Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    7.2.2
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.0.0
    5.6.0
    5.4.0
    5.2.0
    5.0.0

    config firewall access-proxy6

    config firewall access-proxy6

    Configure IPv6 access proxy.

    config firewall access-proxy6

    Description: Configure IPv6 access proxy.

    edit <name>

    set vip {string}

    set client-cert [disable|enable]

    set user-agent-detect [disable|enable]

    set auth-portal [disable|enable]

    set auth-virtual-host {string}

    set empty-cert-action [accept|block|...]

    set log-blocked-traffic [enable|disable]

    set add-vhost-domain-to-dnsdb [enable|disable]

    set decrypted-traffic-mirror {string}

    config api-gateway

    Description: Set IPv4 API Gateway.

    edit <id>

    set url-map {string}

    set service [http|https|...]

    set ldb-method [static|round-robin|...]

    set virtual-host {string}

    set url-map-type [sub-string|wildcard|...]

    config realservers

    Description: Select the real servers that this Access Proxy will distribute traffic to.

    edit <id>

    set addr-type [ip|fqdn]

    set address {string}

    set ip {ipv4-address-any}

    set domain {string}

    set port {integer}

    set mappedport {user}

    set status [active|standby|...]

    set type [tcp-forwarding|ssh]

    set weight {integer}

    set http-host {string}

    set health-check [disable|enable]

    set health-check-proto [ping|http|...]

    set holddown-interval [enable|disable]

    set ssh-client-cert {string}

    set ssh-host-key-validation [disable|enable]

    set ssh-host-key <name1>, <name2>, ...

    next

    end

    set application <name1>, <name2>, ...

    set persistence [none|http-cookie]

    set http-cookie-domain-from-host [disable|enable]

    set http-cookie-domain {string}

    set http-cookie-path {string}

    set http-cookie-generation {integer}

    set http-cookie-age {integer}

    set http-cookie-share [disable|same-ip]

    set https-cookie-secure [disable|enable]

    set saml-server {string}

    set saml-redirect [disable|enable]

    set ssl-dh-bits [768|1024|...]

    set ssl-algorithm [high|medium|...]

    config ssl-cipher-suites

    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.

    edit <priority>

    set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

    set versions {option1}, {option2}, ...

    next

    end

    set ssl-min-version [tls-1.0|tls-1.1|...]

    set ssl-max-version [tls-1.0|tls-1.1|...]

    set ssl-vpn-web-portal {string}

    next

    end

    config api-gateway6

    Description: Set IPv6 API Gateway.

    edit <id>

    set url-map {string}

    set service [http|https|...]

    set ldb-method [static|round-robin|...]

    set virtual-host {string}

    set url-map-type [sub-string|wildcard|...]

    config realservers

    Description: Select the real servers that this Access Proxy will distribute traffic to.

    edit <id>

    set addr-type [ip|fqdn]

    set address {string}

    set ip {ipv6-address}

    set domain {string}

    set port {integer}

    set mappedport {user}

    set status [active|standby|...]

    set type [tcp-forwarding|ssh]

    set weight {integer}

    set http-host {string}

    set health-check [disable|enable]

    set health-check-proto [ping|http|...]

    set holddown-interval [enable|disable]

    set ssh-client-cert {string}

    set ssh-host-key-validation [disable|enable]

    set ssh-host-key <name1>, <name2>, ...

    next

    end

    set application <name1>, <name2>, ...

    set persistence [none|http-cookie]

    set http-cookie-domain-from-host [disable|enable]

    set http-cookie-domain {string}

    set http-cookie-path {string}

    set http-cookie-generation {integer}

    set http-cookie-age {integer}

    set http-cookie-share [disable|same-ip]

    set https-cookie-secure [disable|enable]

    set saml-server {string}

    set saml-redirect [disable|enable]

    set ssl-dh-bits [768|1024|...]

    set ssl-algorithm [high|medium|...]

    config ssl-cipher-suites

    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.

    edit <priority>

    set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

    set versions {option1}, {option2}, ...

    next

    end

    set ssl-min-version [tls-1.0|tls-1.1|...]

    set ssl-max-version [tls-1.0|tls-1.1|...]

    set ssl-vpn-web-portal {string}

    next

    end

    next

    end

    config firewall access-proxy6

    Parameter

    Description

    Type

    Size

    Default

    vip

    Virtual IP name.

    string

    Not Specified

    client-cert

    Enable/disable to request client certificate.

    option

    -

    enable

    Option

    Description

    disable

    Disable client certificate request.

    enable

    Enable client certificate request.

    user-agent-detect

    Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

    option

    -

    enable

    Option

    Description

    disable

    Disable to detect unknown device by HTTP user-agent if no client certificate provided.

    enable

    Enable to detect unknown device by HTTP user-agent if no client certificate provided.

    auth-portal

    Enable/disable authentication portal.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication portal.

    enable

    Enable authentication portal.

    auth-virtual-host

    Virtual host for authentication portal.

    string

    Not Specified

    empty-cert-action

    Action of an empty client certificate.

    option

    -

    block

    Option

    Description

    accept

    Accept the SSL handshake if the client certificate is empty.

    block

    Block the SSL handshake if the client certificate is empty.

    accept-unmanageable

    Accept the SSL handshake only if the end-point is unmanageable.

    log-blocked-traffic

    Enable/disable logging of blocked traffic.

    option

    -

    disable

    Option

    Description

    enable

    Log all traffic denied by this access proxy.

    disable

    Do not log all traffic denied by this access proxy.

    add-vhost-domain-to-dnsdb

    Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel.

    option

    -

    disable

    Option

    Description

    enable

    add dns entry for all vhosts used by access proxy.

    disable

    Do not add dns entry for all vhosts used by access proxy.

    decrypted-traffic-mirror

    Decrypted traffic mirror.

    string

    Not Specified

    config api-gateway

    Parameter

    Description

    Type

    Size

    Default

    url-map

    URL pattern to match.

    string

    Not Specified

    /

    service

    Service.

    option

    -

    https

    Option

    Description

    http

    HTTP.

    https

    HTTPS.

    tcp-forwarding

    TCP-FORWARDING.

    samlsp

    SAML-SP.

    web-portal

    VPN-SSL-WEB-PORTAL.

    saas

    SAAS.

    ldb-method

    Method used to distribute sessions to real servers.

    option

    -

    static

    Option

    Description

    static

    Distribute to server based on source IP.

    round-robin

    Distribute to server based round robin order.

    weighted

    Distribute to server based on weight.

    first-alive

    Distribute to the first server that is alive.

    http-host

    Distribute to server based on host field in HTTP header.

    virtual-host

    Virtual host.

    string

    Not Specified

    url-map-type

    Type of url-map.

    option

    -

    sub-string

    Option

    Description

    sub-string

    Match the pattern if a string contains the sub-string.

    wildcard

    Match the pattern with wildcards.

    regex

    Match the pattern with a regular expression.

    application <name>

    SaaS application controlled by this Access Proxy.

    SaaS application name.

    string

    Maximum length: 79

    persistence

    Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

    option

    -

    none

    Option

    Description

    none

    None.

    http-cookie

    HTTP cookie.

    http-cookie-domain-from-host

    Enable/disable use of HTTP cookie domain from host field in HTTP.

    option

    -

    disable

    Option

    Description

    disable

    Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

    enable

    Enable use of HTTP cookie domain from host field in HTTP.

    http-cookie-domain

    Domain that HTTP cookie persistence should apply to.

    string

    Not Specified

    http-cookie-path

    Limit HTTP cookie persistence to the specified path.

    string

    Not Specified

    http-cookie-generation

    Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    http-cookie-age

    Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

    integer

    Minimum value: 0 Maximum value: 525600

    60

    http-cookie-share

    Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

    option

    -

    same-ip

    Option

    Description

    disable

    Only allow HTTP cookie to match this API Gateway.

    same-ip

    Allow HTTP cookie to match any API Gateway with same IP.

    https-cookie-secure

    Enable/disable verification that inserted HTTPS cookies are secure.

    option

    -

    disable

    Option

    Description

    disable

    Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

    enable

    Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

    saml-server

    SAML service provider configuration for VIP authentication.

    string

    Not Specified

    saml-redirect

    Enable/disable SAML redirection after successful authentication.

    option

    -

    disable

    Option

    Description

    disable

    Do not support redirection after successful SAML authentication.

    enable

    Support redirection after successful SAML authentication.

    ssl-dh-bits

    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

    option

    -

    2048

    Option

    Description

    768

    768-bit Diffie-Hellman prime.

    1024

    1024-bit Diffie-Hellman prime.

    1536

    1536-bit Diffie-Hellman prime.

    2048

    2048-bit Diffie-Hellman prime.

    3072

    3072-bit Diffie-Hellman prime.

    4096

    4096-bit Diffie-Hellman prime.

    ssl-algorithm

    Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

    option

    -

    high

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    ssl-min-version

    Lowest SSL/TLS version acceptable from a server.

    option

    -

    tls-1.1

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-max-version

    Highest SSL/TLS version acceptable from a server.

    option

    -

    tls-1.3

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-vpn-web-portal

    SSL-VPN web portal.

    string

    Not Specified

    config realservers

    Parameter

    Description

    Type

    Size

    Default

    addr-type

    Type of address.

    option

    -

    ip

    Option

    Description

    ip

    Standard IPv4 address.

    fqdn

    Non-wildcard FQDN address object.

    address

    Address or address group of the real server.

    string

    Not Specified

    ip

    IPv6 address of the real server.

    ipv6-address

    Not Specified

    ::

    domain

    Wildcard domain name of the real server.

    string

    Not Specified

    port

    Port for communicating with the real server.

    integer

    Minimum value: 1 Maximum value: 65535

    443

    mappedport

    Port for communicating with the real server.

    user

    Not Specified

    status

    Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

    option

    -

    active

    Option

    Description

    active

    Server status active.

    standby

    Server status standby.

    disable

    Server status disable.

    type

    TCP forwarding server type.

    option

    -

    tcp-forwarding

    Option

    Description

    tcp-forwarding

    TCP forwarding.

    ssh

    SSH.

    weight

    Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

    integer

    Minimum value: 1 Maximum value: 255

    1

    http-host

    HTTP server domain name in HTTP header.

    string

    Not Specified

    health-check

    Enable to check the responsiveness of the real server before forwarding traffic.

    option

    -

    disable

    Option

    Description

    disable

    Disable per server health check.

    enable

    Enable per server health check.

    health-check-proto

    Protocol of the health check monitor to use when polling to determine server's connectivity status.

    option

    -

    ping

    Option

    Description

    ping

    Use PING to test the link with the server.

    http

    Use HTTP-GET to test the link with the server.

    tcp-connect

    Use a full TCP connection to test the link with the server.

    holddown-interval

    Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).

    option

    -

    enable

    Option

    Description

    enable

    Enable per server holddown.

    disable

    Disable per server holddown.

    ssh-client-cert

    Set access-proxy SSH client certificate profile.

    string

    Not Specified

    ssh-host-key-validation

    Enable/disable SSH real server host key validation.

    option

    -

    disable

    Option

    Description

    disable

    Disable SSH real server host key validation.

    enable

    Enable SSH real server host key validation.

    ssh-host-key <name>

    One or more server host key.

    Server host key name.

    string

    Maximum length: 79

    config ssl-cipher-suites

    Parameter

    Description

    Type

    Size

    Default

    cipher

    Cipher suite name.

    option

    -

    Option

    Description

    TLS-AES-128-GCM-SHA256

    Cipher suite TLS-AES-128-GCM-SHA256.

    TLS-AES-256-GCM-SHA384

    Cipher suite TLS-AES-256-GCM-SHA384.

    TLS-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

    TLS-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

    TLS-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

    TLS-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

    TLS-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

    TLS-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

    TLS-DHE-DSS-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

    TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

    TLS-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

    TLS-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

    TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

    TLS-ECDHE-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-RC4-128-MD5

    Cipher suite TLS-RSA-WITH-RC4-128-MD5.

    TLS-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-RSA-WITH-RC4-128-SHA.

    TLS-DHE-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

    TLS-DHE-DSS-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

    TLS-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

    versions

    SSL/TLS versions that the cipher suite can be used with.

    option

    -

    tls-1.0 tls-1.1 tls-1.2 tls-1.3

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    config api-gateway6

    Parameter

    Description

    Type

    Size

    Default

    url-map

    URL pattern to match.

    string

    Not Specified

    /

    service

    Service.

    option

    -

    https

    Option

    Description

    http

    HTTP.

    https

    HTTPS.

    tcp-forwarding

    TCP-FORWARDING.

    samlsp

    SAML-SP.

    web-portal

    VPN-SSL-WEB-PORTAL.

    saas

    SAAS.

    ldb-method

    Method used to distribute sessions to real servers.

    option

    -

    static

    Option

    Description

    static

    Distribute to server based on source IP.

    round-robin

    Distribute to server based round robin order.

    weighted

    Distribute to server based on weight.

    first-alive

    Distribute to the first server that is alive.

    http-host

    Distribute to server based on host field in HTTP header.

    virtual-host

    Virtual host.

    string

    Not Specified

    url-map-type

    Type of url-map.

    option

    -

    sub-string

    Option

    Description

    sub-string

    Match the pattern if a string contains the sub-string.

    wildcard

    Match the pattern with wildcards.

    regex

    Match the pattern with a regular expression.

    application <name>

    SaaS application controlled by this Access Proxy.

    SaaS application name.

    string

    Maximum length: 79

    persistence

    Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

    option

    -

    none

    Option

    Description

    none

    None.

    http-cookie

    HTTP cookie.

    http-cookie-domain-from-host

    Enable/disable use of HTTP cookie domain from host field in HTTP.

    option

    -

    disable

    Option

    Description

    disable

    Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

    enable

    Enable use of HTTP cookie domain from host field in HTTP.

    http-cookie-domain

    Domain that HTTP cookie persistence should apply to.

    string

    Not Specified

    http-cookie-path

    Limit HTTP cookie persistence to the specified path.

    string

    Not Specified

    http-cookie-generation

    Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    http-cookie-age

    Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

    integer

    Minimum value: 0 Maximum value: 525600

    60

    http-cookie-share

    Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

    option

    -

    same-ip

    Option

    Description

    disable

    Only allow HTTP cookie to match this API Gateway.

    same-ip

    Allow HTTP cookie to match any API Gateway with same IP.

    https-cookie-secure

    Enable/disable verification that inserted HTTPS cookies are secure.

    option

    -

    disable

    Option

    Description

    disable

    Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

    enable

    Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

    saml-server

    SAML service provider configuration for VIP authentication.

    string

    Not Specified

    saml-redirect

    Enable/disable SAML redirection after successful authentication.

    option

    -

    disable

    Option

    Description

    disable

    Do not support redirection after successful SAML authentication.

    enable

    Support redirection after successful SAML authentication.

    ssl-dh-bits

    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

    option

    -

    2048

    Option

    Description

    768

    768-bit Diffie-Hellman prime.

    1024

    1024-bit Diffie-Hellman prime.

    1536

    1536-bit Diffie-Hellman prime.

    2048

    2048-bit Diffie-Hellman prime.

    3072

    3072-bit Diffie-Hellman prime.

    4096

    4096-bit Diffie-Hellman prime.

    ssl-algorithm

    Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

    option

    -

    high

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    ssl-min-version

    Lowest SSL/TLS version acceptable from a server.

    option

    -

    tls-1.1

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-max-version

    Highest SSL/TLS version acceptable from a server.

    option

    -

    tls-1.3

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-vpn-web-portal

    SSL-VPN web portal.

    string

    Not Specified

    config realservers

    Parameter

    Description

    Type

    Size

    Default

    addr-type

    Type of address.

    option

    -

    ip

    address

    Address or address group of the real server.

    string

    Not Specified

    ip

    IPv6 address of the real server.

    ipv6-address

    Not Specified

    ::

    domain

    Wildcard domain name of the real server.

    string

    Not Specified

    port

    Port for communicating with the real server.

    integer

    Minimum value: 1 Maximum value: 65535

    443

    mappedport

    Port for communicating with the real server.

    user

    Not Specified

    status

    Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

    option

    -

    active

    type

    TCP forwarding server type.

    option

    -

    tcp-forwarding

    weight

    Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

    integer

    Minimum value: 1 Maximum value: 255

    1

    http-host

    HTTP server domain name in HTTP header.

    string

    Not Specified

    health-check

    Enable to check the responsiveness of the real server before forwarding traffic.

    option

    -

    disable

    health-check-proto

    Protocol of the health check monitor to use when polling to determine server's connectivity status.

    option

    -

    ping

    holddown-interval

    Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).

    option

    -

    enable

    ssh-client-cert

    Set access-proxy SSH client certificate profile.

    string

    Not Specified

    ssh-host-key-validation

    Enable/disable SSH real server host key validation.

    option

    -

    disable

    ssh-host-key <name>

    One or more server host key.

    Server host key name.

    string

    Maximum length: 79

    config ssl-cipher-suites

    Parameter

    Description

    Type

    Size

    Default

    cipher

    Cipher suite name.

    option

    -

    versions

    SSL/TLS versions that the cipher suite can be used with.

    option

    -

    tls-1.0 tls-1.1 tls-1.2 tls-1.3
    Previous
    Next

    config firewall access-proxy6

    config firewall access-proxy6

    Configure IPv6 access proxy.

    config firewall access-proxy6

    Description: Configure IPv6 access proxy.

    edit <name>

    set vip {string}

    set client-cert [disable|enable]

    set user-agent-detect [disable|enable]

    set auth-portal [disable|enable]

    set auth-virtual-host {string}

    set empty-cert-action [accept|block|...]

    set log-blocked-traffic [enable|disable]

    set add-vhost-domain-to-dnsdb [enable|disable]

    set decrypted-traffic-mirror {string}

    config api-gateway

    Description: Set IPv4 API Gateway.

    edit <id>

    set url-map {string}

    set service [http|https|...]

    set ldb-method [static|round-robin|...]

    set virtual-host {string}

    set url-map-type [sub-string|wildcard|...]

    config realservers

    Description: Select the real servers that this Access Proxy will distribute traffic to.

    edit <id>

    set addr-type [ip|fqdn]

    set address {string}

    set ip {ipv4-address-any}

    set domain {string}

    set port {integer}

    set mappedport {user}

    set status [active|standby|...]

    set type [tcp-forwarding|ssh]

    set weight {integer}

    set http-host {string}

    set health-check [disable|enable]

    set health-check-proto [ping|http|...]

    set holddown-interval [enable|disable]

    set ssh-client-cert {string}

    set ssh-host-key-validation [disable|enable]

    set ssh-host-key <name1>, <name2>, ...

    next

    end

    set application <name1>, <name2>, ...

    set persistence [none|http-cookie]

    set http-cookie-domain-from-host [disable|enable]

    set http-cookie-domain {string}

    set http-cookie-path {string}

    set http-cookie-generation {integer}

    set http-cookie-age {integer}

    set http-cookie-share [disable|same-ip]

    set https-cookie-secure [disable|enable]

    set saml-server {string}

    set saml-redirect [disable|enable]

    set ssl-dh-bits [768|1024|...]

    set ssl-algorithm [high|medium|...]

    config ssl-cipher-suites

    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.

    edit <priority>

    set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

    set versions {option1}, {option2}, ...

    next

    end

    set ssl-min-version [tls-1.0|tls-1.1|...]

    set ssl-max-version [tls-1.0|tls-1.1|...]

    set ssl-vpn-web-portal {string}

    next

    end

    config api-gateway6

    Description: Set IPv6 API Gateway.

    edit <id>

    set url-map {string}

    set service [http|https|...]

    set ldb-method [static|round-robin|...]

    set virtual-host {string}

    set url-map-type [sub-string|wildcard|...]

    config realservers

    Description: Select the real servers that this Access Proxy will distribute traffic to.

    edit <id>

    set addr-type [ip|fqdn]

    set address {string}

    set ip {ipv6-address}

    set domain {string}

    set port {integer}

    set mappedport {user}

    set status [active|standby|...]

    set type [tcp-forwarding|ssh]

    set weight {integer}

    set http-host {string}

    set health-check [disable|enable]

    set health-check-proto [ping|http|...]

    set holddown-interval [enable|disable]

    set ssh-client-cert {string}

    set ssh-host-key-validation [disable|enable]

    set ssh-host-key <name1>, <name2>, ...

    next

    end

    set application <name1>, <name2>, ...

    set persistence [none|http-cookie]

    set http-cookie-domain-from-host [disable|enable]

    set http-cookie-domain {string}

    set http-cookie-path {string}

    set http-cookie-generation {integer}

    set http-cookie-age {integer}

    set http-cookie-share [disable|same-ip]

    set https-cookie-secure [disable|enable]

    set saml-server {string}

    set saml-redirect [disable|enable]

    set ssl-dh-bits [768|1024|...]

    set ssl-algorithm [high|medium|...]

    config ssl-cipher-suites

    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.

    edit <priority>

    set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]

    set versions {option1}, {option2}, ...

    next

    end

    set ssl-min-version [tls-1.0|tls-1.1|...]

    set ssl-max-version [tls-1.0|tls-1.1|...]

    set ssl-vpn-web-portal {string}

    next

    end

    next

    end

    config firewall access-proxy6

    Parameter

    Description

    Type

    Size

    Default

    vip

    Virtual IP name.

    string

    Not Specified

    client-cert

    Enable/disable to request client certificate.

    option

    -

    enable

    Option

    Description

    disable

    Disable client certificate request.

    enable

    Enable client certificate request.

    user-agent-detect

    Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

    option

    -

    enable

    Option

    Description

    disable

    Disable to detect unknown device by HTTP user-agent if no client certificate provided.

    enable

    Enable to detect unknown device by HTTP user-agent if no client certificate provided.

    auth-portal

    Enable/disable authentication portal.

    option

    -

    disable

    Option

    Description

    disable

    Disable authentication portal.

    enable

    Enable authentication portal.

    auth-virtual-host

    Virtual host for authentication portal.

    string

    Not Specified

    empty-cert-action

    Action of an empty client certificate.

    option

    -

    block

    Option

    Description

    accept

    Accept the SSL handshake if the client certificate is empty.

    block

    Block the SSL handshake if the client certificate is empty.

    accept-unmanageable

    Accept the SSL handshake only if the end-point is unmanageable.

    log-blocked-traffic

    Enable/disable logging of blocked traffic.

    option

    -

    disable

    Option

    Description

    enable

    Log all traffic denied by this access proxy.

    disable

    Do not log all traffic denied by this access proxy.

    add-vhost-domain-to-dnsdb

    Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel.

    option

    -

    disable

    Option

    Description

    enable

    add dns entry for all vhosts used by access proxy.

    disable

    Do not add dns entry for all vhosts used by access proxy.

    decrypted-traffic-mirror

    Decrypted traffic mirror.

    string

    Not Specified

    config api-gateway

    Parameter

    Description

    Type

    Size

    Default

    url-map

    URL pattern to match.

    string

    Not Specified

    /

    service

    Service.

    option

    -

    https

    Option

    Description

    http

    HTTP.

    https

    HTTPS.

    tcp-forwarding

    TCP-FORWARDING.

    samlsp

    SAML-SP.

    web-portal

    VPN-SSL-WEB-PORTAL.

    saas

    SAAS.

    ldb-method

    Method used to distribute sessions to real servers.

    option

    -

    static

    Option

    Description

    static

    Distribute to server based on source IP.

    round-robin

    Distribute to server based round robin order.

    weighted

    Distribute to server based on weight.

    first-alive

    Distribute to the first server that is alive.

    http-host

    Distribute to server based on host field in HTTP header.

    virtual-host

    Virtual host.

    string

    Not Specified

    url-map-type

    Type of url-map.

    option

    -

    sub-string

    Option

    Description

    sub-string

    Match the pattern if a string contains the sub-string.

    wildcard

    Match the pattern with wildcards.

    regex

    Match the pattern with a regular expression.

    application <name>

    SaaS application controlled by this Access Proxy.

    SaaS application name.

    string

    Maximum length: 79

    persistence

    Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

    option

    -

    none

    Option

    Description

    none

    None.

    http-cookie

    HTTP cookie.

    http-cookie-domain-from-host

    Enable/disable use of HTTP cookie domain from host field in HTTP.

    option

    -

    disable

    Option

    Description

    disable

    Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

    enable

    Enable use of HTTP cookie domain from host field in HTTP.

    http-cookie-domain

    Domain that HTTP cookie persistence should apply to.

    string

    Not Specified

    http-cookie-path

    Limit HTTP cookie persistence to the specified path.

    string

    Not Specified

    http-cookie-generation

    Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    http-cookie-age

    Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

    integer

    Minimum value: 0 Maximum value: 525600

    60

    http-cookie-share

    Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

    option

    -

    same-ip

    Option

    Description

    disable

    Only allow HTTP cookie to match this API Gateway.

    same-ip

    Allow HTTP cookie to match any API Gateway with same IP.

    https-cookie-secure

    Enable/disable verification that inserted HTTPS cookies are secure.

    option

    -

    disable

    Option

    Description

    disable

    Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

    enable

    Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

    saml-server

    SAML service provider configuration for VIP authentication.

    string

    Not Specified

    saml-redirect

    Enable/disable SAML redirection after successful authentication.

    option

    -

    disable

    Option

    Description

    disable

    Do not support redirection after successful SAML authentication.

    enable

    Support redirection after successful SAML authentication.

    ssl-dh-bits

    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

    option

    -

    2048

    Option

    Description

    768

    768-bit Diffie-Hellman prime.

    1024

    1024-bit Diffie-Hellman prime.

    1536

    1536-bit Diffie-Hellman prime.

    2048

    2048-bit Diffie-Hellman prime.

    3072

    3072-bit Diffie-Hellman prime.

    4096

    4096-bit Diffie-Hellman prime.

    ssl-algorithm

    Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

    option

    -

    high

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    ssl-min-version

    Lowest SSL/TLS version acceptable from a server.

    option

    -

    tls-1.1

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-max-version

    Highest SSL/TLS version acceptable from a server.

    option

    -

    tls-1.3

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-vpn-web-portal

    SSL-VPN web portal.

    string

    Not Specified

    config realservers

    Parameter

    Description

    Type

    Size

    Default

    addr-type

    Type of address.

    option

    -

    ip

    Option

    Description

    ip

    Standard IPv4 address.

    fqdn

    Non-wildcard FQDN address object.

    address

    Address or address group of the real server.

    string

    Not Specified

    ip

    IPv6 address of the real server.

    ipv6-address

    Not Specified

    ::

    domain

    Wildcard domain name of the real server.

    string

    Not Specified

    port

    Port for communicating with the real server.

    integer

    Minimum value: 1 Maximum value: 65535

    443

    mappedport

    Port for communicating with the real server.

    user

    Not Specified

    status

    Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

    option

    -

    active

    Option

    Description

    active

    Server status active.

    standby

    Server status standby.

    disable

    Server status disable.

    type

    TCP forwarding server type.

    option

    -

    tcp-forwarding

    Option

    Description

    tcp-forwarding

    TCP forwarding.

    ssh

    SSH.

    weight

    Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

    integer

    Minimum value: 1 Maximum value: 255

    1

    http-host

    HTTP server domain name in HTTP header.

    string

    Not Specified

    health-check

    Enable to check the responsiveness of the real server before forwarding traffic.

    option

    -

    disable

    Option

    Description

    disable

    Disable per server health check.

    enable

    Enable per server health check.

    health-check-proto

    Protocol of the health check monitor to use when polling to determine server's connectivity status.

    option

    -

    ping

    Option

    Description

    ping

    Use PING to test the link with the server.

    http

    Use HTTP-GET to test the link with the server.

    tcp-connect

    Use a full TCP connection to test the link with the server.

    holddown-interval

    Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).

    option

    -

    enable

    Option

    Description

    enable

    Enable per server holddown.

    disable

    Disable per server holddown.

    ssh-client-cert

    Set access-proxy SSH client certificate profile.

    string

    Not Specified

    ssh-host-key-validation

    Enable/disable SSH real server host key validation.

    option

    -

    disable

    Option

    Description

    disable

    Disable SSH real server host key validation.

    enable

    Enable SSH real server host key validation.

    ssh-host-key <name>

    One or more server host key.

    Server host key name.

    string

    Maximum length: 79

    config ssl-cipher-suites

    Parameter

    Description

    Type

    Size

    Default

    cipher

    Cipher suite name.

    option

    -

    Option

    Description

    TLS-AES-128-GCM-SHA256

    Cipher suite TLS-AES-128-GCM-SHA256.

    TLS-AES-256-GCM-SHA384

    Cipher suite TLS-AES-256-GCM-SHA384.

    TLS-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

    TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

    TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

    TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-AES-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

    TLS-RSA-WITH-AES-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

    TLS-RSA-WITH-AES-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

    TLS-RSA-WITH-AES-128-GCM-SHA256

    Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

    TLS-RSA-WITH-AES-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

    TLS-RSA-WITH-AES-256-GCM-SHA384

    Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

    Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

    TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

    TLS-DHE-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

    TLS-DHE-DSS-WITH-SEED-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

    TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

    TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

    TLS-RSA-WITH-SEED-CBC-SHA

    Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

    TLS-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

    TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

    TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

    TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

    Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

    TLS-ECDHE-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

    TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-3DES-EDE-CBC-SHA

    Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

    TLS-RSA-WITH-RC4-128-MD5

    Cipher suite TLS-RSA-WITH-RC4-128-MD5.

    TLS-RSA-WITH-RC4-128-SHA

    Cipher suite TLS-RSA-WITH-RC4-128-SHA.

    TLS-DHE-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

    TLS-DHE-DSS-WITH-DES-CBC-SHA

    Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

    TLS-RSA-WITH-DES-CBC-SHA

    Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

    versions

    SSL/TLS versions that the cipher suite can be used with.

    option

    -

    tls-1.0 tls-1.1 tls-1.2 tls-1.3

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    config api-gateway6

    Parameter

    Description

    Type

    Size

    Default

    url-map

    URL pattern to match.

    string

    Not Specified

    /

    service

    Service.

    option

    -

    https

    Option

    Description

    http

    HTTP.

    https

    HTTPS.

    tcp-forwarding

    TCP-FORWARDING.

    samlsp

    SAML-SP.

    web-portal

    VPN-SSL-WEB-PORTAL.

    saas

    SAAS.

    ldb-method

    Method used to distribute sessions to real servers.

    option

    -

    static

    Option

    Description

    static

    Distribute to server based on source IP.

    round-robin

    Distribute to server based round robin order.

    weighted

    Distribute to server based on weight.

    first-alive

    Distribute to the first server that is alive.

    http-host

    Distribute to server based on host field in HTTP header.

    virtual-host

    Virtual host.

    string

    Not Specified

    url-map-type

    Type of url-map.

    option

    -

    sub-string

    Option

    Description

    sub-string

    Match the pattern if a string contains the sub-string.

    wildcard

    Match the pattern with wildcards.

    regex

    Match the pattern with a regular expression.

    application <name>

    SaaS application controlled by this Access Proxy.

    SaaS application name.

    string

    Maximum length: 79

    persistence

    Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

    option

    -

    none

    Option

    Description

    none

    None.

    http-cookie

    HTTP cookie.

    http-cookie-domain-from-host

    Enable/disable use of HTTP cookie domain from host field in HTTP.

    option

    -

    disable

    Option

    Description

    disable

    Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

    enable

    Enable use of HTTP cookie domain from host field in HTTP.

    http-cookie-domain

    Domain that HTTP cookie persistence should apply to.

    string

    Not Specified

    http-cookie-path

    Limit HTTP cookie persistence to the specified path.

    string

    Not Specified

    http-cookie-generation

    Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

    integer

    Minimum value: 0 Maximum value: 4294967295

    0

    http-cookie-age

    Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

    integer

    Minimum value: 0 Maximum value: 525600

    60

    http-cookie-share

    Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

    option

    -

    same-ip

    Option

    Description

    disable

    Only allow HTTP cookie to match this API Gateway.

    same-ip

    Allow HTTP cookie to match any API Gateway with same IP.

    https-cookie-secure

    Enable/disable verification that inserted HTTPS cookies are secure.

    option

    -

    disable

    Option

    Description

    disable

    Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

    enable

    Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

    saml-server

    SAML service provider configuration for VIP authentication.

    string

    Not Specified

    saml-redirect

    Enable/disable SAML redirection after successful authentication.

    option

    -

    disable

    Option

    Description

    disable

    Do not support redirection after successful SAML authentication.

    enable

    Support redirection after successful SAML authentication.

    ssl-dh-bits

    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

    option

    -

    2048

    Option

    Description

    768

    768-bit Diffie-Hellman prime.

    1024

    1024-bit Diffie-Hellman prime.

    1536

    1536-bit Diffie-Hellman prime.

    2048

    2048-bit Diffie-Hellman prime.

    3072

    3072-bit Diffie-Hellman prime.

    4096

    4096-bit Diffie-Hellman prime.

    ssl-algorithm

    Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

    option

    -

    high

    Option

    Description

    high

    High encryption. Allow only AES and ChaCha.

    medium

    Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

    low

    Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

    ssl-min-version

    Lowest SSL/TLS version acceptable from a server.

    option

    -

    tls-1.1

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-max-version

    Highest SSL/TLS version acceptable from a server.

    option

    -

    tls-1.3

    Option

    Description

    tls-1.0

    TLS 1.0.

    tls-1.1

    TLS 1.1.

    tls-1.2

    TLS 1.2.

    tls-1.3

    TLS 1.3.

    ssl-vpn-web-portal

    SSL-VPN web portal.

    string

    Not Specified

    config realservers

    Parameter

    Description

    Type

    Size

    Default

    addr-type

    Type of address.

    option

    -

    ip

    address

    Address or address group of the real server.

    string

    Not Specified

    ip

    IPv6 address of the real server.

    ipv6-address

    Not Specified

    ::

    domain

    Wildcard domain name of the real server.

    string

    Not Specified

    port

    Port for communicating with the real server.

    integer

    Minimum value: 1 Maximum value: 65535

    443

    mappedport

    Port for communicating with the real server.

    user

    Not Specified

    status

    Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

    option

    -

    active

    type

    TCP forwarding server type.

    option

    -

    tcp-forwarding

    weight

    Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

    integer

    Minimum value: 1 Maximum value: 255

    1

    http-host

    HTTP server domain name in HTTP header.

    string

    Not Specified

    health-check

    Enable to check the responsiveness of the real server before forwarding traffic.

    option

    -

    disable

    health-check-proto

    Protocol of the health check monitor to use when polling to determine server's connectivity status.

    option

    -

    ping

    holddown-interval

    Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).

    option

    -

    enable

    ssh-client-cert

    Set access-proxy SSH client certificate profile.

    string

    Not Specified

    ssh-host-key-validation

    Enable/disable SSH real server host key validation.

    option

    -

    disable

    ssh-host-key <name>

    One or more server host key.

    Server host key name.

    string

    Maximum length: 79

    config ssl-cipher-suites

    Parameter

    Description

    Type

    Size

    Default

    cipher

    Cipher suite name.

    option

    -

    versions

    SSL/TLS versions that the cipher suite can be used with.

    option

    -

    tls-1.0 tls-1.1 tls-1.2 tls-1.3
    Previous
    Next