CLI Reference

alertemail
- alertemail setting
antivirus
- antivirus heuristic
- antivirus profile
- antivirus quarantine
- antivirus settings
application
- application custom
- application group
- application list
- application name
- application rule-settings
authentication
- authentication rule
- authentication scheme
- authentication setting
certificate
- certificate ca
- certificate crl
- certificate local
- certificate remote
credential-store
- credential-store domain-controller
dlp
- dlp filepattern
- dlp fp-doc-source
- dlp sensitivity
- dlp sensor
- dlp settings
dnsfilter
- dnsfilter domain-filter
- dnsfilter profile
emailfilter
- emailfilter bwl
- emailfilter bword
- emailfilter dnsbl
- emailfilter fortishield
- emailfilter iptrust
- emailfilter mheader
- emailfilter options
- emailfilter profile
endpoint-control
- endpoint-control fctems
extender-controller
- extender-controller dataplan
- extender-controller extender
file-filter
- file-filter profile
firewall
- firewall DoS-policy
- firewall DoS-policy6
- firewall acl
- firewall acl6
- firewall address
- firewall address6
- firewall address6-template
- firewall addrgrp
- firewall addrgrp6
- firewall auth-portal
- firewall central-snat-map
- firewall city
- firewall country
- firewall decrypted-traffic-mirror
- firewall dnstranslation
- firewall identity-based-route
- firewall interface-policy
- firewall interface-policy6
- firewall internet-service
- firewall internet-service-addition
- firewall internet-service-append
- firewall internet-service-botnet
- firewall internet-service-custom
- firewall internet-service-custom-group
- firewall internet-service-definition
- firewall internet-service-extension
- firewall internet-service-group
- firewall internet-service-ipbl-reason
- firewall internet-service-ipbl-vendor
- firewall internet-service-list
- firewall internet-service-name
- firewall internet-service-owner
- firewall internet-service-reputation
- firewall internet-service-sld
- firewall ip-translation
- firewall ipmacbinding setting
- firewall ipmacbinding table
- firewall ippool
- firewall ippool6
- firewall ldb-monitor
- firewall local-in-policy
- firewall local-in-policy6
- firewall multicast-address
- firewall multicast-address6
- firewall multicast-policy
- firewall multicast-policy6
- firewall policy
- firewall policy46
- firewall policy64
- firewall profile-group
- firewall profile-protocol-options
- firewall proxy-address
- firewall proxy-addrgrp
- firewall proxy-policy
- firewall region
- firewall schedule group
- firewall schedule onetime
- firewall schedule recurring
- firewall security-policy
- firewall service category
- firewall service custom
- firewall service group
- firewall shaper per-ip-shaper
- firewall shaper traffic-shaper
- firewall shaping-policy
- firewall shaping-profile
- firewall sniffer
- firewall ssh host-key
- firewall ssh local-ca
- firewall ssh local-key
- firewall ssh setting
- firewall ssl setting
- firewall ssl-server
- firewall ssl-ssh-profile
- firewall traffic-class
- firewall ttl-policy
- firewall vendor-mac
- firewall vip
- firewall vip46
- firewall vip6
- firewall vip64
- firewall vipgrp
- firewall vipgrp46
- firewall vipgrp6
- firewall vipgrp64
- firewall wildcard-fqdn custom
- firewall wildcard-fqdn group
ftp-proxy
- ftp-proxy explicit
icap
- icap profile
- icap server
ips
- ips custom
- ips decoder
- ips global
- ips rule
- ips rule-settings
- ips sensor
- ips settings
- ips view-map
log
- log custom-field
- log disk filter
- log disk setting
- log eventfilter
- log fortianalyzer filter
- log fortianalyzer override-filter
- log fortianalyzer override-setting
- log fortianalyzer setting
- log fortianalyzer-cloud filter
- log fortianalyzer-cloud override-filter
- log fortianalyzer-cloud override-setting
- log fortianalyzer-cloud setting
- log fortianalyzer2 filter
- log fortianalyzer2 override-filter
- log fortianalyzer2 override-setting
- log fortianalyzer2 setting
- log fortianalyzer3 filter
- log fortianalyzer3 override-filter
- log fortianalyzer3 override-setting
- log fortianalyzer3 setting
- log fortiguard filter
- log fortiguard override-filter
- log fortiguard override-setting
- log fortiguard setting
- log gui-display
- log memory filter
- log memory global-setting
- log memory setting
- log null-device filter
- log null-device setting
- log setting
- log syslogd filter
- log syslogd override-filter
- log syslogd override-setting
- log syslogd setting
- log syslogd2 filter
- log syslogd2 override-filter
- log syslogd2 override-setting
- log syslogd2 setting
- log syslogd3 filter
- log syslogd3 override-filter
- log syslogd3 override-setting
- log syslogd3 setting
- log syslogd4 filter
- log syslogd4 override-filter
- log syslogd4 override-setting
- log syslogd4 setting
- log threat-weight
- log webtrends filter
- log webtrends setting
monitoring
- monitoring np6-ipsec-engine
report
- report chart
- report dataset
- report layout
- report setting
- report style
- report theme
router
- router access-list
- router access-list6
- router aspath-list
- router auth-path
- router bfd
- router bfd6
- router bgp
- router community-list
- router isis
- router key-chain
- router multicast
- router multicast-flow
- router multicast6
- router ospf
- router ospf6
- router policy
- router policy6
- router prefix-list
- router prefix-list6
- router rip
- router ripng
- router route-map
- router setting
- router static
- router static6
ssh-filter
- ssh-filter profile
switch-controller
- switch-controller auto-config custom
- switch-controller auto-config default
- switch-controller auto-config policy
- switch-controller custom-command
- switch-controller global
- switch-controller initial-config template
- switch-controller initial-config vlans
- switch-controller lldp-profile
- switch-controller lldp-settings
- switch-controller location
- switch-controller mac-policy
- switch-controller managed-switch
- switch-controller nac-device
- switch-controller nac-settings
- switch-controller port-policy
- switch-controller ptp policy
- switch-controller qos dot1p-map
- switch-controller qos ip-dscp-map
- switch-controller qos qos-policy
- switch-controller qos queue-policy
- switch-controller remote-log
- switch-controller security-policy 802-1X
- switch-controller security-policy local-access
- switch-controller snmp-community
- switch-controller snmp-user
- switch-controller storm-control-policy
- switch-controller stp-instance
- switch-controller stp-settings
- switch-controller switch-group
- switch-controller switch-interface-tag
- switch-controller switch-profile
- switch-controller system
- switch-controller traffic-policy
- switch-controller virtual-port-pool
- switch-controller vlan-policy
system
- system 3g-modem custom
- system accprofile
- system admin
- system alarm
- system alias
- system api-user
- system arp-table
- system auto-install
- system auto-script
- system automation-action
- system automation-destination
- system automation-stitch
- system automation-trigger
- system autoupdate push-update
- system autoupdate schedule
- system autoupdate tunneling
- system central-management
- system cluster-sync
- system console
- system csf
- system custom-language
- system ddns
- system dedicated-mgmt
- system dhcp server
- system dhcp6 server
- system dns
- system dns-database
- system dns-server
- system dscp-based-priority
- system email-server
- system external-resource
- system fips-cc
- system fortiguard
- system fortimanager
- system fortisandbox
- system fsso-polling
- system ftm-push
- system geneve
- system geoip-country
- system geoip-override
- system global
- system gre-tunnel
- system ha
- system ha-monitor
- system interface
- system ipip-tunnel
- system ips
- system ips-urlfilter-dns
- system ips-urlfilter-dns6
- system ipsec-aggregate
- system ipv6-neighbor-cache
- system ipv6-tunnel
- system isf-queue-profile
- system link-monitor
- system lldp network-policy
- system lte-modem
- system mac-address-table
- system mobile-tunnel
- system modem
- system nat64
- system nd-proxy
- system netflow
- system network-visibility
- system np6
- system npu
- system ntp
- system object-tagging
- system password-policy
- system password-policy-guest-admin
- system pppoe-interface
- system probe-response
- system proxy-arp
- system ptp
- system replacemsg admin
- system replacemsg alertmail
- system replacemsg auth
- system replacemsg fortiguard-wf
- system replacemsg ftp
- system replacemsg http
- system replacemsg icap
- system replacemsg mail
- system replacemsg nac-quar
- system replacemsg spam
- system replacemsg sslvpn
- system replacemsg traffic-quota
- system replacemsg utm
- system replacemsg webproxy
- system replacemsg-group
- system replacemsg-image
- system resource-limits
- system saml
- system sdn-connector
- system sdwan
- system session-helper
- system session-ttl
- system settings
- system sflow
- system sit-tunnel
- system sms-server
- system snmp community
- system snmp sysinfo
- system snmp user
- system speed-test-server
- system sso-admin
- system standalone-cluster
- system storage
- system switch-interface
- system tos-based-priority
- system vdom
- system vdom-dns
- system vdom-exception
- system vdom-link
- system vdom-netflow
- system vdom-property
- system vdom-radius-server
- system vdom-sflow
- system virtual-wire-pair
- system vne-tunnel
- system vxlan
- system wccp
- system zone
user
- user adgrp
- user domain-controller
- user exchange
- user fortitoken
- user fsso
- user fsso-polling
- user group
- user krb-keytab
- user ldap
- user local
- user nac-policy
- user password-policy
- user peer
- user peergrp
- user pop3
- user radius
- user saml
- user security-exempt-list
- user setting
- user tacacs+
voip
- voip profile
vpn
- vpn certificate ca
- vpn certificate crl
- vpn certificate local
- vpn certificate ocsp-server
- vpn certificate remote
- vpn certificate setting
- vpn ipsec concentrator
- vpn ipsec forticlient
- vpn ipsec manualkey
- vpn ipsec manualkey-interface
- vpn ipsec phase1
- vpn ipsec phase1-interface
- vpn ipsec phase2
- vpn ipsec phase2-interface
- vpn l2tp
- vpn ocvpn
- vpn pptp
- vpn ssl settings
- vpn ssl web host-check-software
- vpn ssl web portal
- vpn ssl web realm
- vpn ssl web user-bookmark
- vpn ssl web user-group-bookmark
waf
- waf main-class
- waf profile
- waf signature
- waf sub-class
wanopt
- wanopt auth-group
- wanopt cache-service
- wanopt content-delivery-network-rule
- wanopt peer
- wanopt profile
- wanopt remote-storage
- wanopt settings
- wanopt webcache
web-proxy
- web-proxy debug-url
- web-proxy explicit
- web-proxy forward-server
- web-proxy forward-server-group
- web-proxy global
- web-proxy profile
- web-proxy url-match
- web-proxy wisp
webfilter
- webfilter content
- webfilter content-header
- webfilter fortiguard
- webfilter ftgd-local-cat
- webfilter ftgd-local-rating
- webfilter ips-urlfilter-cache-setting
- webfilter ips-urlfilter-setting
- webfilter ips-urlfilter-setting6
- webfilter override
- webfilter profile
- webfilter search-engine
- webfilter urlfilter
wireless-controller
- wireless-controller access-control-list
- wireless-controller address
- wireless-controller addrgrp
- wireless-controller ap-status
- wireless-controller apcfg-profile
- wireless-controller arrp-profile
- wireless-controller ble-profile
- wireless-controller bonjour-profile
- wireless-controller global
- wireless-controller hotspot20 anqp-3gpp-cellular
- wireless-controller hotspot20 anqp-ip-address-type
- wireless-controller hotspot20 anqp-nai-realm
- wireless-controller hotspot20 anqp-network-auth-type
- wireless-controller hotspot20 anqp-roaming-consortium
- wireless-controller hotspot20 anqp-venue-name
- wireless-controller hotspot20 h2qp-conn-capability
- wireless-controller hotspot20 h2qp-operator-name
- wireless-controller hotspot20 h2qp-osu-provider
- wireless-controller hotspot20 h2qp-wan-metric
- wireless-controller hotspot20 hs-profile
- wireless-controller hotspot20 icon
- wireless-controller hotspot20 qos-map
- wireless-controller inter-controller
- wireless-controller log
- wireless-controller mpsk-profile
- wireless-controller qos-profile
- wireless-controller region
- wireless-controller setting
- wireless-controller snmp
- wireless-controller timers
- wireless-controller utm-profile
- wireless-controller vap
- wireless-controller vap-group
- wireless-controller wag-profile
- wireless-controller wids-profile
- wireless-controller wtp
- wireless-controller wtp-group
- wireless-controller wtp-profile

Home FortiGate / FortiOS 6.4.3 CLI Reference

6.4.3

firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

  config firewall ssl-ssh-profile
      Description: Configure SSL/SSH protocol options.
      edit <name>
          set comment {var-string}
          config ssl
              Description: Configure SSL options.
              set inspect-all [disable|certificate-inspection|...]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config https
              Description: Configure HTTPS options.
              set ports {integer}
              set status [disable|certificate-inspection|...]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ftps
              Description: Configure FTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config imaps
              Description: Configure IMAPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config pop3s
              Description: Configure POP3S options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config smtps
              Description: Configure SMTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ssh
              Description: Configure SSH options.
              set ports {integer}
              set status [disable|deep-inspection]
              set inspect-all [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set unsupported-version [bypass|block]
              set ssh-tun-policy-check [disable|enable]
              set ssh-algorithm [compatible|high-encryption]
          end
          set whitelist [enable|disable]
          set block-blacklisted-certificates [disable|enable]
          config ssl-exempt
              Description: Servers to exempt from SSL inspection.
              edit <id>
                  set type [fortiguard-category|address|...]
                  set fortiguard-category {integer}
                  set address {string}
                  set address6 {string}
                  set wildcard-fqdn {string}
                  set regex {string}
              next
          end
          set server-cert-mode [re-sign|replace]
          set use-ssl-server [disable|enable]
          set caname {string}
          set untrusted-caname {string}
          set server-cert {string}
          config ssl-server
              Description: SSL server settings used for client certificate request.
              edit <id>
                  set ip {ipv4-address-any}
                  set https-client-certificate [bypass|inspect|...]
                  set smtps-client-certificate [bypass|inspect|...]
                  set pop3s-client-certificate [bypass|inspect|...]
                  set imaps-client-certificate [bypass|inspect|...]
                  set ftps-client-certificate [bypass|inspect|...]
                  set ssl-other-client-certificate [bypass|inspect|...]
              next
          end
          set ssl-anomalies-log [disable|enable]
          set ssl-exemptions-log [disable|enable]
          set ssl-negotiation-log [disable|enable]
          set rpc-over-https [enable|disable]
          set mapi-over-https [enable|disable]
      next
  end

config firewall ssl-ssh-profile

Parameter Name	Description	Type	Size
comment	Optional comments.	var-string	Maximum length: 255
whitelist	Enable/disable exempting servers by FortiGuard whitelist. enable: Enable setting. disable: Disable setting.	option	-
block-blacklisted-certificates	Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. disable: Disable FortiGuard certificate blacklist. enable: Enable FortiGuard certificate blacklist.	option	-
server-cert-mode	Re-sign or replace the server's certificate. re-sign: Multiple clients connecting to multiple servers. replace: Protect an SSL server.	option	-
use-ssl-server	Enable/disable the use of SSL server table for SSL offloading. disable: Don't use SSL server configuration. enable: Use SSL server configuration.	option	-
caname	CA certificate used by SSL Inspection.	string	Maximum length: 35
untrusted-caname	Untrusted CA certificate used by SSL Inspection.	string	Maximum length: 35
server-cert	Certificate used by SSL Inspection to replace server certificate.	string	Maximum length: 35
ssl-anomalies-log	Enable/disable logging SSL anomalies. disable: Disable logging SSL anomalies. enable: Enable logging SSL anomalies.	option	-
ssl-exemptions-log	Enable/disable logging SSL exemptions. disable: Disable logging SSL exemptions. enable: Enable logging SSL exemptions.	option	-
ssl-negotiation-log	Enable/disable logging SSL negotiation. disable: Disable logging SSL negotiation. enable: Enable logging SSL negotiation.	option	-
rpc-over-https	Enable/disable inspection of RPC over HTTPS. enable: Enable inspection of RPC over HTTPS. disable: Disable inspection of RPC over HTTPS.	option	-
mapi-over-https	Enable/disable inspection of MAPI over HTTPS. enable: Enable inspection of MAPI over HTTPS. disable: Disable inspection of MAPI over HTTPS.	option	-

config ssl

Parameter Name	Description	Type	Size
inspect-all	Level of SSL inspection. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config https

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config ftps

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config imaps

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config pop3s

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config smtps

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config ssh

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
inspect-all	Level of SSL inspection. disable: Disable. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
unsupported-version	Action based on SSH version being unsupported. bypass: Bypass the session. block: Block the session.	option	-
ssh-tun-policy-check	Enable/disable SSH tunnel policy check. disable: Disable SSH tunnel policy check. enable: Enable SSH tunnel policy check.	option	-
ssh-algorithm	Relative strength of encryption algorithms accepted during negotiation. compatible: Allow a broader set of encryption algorithms for best compatibility. high-encryption: Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.	option	-

config ssl-exempt

Parameter Name	Description	Type	Size
type	Type of address object (IPv4 or IPv6) or FortiGuard category. fortiguard-category: FortiGuard category. address: Firewall IPv4 address. address6: Firewall IPv6 address. wildcard-fqdn: Fully Qualified Domain Name with wildcard characters. regex: Regular expression FQDN.	option	-
fortiguard-category	FortiGuard category ID.	integer	Minimum value: 0 Maximum value: 255
address	IPv4 address object.	string	Maximum length: 79
address6	IPv6 address object.	string	Maximum length: 79
wildcard-fqdn	Exempt servers by wildcard FQDN.	string	Maximum length: 79
regex	Exempt servers by regular expression.	string	Maximum length: 255

config ssl-server

Parameter Name	Description	Type	Size
ip	IPv4 address of the SSL server.	ipv4-address-any	Not Specified
https-client-certificate	Action based on received client certificate during the HTTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
smtps-client-certificate	Action based on received client certificate during the SMTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
pop3s-client-certificate	Action based on received client certificate during the POP3S handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
imaps-client-certificate	Action based on received client certificate during the IMAPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
ftps-client-certificate	Action based on received client certificate during the FTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
ssl-other-client-certificate	Action based on received client certificate during an SSL protocol handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-

Configure SSL/SSH protocol options.

  config firewall ssl-ssh-profile
      Description: Configure SSL/SSH protocol options.
      edit <name>
          set comment {var-string}
          config ssl
              Description: Configure SSL options.
              set inspect-all [disable|certificate-inspection|...]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config https
              Description: Configure HTTPS options.
              set ports {integer}
              set status [disable|certificate-inspection|...]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ftps
              Description: Configure FTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config imaps
              Description: Configure IMAPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config pop3s
              Description: Configure POP3S options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config smtps
              Description: Configure SMTPS options.
              set ports {integer}
              set status [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set client-certificate [bypass|inspect|...]
              set unsupported-ssl-cipher [allow|block]
              set unsupported-ssl-negotiation [allow|block]
              set expired-server-cert [allow|block|...]
              set revoked-server-cert [allow|block|...]
              set untrusted-server-cert [allow|block|...]
              set cert-validation-timeout [allow|block|...]
              set cert-validation-failure [allow|block|...]
              set sni-server-cert-check [enable|strict|...]
          end
          config ssh
              Description: Configure SSH options.
              set ports {integer}
              set status [disable|deep-inspection]
              set inspect-all [disable|deep-inspection]
              set proxy-after-tcp-handshake [enable|disable]
              set unsupported-version [bypass|block]
              set ssh-tun-policy-check [disable|enable]
              set ssh-algorithm [compatible|high-encryption]
          end
          set whitelist [enable|disable]
          set block-blacklisted-certificates [disable|enable]
          config ssl-exempt
              Description: Servers to exempt from SSL inspection.
              edit <id>
                  set type [fortiguard-category|address|...]
                  set fortiguard-category {integer}
                  set address {string}
                  set address6 {string}
                  set wildcard-fqdn {string}
                  set regex {string}
              next
          end
          set server-cert-mode [re-sign|replace]
          set use-ssl-server [disable|enable]
          set caname {string}
          set untrusted-caname {string}
          set server-cert {string}
          config ssl-server
              Description: SSL server settings used for client certificate request.
              edit <id>
                  set ip {ipv4-address-any}
                  set https-client-certificate [bypass|inspect|...]
                  set smtps-client-certificate [bypass|inspect|...]
                  set pop3s-client-certificate [bypass|inspect|...]
                  set imaps-client-certificate [bypass|inspect|...]
                  set ftps-client-certificate [bypass|inspect|...]
                  set ssl-other-client-certificate [bypass|inspect|...]
              next
          end
          set ssl-anomalies-log [disable|enable]
          set ssl-exemptions-log [disable|enable]
          set ssl-negotiation-log [disable|enable]
          set rpc-over-https [enable|disable]
          set mapi-over-https [enable|disable]
      next
  end

config firewall ssl-ssh-profile

Parameter Name	Description	Type	Size
comment	Optional comments.	var-string	Maximum length: 255
whitelist	Enable/disable exempting servers by FortiGuard whitelist. enable: Enable setting. disable: Disable setting.	option	-
block-blacklisted-certificates	Enable/disable blocking SSL-based botnet communication by FortiGuard certificate blacklist. disable: Disable FortiGuard certificate blacklist. enable: Enable FortiGuard certificate blacklist.	option	-
server-cert-mode	Re-sign or replace the server's certificate. re-sign: Multiple clients connecting to multiple servers. replace: Protect an SSL server.	option	-
use-ssl-server	Enable/disable the use of SSL server table for SSL offloading. disable: Don't use SSL server configuration. enable: Use SSL server configuration.	option	-
caname	CA certificate used by SSL Inspection.	string	Maximum length: 35
untrusted-caname	Untrusted CA certificate used by SSL Inspection.	string	Maximum length: 35
server-cert	Certificate used by SSL Inspection to replace server certificate.	string	Maximum length: 35
ssl-anomalies-log	Enable/disable logging SSL anomalies. disable: Disable logging SSL anomalies. enable: Enable logging SSL anomalies.	option	-
ssl-exemptions-log	Enable/disable logging SSL exemptions. disable: Disable logging SSL exemptions. enable: Enable logging SSL exemptions.	option	-
ssl-negotiation-log	Enable/disable logging SSL negotiation. disable: Disable logging SSL negotiation. enable: Enable logging SSL negotiation.	option	-
rpc-over-https	Enable/disable inspection of RPC over HTTPS. enable: Enable inspection of RPC over HTTPS. disable: Disable inspection of RPC over HTTPS.	option	-
mapi-over-https	Enable/disable inspection of MAPI over HTTPS. enable: Enable inspection of MAPI over HTTPS. disable: Disable inspection of MAPI over HTTPS.	option	-

config ssl

Parameter Name	Description	Type	Size
inspect-all	Level of SSL inspection. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config https

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. certificate-inspection: Inspect SSL handshake only. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config ftps

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config imaps

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config pop3s

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config smtps

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
client-certificate	Action based on received client certificate. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
unsupported-ssl-cipher	Action based on the SSL cipher used being unsupported. allow: Bypass the session when the cipher is not supported. block: Block the session when the cipher is not supported.	option	-
unsupported-ssl-negotiation	Action based on the SSL negotiation used being unsupported. allow: Bypass the session when the negotiation is not supported. block: Block the session when the negotiation is not supported.	option	-
expired-server-cert	Action based on server certificate is expired. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
revoked-server-cert	Action based on server certificate is revoked. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
untrusted-server-cert	Action based on server certificate is not issued by a trusted CA. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-timeout	Action based on certificate validation timeout. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
cert-validation-failure	Action based on certificate validation failure. allow: Allow the server certificate. block: Block the session. ignore: Re-sign the server certificate as trusted.	option	-
sni-server-cert-check	Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. enable: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, use the CN in the server certificate to do URL filtering. strict: Check the SNI in the client hello message with the CN or SAN fields in the returned server certificate. If mismatched, close the connection. disable: Do not check the SNI in the client hello message with the CN or SAN fields in the returned server certificate.	option	-

config ssh

Parameter Name	Description	Type	Size
ports	Ports to use for scanning (1 - 65535, default = 443).	integer	Minimum value: 1 Maximum value: 65535
status	Configure protocol inspection status. disable: Disable. deep-inspection: Full SSL inspection.	option	-
inspect-all	Level of SSL inspection. disable: Disable. deep-inspection: Full SSL inspection.	option	-
proxy-after-tcp-handshake	Proxy traffic after the TCP 3-way handshake has been established (not before). enable: Enable setting. disable: Disable setting.	option	-
unsupported-version	Action based on SSH version being unsupported. bypass: Bypass the session. block: Block the session.	option	-
ssh-tun-policy-check	Enable/disable SSH tunnel policy check. disable: Disable SSH tunnel policy check. enable: Enable SSH tunnel policy check.	option	-
ssh-algorithm	Relative strength of encryption algorithms accepted during negotiation. compatible: Allow a broader set of encryption algorithms for best compatibility. high-encryption: Allow only AES-CTR, AES-GCM ciphers and high encryption algorithms.	option	-

config ssl-exempt

Parameter Name	Description	Type	Size
type	Type of address object (IPv4 or IPv6) or FortiGuard category. fortiguard-category: FortiGuard category. address: Firewall IPv4 address. address6: Firewall IPv6 address. wildcard-fqdn: Fully Qualified Domain Name with wildcard characters. regex: Regular expression FQDN.	option	-
fortiguard-category	FortiGuard category ID.	integer	Minimum value: 0 Maximum value: 255
address	IPv4 address object.	string	Maximum length: 79
address6	IPv6 address object.	string	Maximum length: 79
wildcard-fqdn	Exempt servers by wildcard FQDN.	string	Maximum length: 79
regex	Exempt servers by regular expression.	string	Maximum length: 255

config ssl-server

Parameter Name	Description	Type	Size
ip	IPv4 address of the SSL server.	ipv4-address-any	Not Specified
https-client-certificate	Action based on received client certificate during the HTTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
smtps-client-certificate	Action based on received client certificate during the SMTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
pop3s-client-certificate	Action based on received client certificate during the POP3S handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
imaps-client-certificate	Action based on received client certificate during the IMAPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
ftps-client-certificate	Action based on received client certificate during the FTPS handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-
ssl-other-client-certificate	Action based on received client certificate during an SSL protocol handshake. bypass: Bypass the session. inspect: Inspect the session. block: Block the session.	option	-

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

firewall ssl-ssh-profile

Configure SSL/SSH protocol options.

config firewall ssl-ssh-profile

config ssl

config https

config ftps

config imaps

config pop3s

config smtps

config ssh

config ssl-exempt

config ssl-server

firewall ssl-ssh-profile