firewall ssl-server
Use this command to set up connections to SSL servers.
History
The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.
Command | Description |
---|---|
set ssl-min-version ssl-3.0 | The |
```
config firewall ssl-server
    edit {name}   # Configure SSL servers.
        set name {string}   Server name. size[35]
        set ip {ipv4 address any}   IPv4 address of the SSL server.
        set port {integer}   Server service port (1 - 65535, default = 443). range[1-65535]
        set ssl-mode {half | full}   SSL/TLS mode for encryption and decryption of traffic.
                half   Client to FortiGate SSL.
                full   Client to FortiGate and FortiGate to Server SSL.
        set add-header-x-forwarded-proto {enable | disable}   Enable/disable adding an X-Forwarded-Proto header to forwarded requests.
        set mapped-port {integer}   Mapped server service port (1 - 65535, default = 80). range[1-65535]
        set ssl-cert {string}   Name of certificate for SSL connections to this server (default = "Fortinet_CA_SSL"). size[35] - datasource(s): vpn.certificate.local.name
        set ssl-dh-bits {768 | 1024 | 1536 | 2048}   Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).
                768    768-bit Diffie-Hellman prime.
                1024   1024-bit Diffie-Hellman prime.
                1536   1536-bit Diffie-Hellman prime.
                2048   2048-bit Diffie-Hellman prime.
        set ssl-algorithm {high | medium | low}   Relative strength of encryption algorithms accepted in negotiation.
                high     High encryption. Allow only AES and ChaCha.
                medium   Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
                low      Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
        set ssl-client-renegotiation {allow | deny | secure}   Allow or block client renegotiation by server.
                allow    Allow a SSL client to renegotiate.
                deny     Abort any SSL connection that attempts to renegotiate.
                secure   Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
        set ssl-min-version {tls-1.0 | tls-1.1 | tls-1.2}   Lowest SSL/TLS version to negotiate.
                tls-1.0   TLS 1.0.
                tls-1.1   TLS 1.1.
                tls-1.2   TLS 1.2.
        set ssl-max-version {tls-1.0 | tls-1.1 | tls-1.2}   Highest SSL/TLS version to negotiate.
                tls-1.0   TLS 1.0.
                tls-1.1   TLS 1.1.
                tls-1.2   TLS 1.2.
        set ssl-send-empty-frags {enable | disable}   Enable/disable sending empty fragments to avoid attack on CBC IV.
        set url-rewrite {enable | disable}   Enable/disable rewriting the URL.
    next
end
```
Additional information
The following section is for those options that require additional explanation.
edit <ssl-server-name>
Enter a name for the SSL server. It can be any name and this name is not used by other FortiGate configurations.
add-header-x-forwarded-proto
Optionally add the X-Forwarded-Proto header. This is available when ssl-mode is half.
Default Value: enable
ip
Enter an IP address for the SSL server. This IP address should be the same as the IP address of the HTTP server that this SSL server will be offloading for. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination IP address of the session is matched with this IP address to select the SSL server configuration to use.
port
Enter a port number to be used by the SSL server. Usually this would be port 443 for an HTTPS server. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination port of the session is matched with this port to select the SSL server configuration to use.
ssl-mode
Default Value: full
ssl-cert
Select the certificate to be used for this SSL server. The certificate should be the HTTP server CA used by the HTTP server that this SSL server configuration will be offloading for.
The certificate must be a local certificate added to the FortiGate unit using the config vpn certificate local command. For more information, see vpn certificate local.
The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
Default Value: 1024
ssl-dh-bits
Select the size of the Diffie-Hellman prime used in DHE_RSA negotiation. Larger primes may cause a performance reduction but are more secure.
ssl-min-version
Select the lowest or oldest SSL/TLS version to offer when negotiating.
ssl-max-version
Select the highest or newest SSL/TLS version to offer when negotiating.
ssl-send-empty-frags
Enable or disable sending empty fragments before sending the actual payload. Sending empty fragments is a technique used to avoid cipher-block chaining (CBC) plaintext attacks if the initialization vector (IV) is known (also called the CBC IV). Some SSL implementations are not compatible with sending empty fragments. Change ssl-send-empty-frags to disable if required by your SSL implementation.
Default Value: enable
url-rewrite
Enable to rewrite the Location header of HTTP redirection responses (3XX responses). This is available when ssl-mode is half.
Default Value: disable
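As an added example (not Fortinet code), the following checker parses a config firewall ssl-server block and flags the options this page describes as weaker than their strongest setting: TLS 1.0/1.1 allowed by ssl-min-version, medium/low ssl-algorithm, ssl-client-renegotiation allow, ssl-dh-bits below 2048, and ssl-send-empty-frags disable. The two-server configuration is constructed for the example; unset options fall back only to the defaults stated in the syntax above (ssl-dh-bits 2048, ssl-send-empty-frags enable).

```python
import re
# Constructed sample config (not from a real device): one weak and one hardened server.
CONFIG = """\
config firewall ssl-server
    edit "legacy-web"
        set ssl-dh-bits 1024
        set ssl-algorithm medium
        set ssl-client-renegotiation allow
        set ssl-min-version tls-1.0
        set ssl-send-empty-frags disable
    next
    edit "hardened-web"
        set ssl-algorithm high
        set ssl-client-renegotiation secure
        set ssl-min-version tls-1.2
        set ssl-max-version tls-1.2
    next
end
"""

# Defaults stated in the syntax table; applied when the option is not set explicitly.
DEFAULTS = {"ssl-dh-bits": "2048", "ssl-send-empty-frags": "enable"}

def parse_ssl_servers(text):
    """Return {server name: {option: value}} from a config firewall ssl-server block."""
    servers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit\s+"?([^"]+?)"?\s*$', line):
            current = dict(DEFAULTS)          # start each entry from the stated defaults
            servers[m.group(1)] = current
        elif current is not None and (m := re.match(r'set\s+(\S+)\s+(.+)$', line)):
            current[m.group(1)] = m.group(2).strip().strip('"')
        elif line == "next":
            current = None
    return servers

def audit(servers):
    """Return [(server, finding)] for every option set weaker than its strongest choice."""
    findings = []
    for name, s in servers.items():
        checks = [
            (s.get("ssl-min-version") != "tls-1.2", "ssl-min-version: TLS 1.0/1.1 offered"),
            (s.get("ssl-algorithm") in ("medium", "low"), "ssl-algorithm: RC4/3DES accepted"),
            (s.get("ssl-client-renegotiation") == "allow", "ssl-client-renegotiation allow: no RFC 5746 check"),
            (int(s["ssl-dh-bits"]) < 2048, "ssl-dh-bits: DH prime below 2048 bits"),
            (s["ssl-send-empty-frags"] == "disable", "ssl-send-empty-frags disable: CBC IV mitigation off"),
        ]
        findings += [(name, msg) for bad, msg in checks if bad]
    return findings
```

Running audit(parse_ssl_servers(CONFIG)) reports five findings for legacy-web and none for hardened-web.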