config firewall ssl-ssh-profile
Configure SSL/SSH protocol options.
config firewall ssl-ssh-profile
Description: Configure SSL/SSH protocol options.
edit <name>
set block-blacklisted-certificates [disable|enable]
set caname {string}
set comment {var-string}
config ftps
Description: Configure FTPS options.
set ports {integer}
set status [disable|deep-inspection]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config https
Description: Configure HTTPS options.
set ports {integer}
set status [disable|certificate-inspection|...]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config imaps
Description: Configure IMAPS options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
set mapi-over-https [enable|disable]
config pop3s
Description: Configure POP3S options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
set rpc-over-https [enable|disable]
set server-cert {string}
set server-cert-mode [re-sign|replace]
config smtps
Description: Configure SMTPS options.
set ports {integer}
set status [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
config ssh
Description: Configure SSH options.
set ports {integer}
set status [disable|deep-inspection]
set inspect-all [disable|deep-inspection]
set proxy-after-tcp-handshake [enable|disable]
set unsupported-version [bypass|block]
set ssh-tun-policy-check [disable|enable]
set ssh-algorithm [compatible|high-encryption]
end
config ssl
Description: Configure SSL options.
set inspect-all [disable|certificate-inspection|...]
set client-certificate [bypass|inspect|...]
set unsupported-ssl-cipher [allow|block]
set unsupported-ssl-negotiation [allow|block]
set expired-server-cert [allow|block|...]
set revoked-server-cert [allow|block|...]
set untrusted-server-cert [allow|block|...]
set cert-validation-timeout [allow|block|...]
set cert-validation-failure [allow|block|...]
set sni-server-cert-check [enable|strict|...]
end
set ssl-anomalies-log [disable|enable]
config ssl-exempt
Description: Servers to exempt from SSL inspection.
edit <id>
set type [fortiguard-category|address|...]
set fortiguard-category {integer}
set address {string}
set address6 {string}
set wildcard-fqdn {string}
set regex {string}
next
end
set ssl-exemptions-log [disable|enable]
set ssl-negotiation-log [disable|enable]
config ssl-server
Description: SSL server settings used for client certificate request.
edit <id>
set ip {ipv4-address-any}
set https-client-certificate [bypass|inspect|...]
set smtps-client-certificate [bypass|inspect|...]
set pop3s-client-certificate [bypass|inspect|...]
set imaps-client-certificate [bypass|inspect|...]
set ftps-client-certificate [bypass|inspect|...]
set ssl-other-client-certificate [bypass|inspect|...]
next
end
set untrusted-caname {string}
set use-ssl-server [disable|enable]
set whitelist [enable|disable]
next
end
config firewall ssl-ssh-profile
|
Parameter |
Description |
Type |
Size |
Default |
||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
block-blacklisted-certificates |
Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. |
option |
- |
enable |
||||||
|
|
|
|||||||||
|
caname |
CA certificate used by SSL Inspection. |
string |
Maximum length: 35 |
Fortinet_CA_SSL |
||||||
|
comment |
Optional comments. |
var-string |
Maximum length: 255 |
|
||||||
|
mapi-over-https |
Enable/disable inspection of MAPI over HTTPS. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
name |
Name. |
string |
Maximum length: 35 |
|
||||||
|
rpc-over-https |
Enable/disable inspection of RPC over HTTPS. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
server-cert |
Certificate used by SSL Inspection to replace server certificate. |
string |
Maximum length: 35 |
Fortinet_SSL |
||||||
|
server-cert-mode |
Re-sign or replace the server's certificate. |
option |
- |
re-sign |
||||||
|
|
|
|||||||||
|
ssl-anomalies-log |
Enable/disable logging SSL anomalies. |
option |
- |
enable |
||||||
|
|
|
|||||||||
|
ssl-exemptions-log |
Enable/disable logging SSL exemptions. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
ssl-negotiation-log |
Enable/disable logging SSL negotiation. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
untrusted-caname |
Untrusted CA certificate used by SSL Inspection. |
string |
Maximum length: 35 |
Fortinet_CA_Untrusted |
||||||
|
use-ssl-server |
Enable/disable the use of SSL server table for SSL offloading. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
whitelist |
Enable/disable exempting servers by FortiGuard whitelist. |
option |
- |
disable |
||||||
|
|
|
|||||||||
config ftps
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
|
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||
|
|
|
|||||||||||
|
client-certificate |
Action based on received client certificate. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
expired-server-cert |
Action based on server certificate is expired. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
revoked-server-cert |
Action based on server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
untrusted-server-cert |
Action based on server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
config https
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
|
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||
|
|
|
|||||||||||
|
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
client-certificate |
Action based on received client certificate. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
expired-server-cert |
Action based on server certificate is expired. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
revoked-server-cert |
Action based on server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
untrusted-server-cert |
Action based on server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
config imaps
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
|
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||
|
|
|
|||||||||||
|
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
client-certificate |
Action based on received client certificate. |
option |
- |
inspect |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
expired-server-cert |
Action based on server certificate is expired. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
revoked-server-cert |
Action based on server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
untrusted-server-cert |
Action based on server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
config pop3s
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
|
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||
|
|
|
|||||||||||
|
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
client-certificate |
Action based on received client certificate. |
option |
- |
inspect |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
expired-server-cert |
Action based on server certificate is expired. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
revoked-server-cert |
Action based on server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
untrusted-server-cert |
Action based on server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
config smtps
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
|
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||
|
|
|
|||||||||||
|
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
client-certificate |
Action based on received client certificate. |
option |
- |
inspect |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
expired-server-cert |
Action based on server certificate is expired. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
revoked-server-cert |
Action based on server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
untrusted-server-cert |
Action based on server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
config ssh
|
Parameter |
Description |
Type |
Size |
Default |
||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||
|
status |
Configure protocol inspection status. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
inspect-all |
Level of SSL inspection. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
unsupported-version |
Action based on SSH version being unsupported. |
option |
- |
bypass |
||||||
|
|
|
|||||||||
|
ssh-tun-policy-check |
Enable/disable SSH tunnel policy check. |
option |
- |
disable |
||||||
|
|
|
|||||||||
|
ssh-algorithm |
Relative strength of encryption algorithms accepted during negotiation. |
option |
- |
compatible |
||||||
|
|
|
|||||||||
config ssl
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
inspect-all |
Level of SSL inspection. |
option |
- |
disable |
||||||||
|
|
|
|||||||||||
|
client-certificate |
Action based on received client certificate. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
expired-server-cert |
Action based on server certificate is expired. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
revoked-server-cert |
Action based on server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
untrusted-server-cert |
Action based on server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|
|||||||||||
|
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|
|||||||||||
|
sni-server-cert-check |
Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
|
|||||||||||
config ssl-exempt
|
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
id |
ID number. |
integer |
Minimum value: 0 Maximum value: 512 |
0 |
||||||||||||
|
type |
Type of address object (IPv4 or IPv6) or FortiGuard category. |
option |
- |
fortiguard-category |
||||||||||||
|
|
|
|||||||||||||||
|
fortiguard-category |
FortiGuard category ID. |
integer |
Minimum value: 0 Maximum value: 255 |
0 |
||||||||||||
|
address |
IPv4 address object. |
string |
Maximum length: 79 |
|
||||||||||||
|
address6 |
IPv6 address object. |
string |
Maximum length: 79 |
|
||||||||||||
|
wildcard-fqdn |
Exempt servers by wildcard FQDN. |
string |
Maximum length: 79 |
|
||||||||||||
|
regex |
Exempt servers by regular expression. |
string |
Maximum length: 255 |
|
||||||||||||
config ssl-server
|
Parameter |
Description |
Type |
Size |
Default |
||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
id |
SSL server ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||||
|
ip |
IPv4 address of the SSL server. |
ipv4-address-any |
Not Specified |
0.0.0.0 |
||||||||
|
https-client-certificate |
Action based on received client certificate during the HTTPS handshake. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||
|
smtps-client-certificate |
Action based on received client certificate during the SMTPS handshake. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||
|
pop3s-client-certificate |
Action based on received client certificate during the POP3S handshake. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||
|
imaps-client-certificate |
Action based on received client certificate during the IMAPS handshake. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||
|
ftps-client-certificate |
Action based on received client certificate during the FTPS handshake. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||
|
ssl-other-client-certificate |
Action based on received client certificate during an SSL protocol handshake. |
option |
- |
bypass |
||||||||
|
|
|
|||||||||||