```
config firewall ssl-ssh-profile
    Description: Configure SSL/SSH protocol options.
    edit <name>
        set comment {var-string}
        config ssl
            Description: Configure SSL options.
            set inspect-all [disable|certificate-inspection|...]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config https
            Description: Configure HTTPS options.
            set ports {integer}
            set status [disable|certificate-inspection|...]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config ftps
            Description: Configure FTPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config pop3s
            Description: Configure POP3S options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config smtps
            Description: Configure SMTPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-cert-request [bypass|inspect|...]
            set unsupported-ssl [bypass|inspect|...]
            set invalid-server-cert [allow|block]
            set untrusted-server-cert [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config ssh
            Description: Configure SSH options.
            set ports {integer}
            set status [disable|deep-inspection]
            set inspect-all [disable|deep-inspection]
            set unsupported-version [bypass|block]
            set ssh-tun-policy-check [disable|enable]
            set ssh-algorithm [compatible|high-encryption]
        end
        set whitelist [enable|disable]
        set block-blacklisted-certificates [disable|enable]
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set type [fortiguard-category|address|...]
                set fortiguard-category {integer}
                set address {string}
                set address6 {string}
                set wildcard-fqdn {string}
                set regex {string}
            next
        end
        set server-cert-mode [re-sign|replace]
        set use-ssl-server [disable|enable]
        set caname {string}
        set untrusted-caname {string}
        set server-cert {string}
        config ssl-server
            Description: SSL servers.
            edit <id>
                set ip {ipv4-address-any}
                set https-client-cert-request [bypass|inspect|...]
                set smtps-client-cert-request [bypass|inspect|...]
                set pop3s-client-cert-request [bypass|inspect|...]
                set imaps-client-cert-request [bypass|inspect|...]
                set ftps-client-cert-request [bypass|inspect|...]
                set ssl-other-client-cert-request [bypass|inspect|...]
            next
        end
        set ssl-anomalies-log [disable|enable]
        set ssl-exemptions-log [disable|enable]
        set rpc-over-https [enable|disable]
        set mapi-over-https [enable|disable]
    next
end
```
Parameters of config firewall ssl-ssh-profile (top level)

Parameter Name | Description | Type | Size |
---|---|---|---|
comment | Optional comments. | var-string | Maximum length: 255 |
whitelist | Enable/disable exempting servers by FortiGuard whitelist. enable: Enable setting. disable: Disable setting. | option | - |
block-blacklisted-certificates | Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. disable: Disable FortiGuard certificate blacklist. enable: Enable FortiGuard certificate blacklist. | option | - |
server-cert-mode | Re-sign or replace the server's certificate. re-sign: Multiple clients connecting to multiple servers. replace: Protect an SSL server. | option | - |
use-ssl-server | Enable/disable the use of SSL server table for SSL offloading. disable: Don't use SSL server configuration. enable: Use SSL server configuration. | option | - |
caname | CA certificate used by SSL Inspection. | string | Maximum length: 35 |
untrusted-caname | Untrusted CA certificate used by SSL Inspection. | string | Maximum length: 35 |
server-cert | Certificate used by SSL Inspection to replace server certificate. | string | Maximum length: 35 |
ssl-anomalies-log | Enable/disable logging SSL anomalies. disable: Disable logging SSL anomalies. enable: Enable logging SSL anomalies. | option | - |
ssl-exemptions-log | Enable/disable logging SSL exemptions. disable: Disable logging SSL exemptions. enable: Enable logging SSL exemptions. | option | - |
rpc-over-https | Enable/disable inspection of RPC over HTTPS. enable: Enable inspection of RPC over HTTPS. disable: Disable inspection of RPC over HTTPS. | option | - |
mapi-over-https | Enable/disable inspection of MAPI over HTTPS. enable: Enable inspection of MAPI over HTTPS. disable: Disable inspection of MAPI over HTTPS. | option | - |
Parameters of config ssl

Parameter Name | Description | Type | Size |
---|---|---|---|
inspect-all | Level of SSL inspection. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection. | option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |
Parameters of config https

Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection. | option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |
Parameters of config ftps

Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |
Parameters of config imaps

Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |
Parameters of config pop3s

Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |
Parameters of config smtps

Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. | option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. | option | - |
Parameters of config ssh

Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
inspect-all | Level of SSL inspection. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
unsupported-version | Action based on SSH version being unsupported. bypass: Bypass the session. block: Block the session. | option | - |
ssh-tun-policy-check | Enable/disable SSH tunnel policy check. disable: Disable SSH tunnel policy check. enable: Enable SSH tunnel policy check. | option | - |
ssh-algorithm | Relative strength of encryption algorithms accepted during negotiation. compatible: Allow a broader set of encryption algorithms for best compatibility. high-encryption: Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms. | option | - |
Parameters of config ssl-exempt

Parameter Name | Description | Type | Size |
---|---|---|---|
type | Type of address object (IPv4 or IPv6) or FortiGuard category. fortiguard-category: FortiGuard category. address: Firewall IPv4 address. address6: Firewall IPv6 address. wildcard-fqdn: Fully Qualified Domain Name with wildcard characters. regex: Regular expression FQDN. | option | - |
fortiguard-category | FortiGuard category ID. | integer | Minimum value: 0 Maximum value: 255 |
address | IPv4 address object. | string | Maximum length: 79 |
address6 | IPv6 address object. | string | Maximum length: 79 |
wildcard-fqdn | Exempt servers by wildcard FQDN. | string | Maximum length: 79 |
regex | Exempt servers by regular expression. | string | Maximum length: 255 |
Parameters of config ssl-server

Parameter Name | Description | Type | Size |
---|---|---|---|
ip | IPv4 address of the SSL server. | ipv4-address-any | Not Specified |
https-client-cert-request | Action based on client certificate request during the HTTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
smtps-client-cert-request | Action based on client certificate request during the SMTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
pop3s-client-cert-request | Action based on client certificate request during the POP3S handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
imaps-client-cert-request | Action based on client certificate request during the IMAPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
ftps-client-cert-request | Action based on client certificate request during the FTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
ssl-other-client-cert-request | Action based on client certificate request during an SSL protocol handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
config firewall ssl-ssh-profile
Description: Configure SSL/SSH protocol options.
edit <name>
set comment {var-string}
config ssl
Description: Configure SSL options.
set inspect-all [disable|certificate-inspection|...]
set client-cert-request [bypass|inspect|...]
set unsupported-ssl [bypass|inspect|...]
set invalid-server-cert [allow|block]
set untrusted-server-cert [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config https
Description: Configure HTTPS options.
set ports {integer}
set status [disable|certificate-inspection|...]
set client-cert-request [bypass|inspect|...]
set unsupported-ssl [bypass|inspect|...]
set invalid-server-cert [allow|block]
set untrusted-server-cert [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ftps
Description: Configure FTPS options.
set ports {integer}
set status [disable|deep-inspection]
set client-cert-request [bypass|inspect|...]
set unsupported-ssl [bypass|inspect|...]
set invalid-server-cert [allow|block]
set untrusted-server-cert [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config imaps
Description: Configure IMAPS options.
set ports {integer}
set status [disable|deep-inspection]
set client-cert-request [bypass|inspect|...]
set unsupported-ssl [bypass|inspect|...]
set invalid-server-cert [allow|block]
set untrusted-server-cert [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config pop3s
Description: Configure POP3S options.
set ports {integer}
set status [disable|deep-inspection]
set client-cert-request [bypass|inspect|...]
set unsupported-ssl [bypass|inspect|...]
set invalid-server-cert [allow|block]
set untrusted-server-cert [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config smtps
Description: Configure SMTPS options.
set ports {integer}
set status [disable|deep-inspection]
set client-cert-request [bypass|inspect|...]
set unsupported-ssl [bypass|inspect|...]
set invalid-server-cert [allow|block]
set untrusted-server-cert [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ssh
Description: Configure SSH options.
set ports {integer}
set status [disable|deep-inspection]
set inspect-all [disable|deep-inspection]
set unsupported-version [bypass|block]
set ssh-tun-policy-check [disable|enable]
set ssh-algorithm [compatible|high-encryption]
end
set whitelist [enable|disable]
set block-blacklisted-certificates [disable|enable]
config ssl-exempt
Description: Servers to exempt from SSL inspection.
edit <id>
set type [fortiguard-category|address|...]
set fortiguard-category {integer}
set address {string}
set address6 {string}
set wildcard-fqdn {string}
set regex {string}
next
end
set server-cert-mode [re-sign|replace]
set use-ssl-server [disable|enable]
set caname {string}
set untrusted-caname {string}
set server-cert {string}
config ssl-server
Description: SSL servers.
edit <id>
set ip {ipv4-address-any}
set https-client-cert-request [bypass|inspect|...]
set smtps-client-cert-request [bypass|inspect|...]
set pop3s-client-cert-request [bypass|inspect|...]
set imaps-client-cert-request [bypass|inspect|...]
set ftps-client-cert-request [bypass|inspect|...]
set ssl-other-client-cert-request [bypass|inspect|...]
next
end
set ssl-anomalies-log [disable|enable]
set ssl-exemptions-log [disable|enable]
set rpc-over-https [enable|disable]
set mapi-over-https [enable|disable]
next
end
Parameter Name | Description | Type | Size |
---|---|---|---|
comment | Optional comments. | var-string | Maximum length: 255 |
whitelist | Enable/disable exempting servers by FortiGuard whitelist. enable: Enable setting. disable: Disable setting. |
option | - |
block-blacklisted-certificates | Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. disable: Disable FortiGuard certificate blacklist. enable: Enable FortiGuard certificate blacklist. |
option | - |
server-cert-mode | Re-sign or replace the server's certificate. re-sign: Multiple clients connecting to multiple servers. replace: Protect an SSL server. |
option | - |
use-ssl-server | Enable/disable the use of SSL server table for SSL offloading. disable: Don't use SSL server configuration. enable: Use SSL server configuration. |
option | - |
caname | CA certificate used by SSL Inspection. | string | Maximum length: 35 |
untrusted-caname | Untrusted CA certificate used by SSL Inspection. | string | Maximum length: 35 |
server-cert | Certificate used by SSL Inspection to replace server certificate. | string | Maximum length: 35 |
ssl-anomalies-log | Enable/disable logging SSL anomalies. disable: Disable logging SSL anomalies. enable: Enable logging SSL anomalies. |
option | - |
ssl-exemptions-log | Enable/disable logging SSL exemptions. disable: Disable logging SSL exemptions. enable: Enable logging SSL exemptions. |
option | - |
rpc-over-https | Enable/disable inspection of RPC over HTTPS. enable: Enable inspection of RPC over HTTPS. disable: Disable inspection of RPC over HTTPS. |
option | - |
mapi-over-https | Enable/disable inspection of MAPI over HTTPS. enable: Enable inspection of MAPI over HTTPS. disable: Disable inspection of MAPI over HTTPS. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
inspect-all | Level of SSL inspection. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection. |
option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. |
option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. |
option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. |
option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. |
option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection. |
option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. |
option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. |
option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. |
option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. |
option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. |
option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. |
option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. |
option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. |
option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. |
option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. |
option | - |
client-cert-request | Action based on client certificate request. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. |
option | - |
unsupported-ssl | Action based on the SSL encryption used being unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. |
option | - |
invalid-server-cert | Allow or block the invalid SSL session server certificate. allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. |
option | - |
untrusted-server-cert | Allow, ignore, or block the untrusted SSL session server certificate. allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always take the server certificate as trusted. |
option | - |
sni-server-cert-check | Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
client-cert-request | Action taken when the server requests a client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
unsupported-ssl | Action taken when the SSL encryption in use is unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
invalid-server-cert | Allow or block the session when the server certificate is invalid (for example expired, revoked, or malformed). allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
untrusted-server-cert | Allow, ignore, or block the session when the server certificate is untrusted (signed by a CA the FortiGate does not trust). allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always treat the server certificate as trusted. | option | - |
sni-server-cert-check | Check the SNI in the client hello against the CN or SAN fields of the returned server certificate. enable: Check; on a mismatch, use the CN in the server certificate for URL filtering. strict: Check; on a mismatch, close the connection. disable: Do not check the SNI against the server certificate. | option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 443). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection. | option | - |
client-cert-request | Action taken when the server requests a client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
unsupported-ssl | Action taken when the SSL encryption in use is unsupported. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
invalid-server-cert | Allow or block the session when the server certificate is invalid (for example expired, revoked, or malformed). allow: Allow the invalid server certificate. block: Block the connection when an invalid server certificate is detected. | option | - |
untrusted-server-cert | Allow, ignore, or block the session when the server certificate is untrusted (signed by a CA the FortiGate does not trust). allow: Allow the untrusted server certificate. block: Block the connection when an untrusted server certificate is detected. ignore: Always treat the server certificate as trusted. | option | - |
sni-server-cert-check | Check the SNI in the client hello against the CN or SAN fields of the returned server certificate. enable: Check; on a mismatch, use the CN in the server certificate for URL filtering. strict: Check; on a mismatch, close the connection. disable: Do not check the SNI against the server certificate. | option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
ports | Ports to use for scanning (1 - 65535, default = 22). | integer | Minimum value: 1 Maximum value: 65535 |
status | Configure protocol inspection status. disable: Disable. deep-inspection: Full SSH inspection. | option | - |
inspect-all | Level of SSH inspection applied regardless of port. disable: Disable. deep-inspection: Full SSH inspection. | option | - |
unsupported-version | Action taken when the SSH version in use is unsupported. bypass: Bypass the session. block: Block the session. | option | - |
ssh-tun-policy-check | Enable/disable SSH tunnel policy check. disable: Disable SSH tunnel policy check. enable: Enable SSH tunnel policy check. | option | - |
ssh-algorithm | Relative strength of the encryption algorithms accepted during negotiation. compatible: Allow a broader set of encryption algorithms for best compatibility. high-encryption: Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms. | option | - |
Parameter Name | Description | Type | Size |
---|---|---|---|
type | Type of exemption entry: FortiGuard category, IPv4 or IPv6 address object, wildcard FQDN, or regular expression. fortiguard-category: FortiGuard category. address: Firewall IPv4 address. address6: Firewall IPv6 address. wildcard-fqdn: Fully Qualified Domain Name with wildcard characters. regex: Regular expression FQDN. | option | - |
fortiguard-category | FortiGuard category ID. | integer | Minimum value: 0 Maximum value: 255 |
address | IPv4 address object. | string | Maximum length: 79 |
address6 | IPv6 address object. | string | Maximum length: 79 |
wildcard-fqdn | Exempt servers by wildcard FQDN. | string | Maximum length: 79 |
regex | Exempt servers by regular expression. | string | Maximum length: 255 |
Parameter Name | Description | Type | Size |
---|---|---|---|
ip | IPv4 address of the SSL server. | ipv4-address-any | Not Specified |
https-client-cert-request | Action taken when this server requests a client certificate during the HTTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
smtps-client-cert-request | Action taken when this server requests a client certificate during the SMTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
pop3s-client-cert-request | Action taken when this server requests a client certificate during the POP3S handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
imaps-client-cert-request | Action taken when this server requests a client certificate during the IMAPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
ftps-client-cert-request | Action taken when this server requests a client certificate during the FTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
ssl-other-client-cert-request | Action taken when this server requests a client certificate during the handshake of any other SSL protocol. bypass: Bypass the session. inspect: Inspect the session. block: Block the session. | option | - |
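The per-protocol tables, the ssh table, and the ssl-exempt and ssl-server tables above each carry one or two values (`allow`, `ignore`, `bypass`, `disable`, `compatible`, an over-broad exemption `regex`, a per-server `*-client-cert-request bypass`) that silently turn deep inspection into a pass-through. The following added example, written for this page and not a Fortinet tool, parses a `show`-style dump of `config firewall ssl-ssh-profile` and flags those values. The dump, the profile names and the address 203.0.113.10 are constructed; the option names and values are the ones in the tables. Treating the exemption regex as an unanchored search is an assumption.

```python
"""Audit a FortiOS `config firewall ssl-ssh-profile` dump for settings that weaken
deep inspection. Hypothetical checker written for this page, not a Fortinet tool."""
import re
# Constructed sample dump (not captured from a device): profile names and the
# 203.0.113.10 address are made up; option names and values come from the tables.
SAMPLE_DUMP = """\
config firewall ssl-ssh-profile
    edit "deep-hardened"
        config https
            set status deep-inspection
            set client-cert-request inspect
            set unsupported-ssl block
            set invalid-server-cert block
            set untrusted-server-cert block
            set sni-server-cert-check strict
        end
        config ssh
            set status deep-inspection
            set unsupported-version block
            set ssh-tun-policy-check enable
            set ssh-algorithm high-encryption
        end
    next
    edit "deep-lax"
        config https
            set status deep-inspection
            set client-cert-request bypass
            set unsupported-ssl bypass
            set invalid-server-cert allow
            set untrusted-server-cert ignore
            set sni-server-cert-check disable
        end
        config ssh
            set status deep-inspection
            set unsupported-version bypass
            set ssh-algorithm compatible
        end
        config ssl-exempt
            edit 1
                set type regex
                set regex ".*"
            next
        end
        config ssl-server
            edit 1
                set ip 203.0.113.10
                set https-client-cert-request bypass
            next
        end
    next
end
"""
P = r"^(ssl|https|ftps|imaps|pop3s|smtps)/"   # per-protocol SSL sections
# (regex over "section[/entry]/option", weak values, why it matters)
WEAK_VALUES = [
    (P + r"invalid-server-cert$", {"allow"}, "invalid server certs allowed"),
    (P + r"untrusted-server-cert$", {"allow", "ignore"}, "unknown-CA server certs accepted"),
    (P + r"sni-server-cert-check$", {"disable"}, "SNI not checked against CN/SAN (use strict)"),
    (P + r"unsupported-ssl$", {"bypass"}, "unsupported SSL passes uninspected"),
    (P + r"client-cert-request$", {"bypass"}, "a client-cert request escapes inspection"),
    (r"^ssh/unsupported-version$", {"bypass"}, "unsupported SSH versions pass uninspected"),
    (r"^ssh/ssh-tun-policy-check$", {"disable"}, "SSH tunnels not policy-checked"),
    (r"^ssh/ssh-algorithm$", {"compatible"}, "weak SSH ciphers negotiable"),
    (r"^ssl-server/\d+/[\w-]+-client-cert-request$", {"bypass"}, "per-server bypass of inspection"),
]

def parse_profiles(dump: str) -> dict:
    """Flatten config/edit/set/next/end nesting into {profile: {"section[/entry]/option": value}}."""
    profiles, stack = {}, []        # stack = [table, profile, section, entry, ...]
    for raw in dump.splitlines():
        cmd, _, rest = raw.strip().partition(" ")
        if cmd == "config":
            stack.append(rest)
        elif cmd == "edit":
            stack.append(rest.strip('"'))
        elif cmd in ("next", "end"):
            stack.pop()
        elif cmd == "set":
            option, _, value = rest.partition(" ")
            path = "/".join(stack[2:] + [option])   # drop table and profile name
            profiles.setdefault(stack[1], {})[path] = value.strip('"')
    return profiles

def audit(dump: str) -> dict:
    """Return {profile: [finding, ...]}; an empty list means nothing was flagged."""
    report = {}
    for name, conf in parse_profiles(dump).items():
        findings = report.setdefault(name, [])
        for path, value in conf.items():
            if conf.get(path.split("/")[0] + "/status") == "disable":
                continue            # weak values in a disabled protocol section are inert
            for pattern, weak, why in WEAK_VALUES:
                if re.match(pattern, path) and value in weak:
                    findings.append(f"{path} = {value}: {why}")
            # Assumption: the exemption regex is an unanchored search; a pattern that
            # also hits a host you would never exempt is too broad.
            if path.endswith("/regex") and re.search(value, "attacker.invalid"):
                findings.append(f"{path} = {value!r}: exemption regex matches unrelated hosts")
    return report
```

Feed it the output of `show full-configuration firewall ssl-ssh-profile` rather than plain `show`: the latter omits options left at their defaults, and the checker only sees values that are explicitly set (the `deep-lax` profile above never sets `ssh-tun-policy-check`, so that default is not reported).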