Fortinet Document Library

CLI Reference

config load-balance client-ssl-profile

Use this command to configure SSL-type real servers using the client-ssl-profile.

Note: This command is related to "config load-balance certificate-caching".

Predefined profiles

LB_CLIENT_SSL_PROF_DEFAULT

This is the default client SSL load-balancing profile. It is a basic profile that can be used for all client SSL load-balancing scenarios.

Recommended SSL versions:

  • SSLv3
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3

LB_CLIENT_SSL_PROF_FORWARD_PROXY

This profile is used when the SSL Forward Proxy feature is enabled. It works in tandem with Forward Proxy Certificate Caching (LB_CERT_RAM_CACHING_DEFAULT) and Forward Proxy Local Signing CA (SSLPROXY_LOCAL_CA).

Recommended SSL versions:

  • SSLv3
  • TLSv1.0
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3

LB_CLIENT_SSL_PROF_HTTP2

This profile applies to the HTTP/2 protocol only.

Recommended SSL versions:

  • TLSv1.2
  • TLSv1.3

Syntax

config load-balance client-ssl-profile
    edit <name>
        set client-certificate-verify <verify_profile_name>
        set client-sni-required <enable/disable>
        set forward-proxy <enable/disable>
        set local-certificate-group <local_certificate_group_name>
        set ssl-allowed-versions <sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3>
        set ssl-ciphers <one or more ciphers>
        set ssl-customize-ciphers-flag <enable/disable>
        set forward-client-certificate <enable/disable>
        set forward-client-certificate-header <customized_header_name>
        set forward-proxy-certificate-caching <cache_name>
        set forward-proxy-local-signing-CA <local_ca>
        set forward-proxy-intermediate-ca-group <intermediate_ca>
        set backend-ssl-OCSP-stapling-support <enable/disable>
        set reject-ocsp-stapling-with-missing-nextupdate <enable/disable>
        set reject-revoked-unknown-ocsp-stapling <enable/disable>
        set ocsp-stapling-skew-time <integer>
        set ssl-auto-chain-flag <enable/disable>
        set client-certificate-verify-option <required/optional>
        set ssl-session-cache-flag <enable/disable>
        set use-tls-tickets <enable/disable>
        set renegotiation <enable/disable>
        set ssl-dynamic-record-sizing <enable/disable>
        set ssl-dh-param-size <1024bit/2048bit/4096bit>
    next
end

client-certificate-verify

Specify a certificate validation policy (a client-certificate-verify object).

client-sni-required

If enabled, clients are required to use the TLS server name indication (SNI) extension to include the server hostname in the TLS ClientHello message. This allows FortiADC to select the appropriate local server certificate to present to the client.

forward-proxy

Enable/disable SSL forward proxy.

local-certificate-group

Configure the local certificate group that includes the certificates the virtual server presents to SSL/TLS clients.

Note: This MUST be the backend server's certificate, NOT the appliance's GUI web server certificate.

ssl-allowed-versions

Specify the allowed SSL/TLS versions in a space-separated list.

ssl-ciphers

Specify the supported SSL ciphers in a space-separated list.

ssl-customize-ciphers-flag

Enable/disable the use of user-specified cipher suites.

forward-client-certificate

Enable/disable. If enabled, FortiADC sends the whole client certificate, Base64-encoded, in the specified HTTP header, which is either X-Client-Cert or a user-defined header.

forward-client-certificate-header

The default is X-Client-Cert, but you can customize it using this command.

forward-proxy-certificate-caching

Select the RAM cache used to store re-signed certificates.

forward-proxy-local-signing-CA

Set the CA used to sign the server certificate.

forward-proxy-intermediate-ca-group

Set the intermediate CA group used to sign the server certificate.

backend-ssl-sni-forward

Enable/disable forwarding the server's SNI to the real server.

backend-ssl-customize-ciphers-flag

Enable/disable customized ciphers used to connect to the real server.

backend-ssl-customized-ciphers

Set the cipher suite used to connect to the real server.

backend-allow-ssl-versions

Set the SSL/TLS versions allowed when connecting to the real server.

backend-ssl-OCSP-stapling-support

Enable or disable. Disabled by default.

Note: This parameter is available only when backend-certificate-verify is configured and forward-proxy is enabled.

reject-ocsp-stapling-with-missing-nextupdate

Enable or disable rejection of stapled OCSP responses that lack a nextUpdate time. Disabled by default.

Note: When disabled, FortiADC will accept OCSP responses without the next-update time. If enabled, FortiADC will reject OCSP responses without the next-update time.

reject-revoked-unknown-ocsp-stapling

Enable or disable rejection of stapled OCSP responses whose status is revoked or unknown. Enabled by default.

Note: When enabled, FortiADC will reject OCSP responses whose status is revoked or unknown.

ocsp-stapling-skew-time

The default is 0 (seconds). It is the clock skew FortiADC tolerates when checking the thisUpdate and nextUpdate times of a stapled OCSP response.
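
The three OCSP stapling settings above combine into one accept/reject decision. The following Python model is an added example, not FortiADC code; how ocsp-stapling-skew-time is applied to thisUpdate and nextUpdate is an assumption (a symmetric tolerance in seconds), and the sample responses are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


@dataclass
class StapledResponse:
    status: str                      # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]  # None when the responder omitted nextUpdate


@dataclass
class OcspSettings:
    # Defaults follow this page: reject-...-missing-nextupdate disable,
    # reject-revoked-unknown-ocsp-stapling enable, ocsp-stapling-skew-time 0.
    reject_missing_nextupdate: bool = False
    reject_revoked_unknown: bool = True
    skew_seconds: int = 0


def evaluate_stapled_ocsp(resp: StapledResponse, settings: OcspSettings,
                          now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for one stapled response under the settings."""
    skew = timedelta(seconds=settings.skew_seconds)  # assumed symmetric tolerance
    if settings.reject_revoked_unknown and resp.status in ("revoked", "unknown"):
        return False, f"status {resp.status} rejected"
    if resp.next_update is None:
        if settings.reject_missing_nextupdate:
            return False, "nextUpdate missing"
    elif now > resp.next_update + skew:
        return False, "response expired (nextUpdate passed)"
    if now + skew < resp.this_update:
        return False, "thisUpdate is in the future"
    return True, "accepted"


# Constructed samples: a response 30 minutes past its nextUpdate, one with no
# nextUpdate at all, and one whose status is unknown.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
STALE = StapledResponse("good", NOW - timedelta(hours=2), NOW - timedelta(minutes=30))
NO_NEXTUPDATE = StapledResponse("good", NOW - timedelta(hours=1), None)
UNKNOWN = StapledResponse("unknown", NOW - timedelta(hours=1), NOW + timedelta(hours=1))


def demo() -> Tuple[bool, bool]:
    """Stale response: rejected at skew 0, tolerated with a one-hour skew."""
    strict = evaluate_stapled_ocsp(STALE, OcspSettings(), NOW)[0]
    lenient = evaluate_stapled_ocsp(STALE, OcspSettings(skew_seconds=3600), NOW)[0]
    return strict, lenient
```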

ssl-auto-chain-flag

Enabled by default. When the certificate configured in this client-ssl-profile is used as the local certificate, and that local certificate was issued by the CA set in the Client Certificate Verify section, the ADC automatically forms a certificate chain and presents it to the client.

client-certificate-verify-option

Choose either of the following:

  • required: a client certificate is required and is verified during the handshake.
  • optional: the system works together with a script such as OPTIONAL_CLIENT_AUTHENTICATION. FortiADC accepts the SSL handshake for the initial transaction and then lets the script control the subsequent actions.

ssl-session-cache-flag

Enable to store SSL sessions in the session cache. This option is automatically disabled when client-certificate-verify-option is set to optional.

use-tls-tickets

Enable to allow session resumption with TLS session tickets. This option is automatically disabled when client-certificate-verify-option is set to optional.

renegotiation

Enable or disable SSL renegotiation from the client side.

Note: The feature is disabled by default.

ssl-dynamic-record-sizing

Allows ADC to dynamically adjust the size of TLS records based on the state of the connection, in order to prevent bottlenecks caused by the buffering of TLS record fragments.

Note: The feature is disabled by default.

ssl-dh-param-size

Specify the Diffie-Hellman public key length in bits. Default is 1024.

ssl-auto-chain-flag

Set it to disable to make the ADC present only the local certificate.

Note: If the CA configured in "Client Certificate Verify" is also the issuer of the configured local certificate, the ADC presents the chain certificates to the client. If that is not wanted, set ssl-auto-chain-flag to disable.

Default is enable.

Example 1: Create a new client SSL profile and reference it in the virtual server configuration

Step 1: Configure a client SSL profile

config load-balance client-ssl-profile
    edit "csp1"
        set ssl-customize-ciphers-flag disable
        set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
        set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
        set forward-proxy enable
        unset client-certificate-verify
        set forward-proxy-certificate-caching LB_CERT_RAM_CACHING_DEFAULT
        set forward-proxy-local-signing-CA SSLPROXY_LOCAL_CA
        unset forward-proxy-intermediate-ca-group
        unset backend-certificate-verify
        set backend-ssl-sni-forward enable
        set backend-ssl-customize-ciphers-flag enable
        set backend-ssl-customized-ciphers test
        set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
        set ssl-auto-chain-flag enable
    next
end

Step 2: Reference the client SSL profile in the virtual server configuration:

config load-balance virtual-server
    edit "https_vS1"
        set client-ssl-profile csp1
    next
end
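
A defender's first use of this reference is to audit existing profiles against it. The following Python script is an added example, not FortiADC code: it parses the config / edit / set / next / end text shown on this page and flags the legacy protocol versions, obsolete cipher suites and weak defaults the page documents. The sample it runs over is a constructed, shortened copy of the Example 1 profile.

```python
import re

WEAK_VERSIONS = {"sslv3", "tlsv1.0", "tlsv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")  # obsolete suite markers


def parse_profiles(cli_text):
    """Return {profile: {option: values}} from a config/edit/set/next/end block."""
    profiles, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            profiles[current] = {}
        elif current is not None and line.startswith("set "):
            _, name, *values = line.split()
            profiles[current][name] = values
        elif current is not None and line.startswith("unset "):
            profiles[current][line.split()[1]] = []  # unset = nothing configured
        elif line == "next":
            current = None
    return profiles


def audit_profile(name, opts):
    """Flag legacy versions, obsolete ciphers and weak defaults in one profile."""
    findings = []
    for key in ("ssl-allowed-versions", "backend-ssl-allowed-versions"):
        weak = sorted(WEAK_VERSIONS & set(opts.get(key, [])))
        if weak:
            findings.append(f"{name}: {key} allows {' '.join(weak)}")
    weak_ciphers = [c for c in opts.get("ssl-ciphers", [])
                    if any(mk in c for mk in WEAK_CIPHER_MARKERS)]
    if weak_ciphers:  # the list only takes effect when the customize flag is enabled
        state = ("active" if opts.get("ssl-customize-ciphers-flag") == ["enable"]
                 else "inactive: ssl-customize-ciphers-flag is disable")
        findings.append(f"{name}: ssl-ciphers lists {' '.join(weak_ciphers)} ({state})")
    if opts.get("renegotiation") == ["enable"]:  # page default: disable
        findings.append(f"{name}: client-initiated renegotiation is enabled")
    if opts.get("ssl-dh-param-size", ["1024bit"]) == ["1024bit"]:  # page default: 1024
        findings.append(f"{name}: ssl-dh-param-size is 1024bit")
    return findings


def audit_config(cli_text):
    return [f for n, o in parse_profiles(cli_text).items() for f in audit_profile(n, o)]


# Constructed sample: the Example 1 profile above, with the cipher list shortened.
SAMPLE = """config load-balance client-ssl-profile
    edit "csp1"
        set ssl-customize-ciphers-flag disable
        set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 AES128-SHA RC4-SHA RC4-MD5 DES-CBC-SHA
        set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
        unset client-certificate-verify
        set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
    next
end
"""
```

Paste the output of `show load-balance client-ssl-profile` in place of SAMPLE to audit a live configuration.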

Example 2: Create a certificate-caching object and reference it in the client SSL profile

config load-balance certificate-caching
    edit "1"
        set max-certificate-cache-size 100M
        set max-entries 10000
    next
end

config load-balance client-ssl-profile
    edit "test"
        set forward-proxy-certificate-caching 1
        set forward-proxy-local-signing-CA ca1
        set forward-proxy-intermediate-ca-group inter_group
        set backend-ssl-sni-forward enable
        set backend-ssl-customize-ciphers-flag disable
        set backend-ssl-ciphers DHE-RSA-AES256-SHA DES-CBC3-SHA
        set backend-allow-ssl-versions tlsv1.1 tlsv1.2
    next
end

When backend-ssl-customize-ciphers-flag is set to enable, the cipher string is given with backend-ssl-customized-ciphers instead, for example:

        set backend-ssl-customize-ciphers-flag enable
        set backend-ssl-customized-ciphers ECDHE-ECDSA-AES256-GCM-SHA384

Example 3: Create a client-certificate-verify object and reference it in the client SSL profile

This example references an existing client-certificate-verify object named verify:

config load-balance client-ssl-profile
    edit "csp1"
        set ssl-customize-ciphers-flag disable
        set ssl-ciphers DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA
        set ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
        set forward-proxy enable
        set forward-proxy-certificate-caching LB_CERT_RAM_CACHING_DEFAULT
        set forward-proxy-local-signing-CA SSLPROXY_LOCAL_CA
        unset forward-proxy-intermediate-ca-group
        set client-certificate-verify verify
        set client-certificate-verify-option required
        set ssl-session-cache-flag enable
        set use-tls-tickets enable
        set backend-ssl-sni-forward enable
        set backend-ssl-customize-ciphers-flag enable
        set backend-ssl-customized-ciphers test
        set backend-ssl-allowed-versions sslv3 tlsv1.0 tlsv1.1 tlsv1.2
        set ssl-auto-chain-flag enable
    next
end
