minimum value: 1 Maximum value: 20

    3

    active-connection-id-limit

    Active connection ID limit.

    integer

    Minimum value: 1 Maximum value: 8

    2

    active-migration

    Enable/disable active migration.

    option

    -

    disable

    Option

    Description

    enable

    Enable active migration.

    disable

    Disable active migration.

    grease-quic-bit

    Enable/disable grease QUIC bit.

    option

    -

    enable

    Option

    Description

    enable

    Enable grease QUIC bit.

    disable

    Disable grease QUIC bit.

    max-ack-delay

    Maximum ACK delay in milliseconds.

    integer

    Minimum value: 1 Maximum value: 16383

    25

    max-datagram-frame-size

    Maximum datagram frame size in bytes.

    integer

    Minimum value: 1 Maximum value: 1500

    1500

    max-idle-timeout

    Maximum idle timeout milliseconds.

    integer

    Minimum value: 1 Maximum value: 60000

    30000

    max-udp-payload-size

    Maximum UDP payload size in bytes.

    integer

    Minimum value: 1200 Maximum value: 1500

    1500

    config ssl-cipher-suites

    Parameter

    Description

    Type

    Size

    Default

    cipher

    Cipher suite name.

    option

    -

    Option

    Description

    TLS-AES-128-GCM-SHA256

    Cipher suite TLS-AES-128-GCM-SHA256.

    TLS-AES-256-GCM-SHA384

    Cipher suite TLS-AES-256-GCM-SHA384.

    TLS-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

    TLS-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

    TLS-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

    TLS-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

    TLS-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

    TLS-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

    TLS-DHE-DSS-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

    TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

    TLS-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

    TLS-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

    TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

    TLS-ECDHE-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-RC4-128-MD5

    Cipher suite TLS-RSA-WITH-RC4-128-MD5.

    TLS-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-RSA-WITH-RC4-128-SHA.

    TLS-DHE-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

    TLS-DHE-DSS-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

    TLS-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

    priority

    SSL/TLS cipher suites priority.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    versions

    SSL/TLS versions that the cipher suite can be used with.

    option

    -

    ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    config ssl-server-cipher-suites

    Parameter

    Description

    Type

    Size

    Default

    cipher

    Cipher suite name.

    option

    -

    Option

    Description

    TLS-AES-128-GCM-SHA256

    Cipher suite TLS-AES-128-GCM-SHA256.

    TLS-AES-256-GCM-SHA384

    Cipher suite TLS-AES-256-GCM-SHA384.

    TLS-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

    TLS-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

    TLS-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

    TLS-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

    TLS-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

    TLS-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

    TLS-DHE-DSS-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

    TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

    TLS-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

    TLS-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

    TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

    TLS-ECDHE-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-RC4-128-MD5

    Cipher suite TLS-RSA-WITH-RC4-128-MD5.

    TLS-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-RSA-WITH-RC4-128-SHA.

    TLS-DHE-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

    TLS-DHE-DSS-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

    TLS-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

    priority

    SSL/TLS cipher suites priority.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    versions

    SSL/TLS versions that the cipher suite can be used with.

    option

    -

    ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

    Option

    Description

    ssl-3.0

    SSL 3.0.

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.
    Previous
    Next