Fortinet Document Library
CLI Reference

config load-balance real-server-ssl-profile

Use this command to configure real server profiles. A real server profile determines settings used in network communication on the FortiADC-server segment, in contrast to a virtual server profile, which determines the settings used in network communication on the client-FortiADC segment.

Table 12 provides a summary of the predefined profiles. You can select predefined profiles in the real server configuration, or you can create user-defined profiles.

Predefined real server profiles (Table 12)

Each profile is listed with its default allowed versions and cipher suite list.

LB_RS_SSL_PROF_DEFAULT
  • Allowed versions: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
  • Cipher suite list: custom

LB_RS_SSL_PROF_ECDSA
  • Allowed versions: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
  • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA

LB_RS_SSL_PROF_ECDSA_SSLV3
  • Allowed versions: SSLv3
  • Cipher suite list: ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA

LB_RS_SSL_PROF_ECDSA_TLS12
  • Allowed versions: TLSv1.2
  • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256

LB_RS_SSL_PROF_ENULL
  • Allowed versions: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
  • Cipher suite list: eNULL
  • Recommended for Microsoft Direct Access servers, where the application data is already encrypted and no further encryption is needed.

LB_RS_SSL_PROF_HIGH
  • Allowed versions: TLSv1.2
  • Cipher suite list: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 AES256-GCM-SHA384 AES256-SHA256

LB_RS_SSL_PROF_LOW_SSLV3
  • Allowed versions: SSLv3
  • Cipher suite list: DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA

LB_RS_SSL_PROF_MEDIUM
  • Allowed versions: TLSv1.0, TLSv1.1, and TLSv1.2
  • Cipher suite list: ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA

LB_RS_SSL_PROF_NONE
  • SSL is disabled.

Before you begin:

  • You must have read-write permission for load balance settings.

Syntax

config load-balance real-server-ssl-profile
  edit <name>
    set ssl {enable|disable}
    set allow-ssl-versions {sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3}
    set server-cert-verify <datasource>
    set ssl-ciphers {ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL}
    set ssl-customize-ciphers-flag {enable|disable}
    set ssl-customized-ciphers <string>
    set ssl-session-reuse {enable|disable}
    set ssl-session-reuse-limit <integer>
    set ssl-sni-forward {enable|disable}
    set ssl-tls-ticket-reuse {enable|disable}
  next
end

ssl

Enable/disable SSL for the connection between the FortiADC and the real server.

allow-ssl-versions

Specify a space-separated list of allowed SSL versions.

server-cert-verify

Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and can include OCSP and CRL checks.

ssl-ciphers

Specify a space-separated, ordered list of supported SSL ciphers.

ssl-customize-ciphers-flag

Enable/disable use of user-specified cipher suites.

ssl-customized-ciphers

If ssl-customize-ciphers-flag is enabled, specify a colon-separated, ordered list of cipher suites.

An empty string is allowed. If the string is empty, the default cipher suite list is used.

ssl-session-reuse

Enable/disable SSL session reuse.

ssl-session-reuse-limit

The default is 0 (disabled). The valid range is 0-1048576.

ssl-sni-forward

Enable/disable forwarding the client SNI value to the server. The SNI value will be forwarded to the real server only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded.

ssl-tls-ticket-reuse

Enable/disable TLS ticket-based session reuse.

server-OCSP-stapling-support

Enable/disable OCSP stapling for the real server. The default is disable.

Note: This setting takes effect only when server certificate verification (server-cert-verify) is enabled.

Example

FortiADC-VM # config load-balance real-server-ssl-profile
FortiADC-VM (real-server-ss~-) # get
== [ LB_RS_SSL_PROF_NONE ]
== [ LB_RS_SSL_PROF_LOW_SSLV2 ]
== [ LB_RS_SSL_PROF_LOW_SSLV3 ]
== [ LB_RS_SSL_PROF_MEDIUM ]
== [ LB_RS_SSL_PROF_HIGH ]
== [ LB_RS_SSL_PROF_ECDSA ]
== [ LB_RS_SSL_PROF_ECDSA_SSLV3 ]
== [ LB_RS_SSL_PROF_ECDSA_TLS12 ]
== [ LB_RS_SSL_PROF_ENULL ]
== [ LB_RS_SSL_PROF_DEFAULT ]
FortiADC-VM (real-server-ss~-) # edit RS-SSL-PROFILE-USER-DEFINED
Add new entry 'RS-SSL-PROFILE-USER-DEFINED' for node 3862
FortiADC-VM (RS-SSL-PROFILE~U) # set ssl enable
FortiADC-VM (RS-SSL-PROFILE~U) # get
ssl : enable
server-cert-verify :
ssl-sni-forward : disable
ssl-session-reuse : disable
ssl-customize-ciphers-flag : disable
ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
FortiADC-VM (RS-SSL-PROFILE~U) # set ssl-session-reuse enable
FortiADC-VM (RS-SSL-PROFILE~U) # set allow-ssl-versions tlsv1.2
FortiADC-VM (RS-SSL-PROFILE~U) # end
FortiADC-VM #
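As an added example (not Fortinet's code), the following Python script parses the `key : value` lines that `get` prints for a profile, as in the session above, and flags the settings a reviewer would question before the profile goes live: an empty server-cert-verify, legacy versions in allow-ssl-versions, and RC4, DES, MD5 or NULL cipher suites in whichever cipher list is in force. The sample `get` output is constructed, with a shortened cipher list.

```python
import re

LEGACY_VERSIONS = {"sslv3", "tlsv1.0", "tlsv1.1"}
# Substrings that identify weak or null cipher suites in OpenSSL-style names.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC", "NULL", "MD5")

# Constructed sample modelled on the `get` output shown on this page (cipher list shortened).
SAMPLE_GET_OUTPUT = """\
ssl : enable
server-cert-verify :
ssl-sni-forward : disable
ssl-session-reuse : disable
ssl-customize-ciphers-flag : disable
ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 AES256-SHA RC4-SHA RC4-MD5 DES-CBC-SHA
allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2
"""

def parse_get_output(text):
    """Turn `key : value` lines into a dict; an empty value becomes ''."""
    profile = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            profile[m.group(1)] = m.group(2)
    return profile

def audit_profile(profile):
    """Return a list of findings for one real-server SSL profile ([] if clean)."""
    if profile.get("ssl", "disable") != "enable":
        return ["ssl is disabled: FortiADC-to-server traffic is cleartext"]
    findings = []
    if not profile.get("server-cert-verify"):
        findings.append("server-cert-verify is empty: the real server certificate is not validated")
    legacy = sorted(set(profile.get("allow-ssl-versions", "").split()) & LEGACY_VERSIONS)
    if legacy:
        findings.append("legacy protocol versions allowed: " + " ".join(legacy))
    # With the customize flag on, the colon-separated custom list is what applies.
    if profile.get("ssl-customize-ciphers-flag") == "enable":
        ciphers = profile.get("ssl-customized-ciphers", "").split(":")
    else:
        ciphers = profile.get("ssl-ciphers", "").split()
    weak = [c for c in ciphers if any(k in c.upper() for k in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suites enabled: " + " ".join(weak))
    return findings

if __name__ == "__main__":
    for finding in audit_profile(parse_get_output(SAMPLE_GET_OUTPUT)):
        print("FINDING:", finding)
```

Running it against the session above would report the same three findings; after `set allow-ssl-versions tlsv1.2` and a configured server-cert-verify, only the weak cipher suites in the default list remain to be addressed.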
