
CLI Reference

config firewall ssl setting

SSL proxy settings.

config firewall ssl setting
    Description: SSL proxy settings.
    set abbreviate-handshake [enable|disable]
    set cert-cache-capacity {integer}
    set cert-cache-timeout {integer}
    set kxp-queue-threshold {integer}
    set no-matching-cipher-action [bypass|drop]
    set proxy-connect-timeout {integer}
    set session-cache-capacity {integer}
    set session-cache-timeout {integer}
    set ssl-dh-bits [768|1024|...]
    set ssl-queue-threshold {integer}
    set ssl-send-empty-frags [enable|disable]
end

config firewall ssl setting

Parameter / Description / Type / Size / Default

abbreviate-handshake
    Description: Enable/disable use of the SSL abbreviated handshake.
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Enable use of the SSL abbreviated handshake.
        disable  Disable use of the SSL abbreviated handshake.

cert-cache-capacity
    Description: Maximum capacity of the host certificate cache.
    Type: integer
    Size: Minimum value: 0, Maximum value: 500
    Default: 200

cert-cache-timeout
    Description: Time limit to keep certificate cache entries.
    Type: integer
    Size: Minimum value: 1, Maximum value: 120
    Default: 10

kxp-queue-threshold *
    Description: Maximum length of the CP KXP queue. When the queue becomes full, the proxy switches cipher functions to the main CPU.
    Type: integer
    Size: Minimum value: 0, Maximum value: 512
    Default: 16

no-matching-cipher-action
    Description: Bypass or drop the connection when no matching cipher is found.
    Type: option
    Size: -
    Default: bypass
    Options:
        bypass   Bypass the connection.
        drop     Drop the connection.

proxy-connect-timeout
    Description: Time limit to make an internal connection to the appropriate proxy process.
    Type: integer
    Size: Minimum value: 1, Maximum value: 60
    Default: 30

session-cache-capacity
    Description: Capacity of the SSL session cache.
    Type: integer
    Size: Minimum value: 0, Maximum value: 1000
    Default: 500

session-cache-timeout
    Description: Time limit to keep SSL session state.
    Type: integer
    Size: Minimum value: 1, Maximum value: 60
    Default: 20

ssl-dh-bits
    Description: Bit-size of the Diffie-Hellman prime.
    Type: option
    Size: -
    Default: 2048
    Options:
        768      768-bit Diffie-Hellman prime.
        1024     1024-bit Diffie-Hellman prime.
        1536     1536-bit Diffie-Hellman prime.
        2048     2048-bit Diffie-Hellman prime.

ssl-queue-threshold *
    Description: Maximum length of the CP SSL queue. When the queue becomes full, the proxy switches cipher functions to the main CPU.
    Type: integer
    Size: Minimum value: 0, Maximum value: 512
    Default: 32

ssl-send-empty-frags
    Description: Enable/disable sending empty fragments to avoid the attack on the CBC IV (for SSL 3.0 and TLS 1.0 only).
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Send empty fragments.
        disable  Do not send empty fragments.

* This parameter may not exist in some models.
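As an added configuration audit example (not part of Fortinet's documentation), the script below parses the "config firewall ssl setting" block out of a FortiOS configuration dump and flags values a reviewer would want to see: an ssl-dh-bits prime below 2048, no-matching-cipher-action left at its bypass default (which lets sessions the proxy cannot negotiate pass through rather than dropping them), and integers outside the documented ranges. The sample configuration text is constructed for illustration; the range table is taken from this reference page.

```python
import re

# Documented integer ranges for "config firewall ssl setting" (from this reference page).
INT_RANGES = {
    "cert-cache-capacity": (0, 500),
    "cert-cache-timeout": (1, 120),
    "kxp-queue-threshold": (0, 512),
    "proxy-connect-timeout": (1, 60),
    "session-cache-capacity": (0, 1000),
    "session-cache-timeout": (1, 60),
    "ssl-queue-threshold": (0, 512),
}

# Constructed sample of a FortiOS config dump (not output from a real device).
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt-lab"
end
config firewall ssl setting
    set ssl-dh-bits 1024
    set no-matching-cipher-action bypass
    set session-cache-timeout 90
    set ssl-send-empty-frags disable
end
"""

def parse_ssl_setting(text):
    """Return the 'set key value' pairs inside the 'config firewall ssl setting' block."""
    block = re.search(r"^config firewall ssl setting\n(.*?)^end", text, re.S | re.M)
    settings = {}
    if not block:
        return settings
    for line in block.group(1).splitlines():
        m = re.match(r"\s*set (\S+) (.+)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings

def audit_ssl_setting(settings):
    """Flag weak or out-of-range values; returns a list of finding strings."""
    findings = []
    dh = int(settings.get("ssl-dh-bits", "2048"))  # 2048 is the documented default
    if dh < 2048:
        findings.append(f"ssl-dh-bits {dh}: Diffie-Hellman prime smaller than 2048 bits")
    # Unset keys keep their default, and the documented default here is bypass.
    if settings.get("no-matching-cipher-action", "bypass") == "bypass":
        findings.append("no-matching-cipher-action bypass: sessions with no matching cipher are not dropped")
    for key, (lo, hi) in INT_RANGES.items():
        if key in settings and not lo <= int(settings[key]) <= hi:
            findings.append(f"{key} {settings[key]}: outside documented range {lo}-{hi}")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl_setting(parse_ssl_setting(SAMPLE_CONFIG)):
        print(finding)
```

Because a FortiOS dump omits parameters left at their defaults, the audit treats a missing key as the documented default value rather than as "unset".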