CLI Reference

config load-balance real-server-ssl-profile

Use this command to configure real server profiles. A real server profile determines settings used in network communication on the FortiADC-server segment, in contrast to a virtual server profile, which determines the settings used in network communication on the client-FortiADC segment.

Table 12 provides a summary of the predefined profiles. You can select predefined profiles in the real server configuration, or you can create user-defined profiles.

Predefined real server profiles

Profile / Defaults

LB_RS_SSL_PROF_DEFAULT
  • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
  • Cipher suite list: custom

LB_RS_SSL_PROF_ECDSA
  • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
  • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-RC4-SHA, ECDHE-ECDSA-DES-CBC3-SHA

LB_RS_SSL_PROF_ECDSA_SSLV3
  • Allow version: SSLv3
  • Cipher suite list: ECDHE-ECDSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-RC4-SHA, ECDHE-ECDSA-DES-CBC3-SHA

LB_RS_SSL_PROF_ECDSA_TLS12
  • Allow version: TLSv1.2
  • Cipher suite list: ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-SHA256

LB_RS_SSL_PROF_ENULL
  • Allow version: SSLv3, TLSv1.0, TLSv1.1, and TLSv1.2
  • Cipher suite list: eNull
  • Recommended for Microsoft Direct Access servers where the application data is already encrypted and no more encryption is needed.

LB_RS_SSL_PROF_HIGH
  • Allow version: TLSv1.2
  • Cipher suite list: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, AES256-GCM-SHA384, AES256-SHA256

LB_RS_SSL_PROF_LOW_SSLV3
  • Allow version: SSLv3
  • Cipher suite list: DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, ECDHE-RSA-RC4-SHA, RC4-MD5, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, EDH-RSA-DES-CBC-SHA, DES-CBC-SHA

LB_RS_SSL_PROF_MEDIUM
  • Allow version: TLSv1.0, TLSv1.1, and TLSv1.2
  • Cipher suite list: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA, AES128-GCM-SHA256, AES128-SHA256, AES128-SHA, RC4-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA

LB_RS_SSL_PROF_NONE
  • SSL is disabled.

Before you begin:
  • You must have read-write permission for load balance settings.

Syntax

config load-balance real-server-ssl-profile

edit <name>

set ssl {enable|disable}

set allow-ssl-versions {sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3}

set server-cert-verify <datasource>

set ssl-ciphers {ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA ECDHE-RSA-RC4-SHA RC4-SHA RC4-MD5 ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA eNULL }

set ssl-customize-ciphers-flag {enable|disable}

set ssl-customized-ciphers <string>

set ssl-session-reuse {enable|disable}

set ssl-session-reuse-limit <integer>

set ssl-sni-forward {enable|disable}

set ssl-tls-ticket-reuse {enable|disable}

set server-OCSP-stapling-support {enable|disable}

set rfc7919-comply {enable|disable}

set supported-groups {secp256r1 secp384r1 secp521r1 x25519 x448 ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192}

next

end

ssl

Enable/disable SSL for the connection between the FortiADC and the real server.

allow-ssl-versions

Specify a space-separated list of allowed SSL versions.

  • sslv3

  • tlsv1.0

  • tlsv1.1

  • tlsv1.2

  • tlsv1.3

Note:

  • The selected versions must be contiguous, with no gap between them; otherwise, an error message is returned.

  • rfc7919-comply does not support SSLv3 or TLS 1.3. If rfc7919-comply is enabled and sslv3 or tlsv1.3 is selected in allow-ssl-versions, an error message is displayed.

server-cert-verify

Specify a Certificate Verify configuration object to validate server certificates. This Certificate Verify object must include a CA group and can include OCSP and CRL checks.

ssl-ciphers

Specify a space-separated, ordered list of supported SSL ciphers.

ssl-customize-ciphers-flag

Enable/disable use of user-specified cipher suites.

ssl-customized-ciphers

If ssl-customize-ciphers-flag is enabled, specify a colon-separated, ordered list of cipher suites.

An empty string is allowed. If empty, the default cipher suite list is used.

ssl-session-reuse

Enable/disable SSL session reuse.

ssl-session-reuse-limit

The default is 0 (disabled). The valid range is 0-1048576.

ssl-sni-forward

Enable/disable forwarding the client SNI value to the server. The SNI value will be forwarded to the real server only when the client-side ClientHello message contains a valid SNI value; otherwise, nothing is forwarded.

ssl-tls-ticket-reuse

Enable/disable TLS ticket-based session reuse.

server-OCSP-stapling-support

Enable/disable OCSP stapling on the connection to the real server. The default is disable.

Note: This setting takes effect only when server certificate verification (server-cert-verify) is configured.

rfc7919-comply

Enable/disable parameters to comply with RFC 7919.

Note:

  • rfc7919-comply does not support SSLv3 or TLS 1.3. If rfc7919-comply is enabled and sslv3 or tlsv1.3 is selected in allow-ssl-versions, an error message is displayed.

supported-groups

The supported-groups option is available if rfc7919-comply is enabled.

Specify the supported group objects from the following:

  • secp256r1

  • secp384r1

  • secp521r1

  • x25519

  • x448

  • ffdhe2048

  • ffdhe3072

  • ffdhe4096

  • ffdhe6144

  • ffdhe8192

At least one item from the FFDHE group must be selected.

Note:

The RFC 7919 Comply feature requires certain cipher selections to correspond with the Supported Group selection.

  • If an FFDHE group is selected (for example, ffdhe2048), then at least one cipher must be DHE-RSA (for example, DHE-RSA-AES256-SHA256).

  • If the Supported Group includes groups other than FFDHE (such as a SECP group, secp256r1), then at least one cipher must be ECDHE (for example, ECDHE-ECDSA-AES256-GCM-SHA384).

  • If an ECDHE cipher is selected (for example, ECDHE-ECDSA-AES256-GCM-SHA384), then the Supported Group must include at least one group that is not FFDHE (such as a SECP group, secp256r1).
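The following is an added example, not Fortinet code: a pre-flight check that applies the rules stated above (contiguous allow-ssl-versions, no SSLv3/TLS 1.3 with rfc7919-comply, at least one FFDHE group, and the DHE-RSA/ECDHE correspondence with supported-groups) to a profile before it is entered on the device. The dictionary keys mirror the CLI option names; both sample profiles are constructed.

```python
from typing import Any, Dict, List

# Added example, not Fortinet code: checks a real-server SSL profile against the
# constraints stated on this page before it is applied on the device.
VERSION_ORDER = ["sslv3", "tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3"]
FFDHE_GROUPS = {"ffdhe2048", "ffdhe3072", "ffdhe4096", "ffdhe6144", "ffdhe8192"}
EC_GROUPS = {"secp256r1", "secp384r1", "secp521r1", "x25519", "x448"}

def validate_profile(profile: Dict[str, Any]) -> List[str]:
    """Return rule violations; an empty list means the profile is consistent."""
    errors: List[str] = []
    versions = list(profile.get("allow-ssl-versions", []))
    ciphers = list(profile.get("ssl-ciphers", []))
    groups = set(profile.get("supported-groups", []))
    # allow-ssl-versions must be a contiguous run of the ordered version list.
    idx = sorted(VERSION_ORDER.index(v) for v in versions)
    if idx and idx != list(range(idx[0], idx[-1] + 1)):
        errors.append("allow-ssl-versions must be contiguous")
    if profile.get("rfc7919-comply") == "enable":
        if "sslv3" in versions or "tlsv1.3" in versions:
            errors.append("rfc7919-comply does not support sslv3 or tlsv1.3")
        if not groups & FFDHE_GROUPS:
            errors.append("at least one FFDHE group must be selected")
        has_dhe = any(c.startswith("DHE-RSA-") for c in ciphers)
        has_ecdhe = any(c.startswith("ECDHE-") for c in ciphers)
        # FFDHE groups need a DHE-RSA suite; EC groups and ECDHE suites need each other.
        if groups & FFDHE_GROUPS and not has_dhe:
            errors.append("FFDHE group selected but no DHE-RSA cipher")
        if groups & EC_GROUPS and not has_ecdhe:
            errors.append("non-FFDHE group selected but no ECDHE cipher")
        if has_ecdhe and not groups & EC_GROUPS:
            errors.append("ECDHE cipher selected but no non-FFDHE group")
    return errors

# Constructed sample: obeys every rule on this page.
GOOD_PROFILE = {
    "allow-ssl-versions": ["tlsv1.1", "tlsv1.2"],
    "rfc7919-comply": "enable",
    "supported-groups": ["x25519", "ffdhe2048"],
    "ssl-ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384"],
}
# Constructed sample: version gap, FFDHE-only groups with an ECDHE-only cipher list.
BAD_PROFILE = {
    "allow-ssl-versions": ["tlsv1.0", "tlsv1.2"],
    "rfc7919-comply": "enable",
    "supported-groups": ["ffdhe2048"],
    "ssl-ciphers": ["ECDHE-ECDSA-AES256-GCM-SHA384"],
}
```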

Example

FortiADC-VM # config load-balance real-server-ssl-profile

FortiADC-VM (real-server-ss~-) # get

== [ LB_RS_SSL_PROF_NONE ]

== [ LB_RS_SSL_PROF_LOW_SSLV2 ]

== [ LB_RS_SSL_PROF_LOW_SSLV3 ]

== [ LB_RS_SSL_PROF_MEDIUM ]

== [ LB_RS_SSL_PROF_HIGH ]

== [ LB_RS_SSL_PROF_ECDSA ]

== [ LB_RS_SSL_PROF_ECDSA_SSLV3 ]

== [ LB_RS_SSL_PROF_ECDSA_TLS12 ]

== [ LB_RS_SSL_PROF_ENULL ]

== [ LB_RS_SSL_PROF_DEFAULT ]

FortiADC-VM (real-server-ss~-) # edit RS-SSL-PROFILE-USER-DEFINED

Add new entry 'RS-SSL-PROFILE-USER-DEFINED' for node 3862

FortiADC-VM (RS-SSL-PROFILE~U) # set ssl enable

FortiADC-VM (RS-SSL-PROFILE~U) # get

ssl : enable

server-cert-verify :

ssl-sni-forward : disable

ssl-session-reuse : disable

ssl-customize-ciphers-flag : disable

ssl-ciphers : DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA EDH-RSA-DES-CBC-SHA DES-CBC-SHA

allow-ssl-versions : sslv3 tlsv1.0 tlsv1.1 tlsv1.2

FortiADC-VM (RS-SSL-PROFILE~U) # set ssl-session-reuse enable

FortiADC-VM (RS-SSL-PROFILE~U) # set allow-ssl-versions tlsv1.2

FortiADC-VM (RS-SSL-PROFILE~U) # end

FortiADC-VM #
