
CLI Reference

config firewall access-proxy

Configure IPv4 access proxy.

config firewall access-proxy
    Description: Configure IPv4 access proxy.
    edit <name>
        set add-vhost-domain-to-dnsdb [enable|disable]
        config api-gateway
            Description: Set IPv4 API Gateway.
            edit <id>
                set application <name1>, <name2>, ...
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                set http-cookie-age {integer}
                set http-cookie-domain {string}
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-generation {integer}
                set http-cookie-path {string}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set ldb-method [static|round-robin|...]
                set persistence [none|http-cookie]
                config quic
                    Description: QUIC setting.
                    set ack-delay-exponent {integer}
                    set active-connection-id-limit {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set domain {string}
                        set external-auth [enable|disable]
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set http-host {string}
                        set ip {ipv4-address-any}
                        set mappedport {user}
                        set port {integer}
                        set ssh-client-cert {string}
                        set ssh-host-key <name1>, <name2>, ...
                        set ssh-host-key-validation [disable|enable]
                        set status [active|standby|...]
                        set translate-host [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set type [tcp-forwarding|ssh]
                        set weight {integer}
                    next
                end
                set saml-redirect [disable|enable]
                set saml-server {string}
                set service [http|https|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-dh-bits [768|1024|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
                set ssl-vpn-web-portal {string}
                set url-map {string}
                set url-map-type [sub-string|wildcard|...]
                set virtual-host {string}
            next
        end
        config api-gateway6
            Description: Set IPv6 API Gateway.
            edit <id>
                set application <name1>, <name2>, ...
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                set http-cookie-age {integer}
                set http-cookie-domain {string}
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-generation {integer}
                set http-cookie-path {string}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set ldb-method [static|round-robin|...]
                set persistence [none|http-cookie]
                config quic
                    Description: QUIC setting.
                    set ack-delay-exponent {integer}
                    set active-connection-id-limit {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set domain {string}
                        set external-auth [enable|disable]
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set http-host {string}
                        set ip {ipv6-address}
                        set mappedport {user}
                        set port {integer}
                        set ssh-client-cert {string}
                        set ssh-host-key <name1>, <name2>, ...
                        set ssh-host-key-validation [disable|enable]
                        set status [active|standby|...]
                        set translate-host [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set type [tcp-forwarding|ssh]
                        set weight {integer}
                    next
                end
                set saml-redirect [disable|enable]
                set saml-server {string}
                set service [http|https|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-dh-bits [768|1024|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
                set ssl-vpn-web-portal {string}
                set url-map {string}
                set url-map-type [sub-string|wildcard|...]
                set virtual-host {string}
            next
        end
        set auth-portal [disable|enable]
        set auth-virtual-host {string}
        set client-cert [disable|enable]
        set decrypted-traffic-mirror {string}
        set empty-cert-action [accept|block|...]
        set log-blocked-traffic [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-server-max-concurrent-request {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-ttl {integer}
        set user-agent-detect [disable|enable]
        set vip {string}
    next
end

config firewall access-proxy

add-vhost-domain-to-dnsdb
    Enable/disable adding the vhost/domain to the DNS database for the ZTNA DoX tunnel.
    Type: option. Default: disable.
    Options:
        enable     Add a DNS entry for all vhosts used by the access proxy.
        disable    Do not add a DNS entry for all vhosts used by the access proxy.

auth-portal
    Enable/disable the authentication portal.
    Type: option. Default: disable.
    Options:
        disable    Disable the authentication portal.
        enable     Enable the authentication portal.

auth-virtual-host
    Virtual host for the authentication portal.
    Type: string. Maximum length: 79.

client-cert
    Enable/disable requesting a client certificate.
    Type: option. Default: enable.
    Options:
        disable    Do not request a client certificate.
        enable     Request a client certificate.

decrypted-traffic-mirror
    Decrypted traffic mirror.
    Type: string. Maximum length: 35.

empty-cert-action
    Action to take when the client certificate is empty.
    Type: option. Default: block.
    Options:
        accept                 Accept the SSL handshake if the client certificate is empty.
        block                  Block the SSL handshake if the client certificate is empty.
        accept-unmanageable    Accept the SSL handshake only if the endpoint is unmanageable.

log-blocked-traffic
    Enable/disable logging of blocked traffic.
    Type: option. Default: enable.
    Options:
        enable     Log all traffic denied by this access proxy.
        disable    Do not log traffic denied by this access proxy.

name
    Access proxy name.
    Type: string. Maximum length: 79.

svr-pool-multiplex
    Enable/disable server pool multiplexing, which shares connected servers across HTTP, HTTPS, and web-portal API gateways.
    Type: option. Default: enable.
    Options:
        enable     Enable server pool multiplexing (share connected servers).
        disable    Disable server pool multiplexing (do not share connected servers).

svr-pool-server-max-concurrent-request
    Maximum number of concurrent requests that servers in the server pool can handle.
    Type: integer. Range: 0 to 2147483647. Default: 0.

svr-pool-server-max-request
    Maximum number of requests that servers in the server pool handle before disconnecting.
    Type: integer. Range: 0 to 2147483647. Default: 0.

svr-pool-ttl
    Time-to-live in the server pool for idle connections to servers.
    Type: integer. Range: 0 to 2147483647. Default: 15.

user-agent-detect
    Enable/disable detecting the device type from the HTTP User-Agent when no client certificate is provided.
    Type: option. Default: enable.
    Options:
        disable    Do not detect unknown devices by HTTP User-Agent when no client certificate is provided.
        enable     Detect unknown devices by HTTP User-Agent when no client certificate is provided.

vip
    Virtual IP name.
    Type: string. Maximum length: 79.

config api-gateway

application <name>
    SaaS application controlled by this access proxy. <name> is the SaaS application name.
    Type: string. Maximum length: 79.

h2-support
    HTTP/2 support.
    Type: option. Default: enable.
    Options:
        enable     Enable HTTP/2 support.
        disable    Disable HTTP/2 support.

h3-support
    HTTP/3 (QUIC) support.
    Type: option. Default: disable.
    Options:
        enable     Enable HTTP/3 (QUIC) support.
        disable    Disable HTTP/3 (QUIC) support.

http-cookie-age
    Time in minutes that client web browsers should keep a cookie. 0 = no time limit.
    Type: integer. Range: 0 to 525600. Default: 60.

http-cookie-domain
    Domain that HTTP cookie persistence should apply to.
    Type: string. Maximum length: 35.

http-cookie-domain-from-host
    Enable/disable taking the HTTP cookie domain from the HTTP Host field.
    Type: option. Default: disable.
    Options:
        disable    Do not take the cookie domain from the Host field (use the http-cookie-domain setting).
        enable     Take the cookie domain from the Host field.

http-cookie-generation
    Generation of HTTP cookie to be accepted. Changing it invalidates all existing cookies.
    Type: integer. Range: 0 to 4294967295. Default: 0.

http-cookie-path
    Limit HTTP cookie persistence to the specified path.
    Type: string. Maximum length: 35.

http-cookie-share
    Control sharing of cookies across API gateways. same-ip means a cookie from one virtual server can be used by another; disable stops cookie sharing.
    Type: option. Default: same-ip.
    Options:
        disable    Only allow an HTTP cookie to match this API gateway.
        same-ip    Allow an HTTP cookie to match any API gateway with the same IP.

https-cookie-secure
    Enable/disable marking inserted HTTPS cookies as secure (the Secure cookie attribute).
    Type: option. Default: disable.
    Options:
        disable    Do not mark the cookie as secure; it may be shared between an HTTP and an HTTPS connection.
        enable     Mark the inserted cookie as secure; it can only be used on an HTTPS connection.

id
    API gateway ID.
    Type: integer. Range: 0 to 4294967295. Default: 0.

ldb-method
    Method used to distribute sessions to real servers.
    Type: option. Default: static.
    Options:
        static         Distribute to a server based on source IP.
        round-robin    Distribute to servers in round-robin order.
        weighted       Distribute to servers based on weight.
        first-alive    Distribute to the first server that is alive.
        http-host      Distribute to a server based on the Host field in the HTTP header.

persistence
    Configure how to ensure that clients connect to the same server every time they make a request that is part of the same session.
    Type: option. Default: none.
    Options:
        none           No persistence.
        http-cookie    HTTP cookie persistence.

saml-redirect
    Enable/disable SAML redirection after successful authentication.
    Type: option. Default: enable.
    Options:
        disable    Do not support redirection after successful SAML authentication.
        enable     Support redirection after successful SAML authentication.

saml-server
    SAML service provider configuration for VIP authentication.
    Type: string. Maximum length: 35.

service
    Service type.
    Type: option. Default: https.
    Options:
        http              HTTP.
        https             HTTPS.
        tcp-forwarding    TCP forwarding.
        samlsp            SAML SP.
        web-portal        SSL-VPN web portal.
        saas              SaaS.

ssl-algorithm
    Permitted encryption algorithms for the server side of SSL full-mode sessions, by encryption strength.
    Type: option. Default: high.
    Options:
        high      High encryption: allow only AES and ChaCha.
        medium    Medium encryption: allow AES, ChaCha, 3DES, and RC4.
        low       Low encryption: allow AES, ChaCha, 3DES, RC4, and DES.

ssl-dh-bits
    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
    Type: option. Default: 2048.
    Options:
        768     768-bit Diffie-Hellman prime.
        1024    1024-bit Diffie-Hellman prime.
        1536    1536-bit Diffie-Hellman prime.
        2048    2048-bit Diffie-Hellman prime.
        3072    3072-bit Diffie-Hellman prime.
        4096    4096-bit Diffie-Hellman prime.

ssl-max-version
    Highest SSL/TLS version acceptable from a server.
    Type: option. Default: tls-1.3.
    Options: tls-1.0 (TLS 1.0), tls-1.1 (TLS 1.1), tls-1.2 (TLS 1.2), tls-1.3 (TLS 1.3).

ssl-min-version
    Lowest SSL/TLS version acceptable from a server.
    Type: option. Default: tls-1.1.
    Options: tls-1.0 (TLS 1.0), tls-1.1 (TLS 1.1), tls-1.2 (TLS 1.2), tls-1.3 (TLS 1.3).

ssl-renegotiation
    Enable/disable secure renegotiation to comply with RFC 5746.
    Type: option. Default: enable.
    Options:
        enable     Enable secure renegotiation.
        disable    Disable secure renegotiation.

ssl-vpn-web-portal
    SSL-VPN web portal.
    Type: string. Maximum length: 35.

url-map
    URL pattern to match.
    Type: string. Maximum length: 511. Default: /.

url-map-type
    Type of url-map.
    Type: option. Default: sub-string.
    Options:
        sub-string    Match if the URL contains the pattern as a substring.
        wildcard      Match the pattern with wildcards.
        regex         Match the pattern with a regular expression.

virtual-host
    Virtual host.
    Type: string. Maximum length: 79.

config quic

ack-delay-exponent
    ACK delay exponent.
    Type: integer. Range: 1 to 20. Default: 3.

active-connection-id-limit
    Active connection ID limit.
    Type: integer. Range: 1 to 8. Default: 2.

active-migration
    Enable/disable active migration.
    Type: option. Default: disable.
    Options:
        enable     Enable active migration.
        disable    Disable active migration.

grease-quic-bit
    Enable/disable greasing the QUIC bit.
    Type: option. Default: enable.
    Options:
        enable     Enable greasing the QUIC bit.
        disable    Disable greasing the QUIC bit.

max-ack-delay
    Maximum ACK delay in milliseconds.
    Type: integer. Range: 1 to 16383. Default: 25.

max-datagram-frame-size
    Maximum datagram frame size in bytes.
    Type: integer. Range: 1 to 1500. Default: 1500.

max-idle-timeout
    Maximum idle timeout in milliseconds.
    Type: integer. Range: 1 to 60000. Default: 30000.

max-udp-payload-size
    Maximum UDP payload size in bytes.
    Type: integer. Range: 1200 to 1500. Default: 1500.

config realservers

addr-type
    Type of address.
    Type: option. Default: ip.
    Options:
        ip      Standard IPv4 address.
        fqdn    Non-wildcard FQDN address object.

address
    Address or address group of the real server.
    Type: string. Maximum length: 79.

domain
    Wildcard domain name of the real server.
    Type: string. Maximum length: 255.

external-auth
    Enable/disable use of an external browser as the user agent for SAML user authentication.
    Type: option. Default: disable.
    Options:
        enable     Use an external browser as the user agent for SAML user authentication.
        disable    Do not use an external browser as the user agent for SAML user authentication.

health-check
    Enable to check the responsiveness of the real server before forwarding traffic.
    Type: option. Default: disable.
    Options:
        disable    Disable the per-server health check.
        enable     Enable the per-server health check.

health-check-proto
    Protocol of the health check monitor used when polling to determine the server's connectivity status.
    Type: option. Default: ping.
    Options:
        ping           Use PING to test the link with the server.
        http           Use HTTP GET to test the link with the server.
        tcp-connect    Use a full TCP connection to test the link with the server.

holddown-interval
    Enable/disable the holddown timer. The server is considered active and reachable once the holddown period (30 seconds) has expired.
    Type: option. Default: enable.
    Options:
        enable     Enable per-server holddown.
        disable    Disable per-server holddown.

http-host
    HTTP server domain name in the HTTP header.
    Type: string. Maximum length: 63.

id
    Real server ID.
    Type: integer. Range: 0 to 4294967295. Default: 0.

ip
    IPv6 address of the real server (the syntax tree above lists this parameter as ipv4-address-any for config api-gateway).
    Type: ipv6-address. Default: ::.

mappedport
    Port for communicating with the real server.
    Type: user.

port
    Port for communicating with the real server.
    Type: integer. Range: 1 to 65535. Default: 443.

ssh-client-cert
    Access-proxy SSH client certificate profile.
    Type: string. Maximum length: 79.

ssh-host-key <name>
    One or more server host keys. <name> is the server host key name.
    Type: string. Maximum length: 79.

ssh-host-key-validation
    Enable/disable SSH real server host key validation.
    Type: option. Default: disable.
    Options:
        disable    Disable SSH real server host key validation.
        enable     Enable SSH real server host key validation.

status
    Set the status of the real server: active so that it can accept traffic, or standby or disable so that no traffic is sent.
    Type: option. Default: active.
    Options:
        active     Server status active.
        standby    Server status standby.
        disable    Server status disabled.

translate-host
    Enable/disable translation of the hostname/IP from the virtual server to the real server.
    Type: option. Default: enable.
    Options:
        enable     Enable virtual hostname/IP translation.
        disable    Disable virtual hostname/IP translation.

tunnel-encryption
    Tunnel encryption.
    Type: option. Default: disable.
    Options:
        enable     Enable TCP forwarding tunnel encryption.
        disable    Disable TCP forwarding tunnel encryption.

type
    TCP forwarding server type.
    Type: option. Default: tcp-forwarding.
    Options:
        tcp-forwarding    TCP forwarding.
        ssh               SSH.

weight
    Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
    Type: integer. Range: 1 to 255. Default: 1.

config ssl-cipher-suites

cipher
    Cipher suite name.
    Type: option.
    Options (each option selects the cipher suite of the same name):
        TLS-AES-128-GCM-SHA256
        TLS-AES-256-GCM-SHA384
        TLS-CHACHA20-POLY1305-SHA256
        TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
        TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
        TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
        TLS-DHE-RSA-WITH-AES-128-CBC-SHA
        TLS-DHE-RSA-WITH-AES-256-CBC-SHA
        TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
        TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
        TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
        TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
        TLS-DHE-DSS-WITH-AES-128-CBC-SHA
        TLS-DHE-DSS-WITH-AES-256-CBC-SHA
        TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
        TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
        TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
        TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
        TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
        TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
        TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
        TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
        TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
        TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
        TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
        TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
        TLS-RSA-WITH-AES-128-CBC-SHA
        TLS-RSA-WITH-AES-256-CBC-SHA
        TLS-RSA-WITH-AES-128-CBC-SHA256
        TLS-RSA-WITH-AES-128-GCM-SHA256
        TLS-RSA-WITH-AES-256-CBC-SHA256
        TLS-RSA-WITH-AES-256-GCM-SHA384
        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
        TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
        TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
        TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
        TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
        TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
        TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
        TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
        TLS-DHE-RSA-WITH-SEED-CBC-SHA
        TLS-DHE-DSS-WITH-SEED-CBC-SHA
        TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
        TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
        TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
        TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
        TLS-RSA-WITH-SEED-CBC-SHA
        TLS-RSA-WITH-ARIA-128-CBC-SHA256
        TLS-RSA-WITH-ARIA-256-CBC-SHA384
        TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
        TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
        TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
        TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
        TLS-ECDHE-RSA-WITH-RC4-128-SHA
        TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
        TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
        TLS-RSA-WITH-3DES-EDE-CBC-SHA
        TLS-RSA-WITH-RC4-128-MD5
        TLS-RSA-WITH-RC4-128-SHA
        TLS-DHE-RSA-WITH-DES-CBC-SHA
        TLS-DHE-DSS-WITH-DES-CBC-SHA
        TLS-RSA-WITH-DES-CBC-SHA

priority
    SSL/TLS cipher suite priority.
    Type: integer. Range: 0 to 4294967295. Default: 0.

versions
    SSL/TLS versions that the cipher suite can be used with.
    Type: option. Default: tls-1.0 tls-1.1 tls-1.2 tls-1.3.
    Options: tls-1.0 (TLS 1.0), tls-1.1 (TLS 1.1), tls-1.2 (TLS 1.2), tls-1.3 (TLS 1.3).
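
A complete IPv4 access-proxy configuration that ties the parameters above together, added here as a worked example rather than taken from the Fortinet reference. The object names, the VIP (assumed to already exist as an access-proxy type VIP created under config firewall vip), the virtual host and the real-server address are constructed placeholders; lines starting with # are explanatory comments.

```fortios
# Added example: a ZTNA access proxy publishing one internal HTTPS application.
# Names, addresses and the VIP are constructed placeholders.
config firewall access-proxy
    edit "ap-intranet"
        # Assumed: "vip-ztna-intranet" is an existing access-proxy type VIP.
        set vip "vip-ztna-intranet"
        # client-cert defaults to enable and empty-cert-action to block; set them
        # explicitly so a client without a device certificate is refused at the
        # TLS handshake and the refusal is logged.
        set client-cert enable
        set empty-cert-action block
        set log-blocked-traffic enable
        set svr-pool-multiplex enable
        config api-gateway
            edit 1
                set url-map "/"
                set url-map-type sub-string
                set service https
                # Assumed: "vh-intranet" is an existing virtual-host object.
                set virtual-host "vh-intranet"
                set persistence http-cookie
                # https-cookie-secure defaults to disable; enable it so the
                # persistence cookie is never sent over plain HTTP, and keep the
                # cookie bound to this gateway only.
                set https-cookie-secure enable
                set http-cookie-share disable
                # Server-side TLS: raise the floor from the default tls-1.1 and
                # offer only AEAD suites, highest priority first.
                set ssl-min-version tls-1.2
                set ssl-max-version tls-1.3
                set ssl-algorithm high
                set ssl-dh-bits 2048
                set ssl-renegotiation enable
                config ssl-cipher-suites
                    edit 1
                        set cipher TLS-AES-256-GCM-SHA384
                        set versions tls-1.3
                    next
                    edit 2
                        set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
                        set versions tls-1.2
                    next
                    edit 3
                        set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
                        set versions tls-1.2
                    next
                end
                config realservers
                    edit 1
                        set addr-type ip
                        # Constructed documentation address (RFC 5737 range).
                        set ip 192.0.2.10
                        set port 8443
                        # health-check defaults to disable; poll the backend before
                        # forwarding so a dead server drops out of the pool.
                        set health-check enable
                        set health-check-proto tcp-connect
                        set holddown-interval enable
                        set status active
                        set translate-host enable
                        set weight 1
                    next
                end
            next
        end
    next
end
```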

config api-gateway6

Parameter

Description

Type

Size

Default

application <name>

SaaS application controlled by this Access Proxy.

SaaS application name.

string

Maximum length: 79

h2-support

HTTP2 support, default=Enable.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

HTTP3/QUIC support, default=Disable.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-share

Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

id

API Gateway ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

saml-redirect

Enable/disable SAML redirection after successful authentication.

option

-

enable

Option

Description

disable

Do not support redirection after successful SAML authentication.

enable

Support redirection after successful SAML authentication.

saml-server

SAML service provider configuration for VIP authentication.

string

Maximum length: 35

service

Service.

option

-

https

Option

Description

http

HTTP.

https

HTTPS.

tcp-forwarding

TCP-FORWARDING.

samlsp

SAML-SP.

web-portal

VPN-SSL-WEB-PORTAL.

saas

SAAS.

ssl-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

high

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-max-version

Highest SSL/TLS version acceptable from a server.

option

-

tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-min-version

Lowest SSL/TLS version acceptable from a server.

option

-

tls-1.1

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

-

enable

Option

Description

enable

Enable secure renegotiation.

disable

Disable secure renegotiation.

ssl-vpn-web-portal

SSL-VPN web portal.

string

Maximum length: 35

url-map

URL pattern to match.

string

Maximum length: 511

/

url-map-type

Type of url-map.

option

-

sub-string

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

virtual-host

Virtual host.

string

Maximum length: 79

config quic

ack-delay-exponent
    ACK delay exponent.
    Type: integer. Size: Minimum value: 1, Maximum value: 20. Default: 3.

active-connection-id-limit
    Active connection ID limit.
    Type: integer. Size: Minimum value: 1, Maximum value: 8. Default: 2.

active-migration
    Enable/disable active migration.
    Type: option. Default: disable.

grease-quic-bit
    Enable/disable grease QUIC bit.
    Type: option. Default: enable.

max-ack-delay
    Maximum ACK delay in milliseconds.
    Type: integer. Size: Minimum value: 1, Maximum value: 16383. Default: 25.

max-datagram-frame-size
    Maximum datagram frame size in bytes.
    Type: integer. Size: Minimum value: 1, Maximum value: 1500. Default: 1500.

max-idle-timeout
    Maximum idle timeout in milliseconds.
    Type: integer. Size: Minimum value: 1, Maximum value: 60000. Default: 30000.

max-udp-payload-size
    Maximum UDP payload size in bytes.
    Type: integer. Size: Minimum value: 1200, Maximum value: 1500. Default: 1500.

config realservers

addr-type
    Type of address.
    Type: option. Default: ip.

address
    Address or address group of the real server.
    Type: string. Size: Maximum length: 79.

domain
    Wildcard domain name of the real server.
    Type: string. Size: Maximum length: 255.

external-auth
    Enable/disable use of external browser as user-agent for SAML user authentication.
    Type: option. Default: disable.

health-check
    Enable to check the responsiveness of the real server before forwarding traffic.
    Type: option. Default: disable.

health-check-proto
    Protocol of the health check monitor to use when polling to determine the server's connectivity status.
    Type: option. Default: ping.

holddown-interval
    Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).
    Type: option. Default: enable.

http-host
    HTTP server domain name in HTTP header.
    Type: string. Size: Maximum length: 63.

id
    Real server ID.
    Type: integer. Size: Minimum value: 0, Maximum value: 4294967295. Default: 0.

ip
    IPv6 address of the real server.
    Type: ipv6-address. Size: Not Specified. Default: ::

mappedport
    Port for communicating with the real server.
    Type: user. Size: Not Specified.

port
    Port for communicating with the real server.
    Type: integer. Size: Minimum value: 1, Maximum value: 65535. Default: 443.

ssh-client-cert
    Set access-proxy SSH client certificate profile.
    Type: string. Size: Maximum length: 79.

ssh-host-key <name>
    One or more server host keys.
    <name>: Server host key name.
    Type: string. Size: Maximum length: 79.

ssh-host-key-validation
    Enable/disable SSH real server host key validation.
    Type: option. Default: disable.

status
    Set the status of the real server to active so that it can accept traffic, or to standby or disabled so that no traffic is sent.
    Type: option. Default: active.

translate-host
    Enable/disable translation of hostname/IP from virtual server to real server.
    Type: option. Default: enable.

tunnel-encryption
    Tunnel encryption.
    Type: option. Default: disable.

type
    TCP forwarding server type.
    Type: option. Default: tcp-forwarding.

weight
    Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.
    Type: integer. Size: Minimum value: 1, Maximum value: 255. Default: 1.

config ssl-cipher-suites

cipher
    Cipher suite name.
    Type: option.

priority
    SSL/TLS cipher suites priority.
    Type: integer. Size: Minimum value: 0, Maximum value: 4294967295. Default: 0.

versions
    SSL/TLS versions that the cipher suite can be used with.
    Type: option. Default: tls-1.0 tls-1.1 tls-1.2 tls-1.3.

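As an added example for this reference (it is not Fortinet code and is not taken from the page), the following Python script parses the config/edit/set/next/end CLI syntax documented above and audits every api-gateway and api-gateway6 entry of each access proxy against a baseline: ssl-min-version of at least tls-1.2, ssl-dh-bits of at least 2048, ssl-algorithm high, and no cipher suite built on RC4, DES, 3DES, MD5 or static RSA key exchange. The parameter names, option values and defaults are the ones listed on this page; the sample configuration, the proxy names and the baseline thresholds are constructed for the example.

```python
# Added example for this reference page (not Fortinet code; it talks to no device): parse the
# config/edit/set/next/end CLI syntax the page documents and audit each api-gateway's TLS settings.
# Names, values and defaults are the page's; the baseline thresholds below are this example's assumption.
DEFAULTS = {"ssl-min-version": "tls-1.1", "ssl-dh-bits": "2048", "ssl-algorithm": "high",
            "client-cert": "enable", "empty-cert-action": "block"}
TLS_ORDER = ["tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]
WEAK_TOKENS = {"RC4", "DES", "3DES", "MD5"}          # suite-name tokens that fail the baseline
SAMPLE_CONFIG = """
config firewall access-proxy
    edit "ztna-portal"
        config api-gateway
            edit 1
                set ssl-min-version tls-1.2
            next
            edit 2
                set ssl-algorithm low
                set ssl-min-version tls-1.0
                set ssl-dh-bits 1024
                config ssl-cipher-suites
                    edit 1
                        set cipher TLS-RSA-WITH-RC4-128-SHA
                    next
                end
            next
        end
    next
    edit "partner-portal"
        set empty-cert-action accept
        config api-gateway
            edit 1
                set url-map "/"
            next
        end
    next
end
"""  # constructed sample in the page's CLI syntax, not a real device dump

def node():   # one shape for root, tables and entries (`config quic` sets values directly on its table)
    return {"set": {}, "tables": {}, "entries": {}}

def parse_cli(text):
    """Parse FortiOS CLI text into nested node() dicts."""
    stack = [node()]
    for raw in text.splitlines():
        op, _, rest = raw.strip().partition(" ")
        if op == "config":                        # a table, keyed by its name
            stack[-1]["tables"][rest] = child = node()
            stack.append(child)
        elif op == "edit":                        # a table entry, keyed by id or quoted name
            stack[-1]["entries"][rest.strip('"')] = child = node()
            stack.append(child)
        elif op == "set":                         # multi-value options keep their spaces
            key, _, value = rest.partition(" ")
            stack[-1]["set"][key] = value.strip().strip('"')
        elif op in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit ... next/end")
    return stack[0]

def setting(n, key):
    """Effective value: an explicit `set`, else the default documented on this page."""
    return n["set"].get(key, DEFAULTS.get(key))

def weak_cipher_reasons(name):
    """Why a cipher suite name from this page fails the baseline ([] if it passes)."""
    reasons = sorted(WEAK_TOKENS & set(name.split("-")))
    if name.startswith("TLS-RSA-WITH"):           # static RSA key exchange
        reasons.append("no forward secrecy")
    return reasons

def audit_gateway(gw, min_version, min_dh_bits):
    """(issue, detail) pairs for one api-gateway or api-gateway6 entry."""
    issues = []
    if TLS_ORDER.index(setting(gw, "ssl-min-version")) < TLS_ORDER.index(min_version):
        issues.append(("min-version", setting(gw, "ssl-min-version")))
    if int(setting(gw, "ssl-dh-bits")) < min_dh_bits:
        issues.append(("dh-bits", setting(gw, "ssl-dh-bits")))
    if setting(gw, "ssl-algorithm") != "high":    # medium/low admit 3DES, RC4 and DES
        issues.append(("ssl-algorithm", setting(gw, "ssl-algorithm")))
    for suite in gw["tables"].get("ssl-cipher-suites", node())["entries"].values():
        name = suite["set"].get("cipher", "")
        if weak_cipher_reasons(name):
            issues.append(("weak-cipher", name + ": " + ", ".join(weak_cipher_reasons(name))))
    return issues

def audit_access_proxy(config_text, min_version="tls-1.2", min_dh_bits=2048):
    """Findings as (proxy name, gateway path or None, issue, detail) tuples."""
    findings = []
    proxies = parse_cli(config_text)["tables"].get("firewall access-proxy", node())["entries"]
    for pname, proxy in proxies.items():
        # client-cert enable with empty-cert-action accept: the handshake proceeds with no client cert
        if setting(proxy, "client-cert") == "enable" and setting(proxy, "empty-cert-action") == "accept":
            findings.append((pname, None, "empty-cert-accept", "client certificate not required"))
        for table in ("api-gateway", "api-gateway6"):
            for gid, gw in proxy["tables"].get(table, node())["entries"].items():
                for issue, detail in audit_gateway(gw, min_version, min_dh_bits):
                    findings.append((pname, table + "/" + gid, issue, detail))
    return findings
```

Because the audit fills in the page's defaults, the partner-portal gateway is reported even though it sets nothing: an unset ssl-min-version is tls-1.1 on this page, which is below the baseline. The ssl-algorithm check follows the option table above, where medium and low admit 3DES, RC4 and DES regardless of the explicit cipher list, and the cipher check tokenizes the suite names exactly as they are spelled in the cipher table.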
config firewall access-proxy

config firewall access-proxy

Configure IPv4 access proxy.

config firewall access-proxy
    Description: Configure IPv4 access proxy.
    edit <name>
        set add-vhost-domain-to-dnsdb [enable|disable]
        config api-gateway
            Description: Set IPv4 API Gateway.
            edit <id>
                set application <name1>, <name2>, ...
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                set http-cookie-age {integer}
                set http-cookie-domain {string}
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-generation {integer}
                set http-cookie-path {string}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set ldb-method [static|round-robin|...]
                set persistence [none|http-cookie]
                config quic
                    Description: QUIC setting.
                    set ack-delay-exponent {integer}
                    set active-connection-id-limit {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set domain {string}
                        set external-auth [enable|disable]
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set http-host {string}
                        set ip {ipv4-address-any}
                        set mappedport {user}
                        set port {integer}
                        set ssh-client-cert {string}
                        set ssh-host-key <name1>, <name2>, ...
                        set ssh-host-key-validation [disable|enable]
                        set status [active|standby|...]
                        set translate-host [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set type [tcp-forwarding|ssh]
                        set weight {integer}
                    next
                end
                set saml-redirect [disable|enable]
                set saml-server {string}
                set service [http|https|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-dh-bits [768|1024|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
                set ssl-vpn-web-portal {string}
                set url-map {string}
                set url-map-type [sub-string|wildcard|...]
                set virtual-host {string}
            next
        end
        config api-gateway6
            Description: Set IPv6 API Gateway.
            edit <id>
                set application <name1>, <name2>, ...
                set h2-support [enable|disable]
                set h3-support [enable|disable]
                set http-cookie-age {integer}
                set http-cookie-domain {string}
                set http-cookie-domain-from-host [disable|enable]
                set http-cookie-generation {integer}
                set http-cookie-path {string}
                set http-cookie-share [disable|same-ip]
                set https-cookie-secure [disable|enable]
                set ldb-method [static|round-robin|...]
                set persistence [none|http-cookie]
                config quic
                    Description: QUIC setting.
                    set ack-delay-exponent {integer}
                    set active-connection-id-limit {integer}
                    set active-migration [enable|disable]
                    set grease-quic-bit [enable|disable]
                    set max-ack-delay {integer}
                    set max-datagram-frame-size {integer}
                    set max-idle-timeout {integer}
                    set max-udp-payload-size {integer}
                end
                config realservers
                    Description: Select the real servers that this Access Proxy will distribute traffic to.
                    edit <id>
                        set addr-type [ip|fqdn]
                        set address {string}
                        set domain {string}
                        set external-auth [enable|disable]
                        set health-check [disable|enable]
                        set health-check-proto [ping|http|...]
                        set holddown-interval [enable|disable]
                        set http-host {string}
                        set ip {ipv6-address}
                        set mappedport {user}
                        set port {integer}
                        set ssh-client-cert {string}
                        set ssh-host-key <name1>, <name2>, ...
                        set ssh-host-key-validation [disable|enable]
                        set status [active|standby|...]
                        set translate-host [enable|disable]
                        set tunnel-encryption [enable|disable]
                        set type [tcp-forwarding|ssh]
                        set weight {integer}
                    next
                end
                set saml-redirect [disable|enable]
                set saml-server {string}
                set service [http|https|...]
                set ssl-algorithm [high|medium|...]
                config ssl-cipher-suites
                    Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
                    edit <priority>
                        set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                        set versions {option1}, {option2}, ...
                    next
                end
                set ssl-dh-bits [768|1024|...]
                set ssl-max-version [tls-1.0|tls-1.1|...]
                set ssl-min-version [tls-1.0|tls-1.1|...]
                set ssl-renegotiation [enable|disable]
                set ssl-vpn-web-portal {string}
                set url-map {string}
                set url-map-type [sub-string|wildcard|...]
                set virtual-host {string}
            next
        end
        set auth-portal [disable|enable]
        set auth-virtual-host {string}
        set client-cert [disable|enable]
        set decrypted-traffic-mirror {string}
        set empty-cert-action [accept|block|...]
        set log-blocked-traffic [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-server-max-concurrent-request {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-ttl {integer}
        set user-agent-detect [disable|enable]
        set vip {string}
    next
end

config firewall access-proxy

Parameter

Description

Type

Size

Default

add-vhost-domain-to-dnsdb

Enable/disable adding vhost/domain to dnsdb for ztna dox tunnel.

option

-

disable

Option

Description

enable

add dns entry for all vhosts used by access proxy.

disable

Do not add dns entry for all vhosts used by access proxy.

auth-portal

Enable/disable authentication portal.

option

-

disable

Option

Description

disable

Disable authentication portal.

enable

Enable authentication portal.

auth-virtual-host

Virtual host for authentication portal.

string

Maximum length: 79

client-cert

Enable/disable to request client certificate.

option

-

enable

Option

Description

disable

Disable client certificate request.

enable

Enable client certificate request.

decrypted-traffic-mirror

Decrypted traffic mirror.

string

Maximum length: 35

empty-cert-action

Action of an empty client certificate.

option

-

block

Option

Description

accept

Accept the SSL handshake if the client certificate is empty.

block

Block the SSL handshake if the client certificate is empty.

accept-unmanageable

Accept the SSL handshake only if the end-point is unmanageable.

log-blocked-traffic

Enable/disable logging of blocked traffic.

option

-

enable

Option

Description

enable

Log all traffic denied by this access proxy.

disable

Do not log all traffic denied by this access proxy.

name

Access Proxy name.

string

Maximum length: 79

svr-pool-multiplex

Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway.

option

-

enable

Option

Description

enable

Enable server pool multiplexing. Share connected server.

disable

Disable server pool multiplexing. Do not share connected server.

svr-pool-server-max-concurrent-request

Maximum number of concurrent requests that servers in server pool could handle.

integer

Minimum value: 0 Maximum value: 2147483647

0

svr-pool-server-max-request

Maximum number of requests that servers in server pool handle before disconnecting.

integer

Minimum value: 0 Maximum value: 2147483647

0

svr-pool-ttl

Time-to-live in the server pool for idle connections to servers.

integer

Minimum value: 0 Maximum value: 2147483647

15

user-agent-detect

Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

option

-

enable

Option

Description

disable

Disable to detect unknown device by HTTP user-agent if no client certificate provided.

enable

Enable to detect unknown device by HTTP user-agent if no client certificate provided.

vip

Virtual IP name.

string

Maximum length: 79

config api-gateway

Parameter

Description

Type

Size

Default

application <name>

SaaS application controlled by this Access Proxy.

SaaS application name.

string

Maximum length: 79

h2-support

HTTP2 support, default=Enable.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

HTTP3/QUIC support, default=Disable.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-share

Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

id

API Gateway ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

saml-redirect

Enable/disable SAML redirection after successful authentication.

option

-

enable

Option

Description

disable

Do not support redirection after successful SAML authentication.

enable

Support redirection after successful SAML authentication.

saml-server

SAML service provider configuration for VIP authentication.

string

Maximum length: 35

service

Service.

option

-

https

Option

Description

http

HTTP.

https

HTTPS.

tcp-forwarding

TCP-FORWARDING.

samlsp

SAML-SP.

web-portal

VPN-SSL-WEB-PORTAL.

saas

SAAS.

ssl-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

-

high

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-dh-bits

Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-max-version

Highest SSL/TLS version acceptable from a server.

option

-

tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-min-version

Lowest SSL/TLS version acceptable from a server.

option

-

tls-1.1

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

-

enable

Option

Description

enable

Enable secure renegotiation.

disable

Disable secure renegotiation.

ssl-vpn-web-portal

SSL-VPN web portal.

string

Maximum length: 35

url-map

URL pattern to match.

string

Maximum length: 511

/

url-map-type

Type of url-map.

option

-

sub-string

Option

Description

sub-string

Match the pattern if a string contains the sub-string.

wildcard

Match the pattern with wildcards.

regex

Match the pattern with a regular expression.

virtual-host

Virtual host.

string

Maximum length: 79

config quic

Parameter

Description

Type

Size

Default

ack-delay-exponent

ACK delay exponent.

integer

Minimum value: 1 Maximum value: 20

3

active-connection-id-limit

Active connection ID limit.

integer

Minimum value: 1 Maximum value: 8

2

active-migration

Enable/disable active migration.

option

-

disable

Option

Description

enable

Enable active migration.

disable

Disable active migration.

grease-quic-bit

Enable/disable grease QUIC bit.

option

-

enable

Option

Description

enable

Enable grease QUIC bit.

disable

Disable grease QUIC bit.

max-ack-delay

Maximum ACK delay in milliseconds.

integer

Minimum value: 1 Maximum value: 16383

25

max-datagram-frame-size

Maximum datagram frame size in bytes.

integer

Minimum value: 1 Maximum value: 1500

1500

max-idle-timeout

Maximum idle timeout milliseconds.

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes.

integer

Minimum value: 1200 Maximum value: 1500

1500

config realservers

Parameter

Description

Type

Size

Default

addr-type

Type of address.

option

-

ip

Option

Description

ip

Standard IPv4 address.

fqdn

Non-wildcard FQDN address object.

address

Address or address group of the real server.

string

Maximum length: 79

domain

Wildcard domain name of the real server.

string

Maximum length: 255

external-auth

Enable/disable use of external browser as user-agent for SAML user authentication.

option

-

disable

Option

Description

enable

Enable use of external browser as user-agent for SAML user authentication.

disable

Disable use of external browser as user-agent for SAML user authentication.

health-check

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

disable

Option

Description

disable

Disable per server health check.

enable

Enable per server health check.

health-check-proto

Protocol of the health check monitor to use when polling to determine server's connectivity status.

option

-

ping

Option

Description

ping

Use PING to test the link with the server.

http

Use HTTP-GET to test the link with the server.

tcp-connect

Use a full TCP connection to test the link with the server.

holddown-interval

Enable/disable holddown timer. Server will be considered active and reachable once the holddown period has expired (30 seconds).

option

-

enable

Option

Description

enable

Enable per server holddown.

disable

Disable per server holddown.

http-host

HTTP server domain name in HTTP header.

string

Maximum length: 63

id

Real server ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

IPv6 address of the real server.

ipv6-address

Not Specified

::

mappedport

Port for communicating with the real server.

user

Not Specified

port

Port for communicating with the real server.

integer

Minimum value: 1 Maximum value: 65535

443

ssh-client-cert

Set access-proxy SSH client certificate profile.

string

Maximum length: 79

ssh-host-key <name>

One or more server host key.

Server host key name.

string

Maximum length: 79

ssh-host-key-validation

Enable/disable SSH real server host key validation.

option

-

disable

Option

Description

disable

Disable SSH real server host key validation.

enable

Enable SSH real server host key validation.

status

Set the status of the real server to active so that it can accept traffic, or on standby or disabled so no traffic is sent.

option

-

active

Option

Description

active

Server status active.

standby

Server status standby.

disable

Server status disable.

translate-host

Enable/disable translation of hostname/IP from virtual server to real server.

option

-

enable

Option

Description

enable

Enable virtual hostname/IP translation.

disable

Disable virtual hostname/IP translation.

tunnel-encryption

Tunnel encryption.

option

-

disable

Option

Description

enable

Enable tcp forwarding tunnel encryption.

disable

Disable tcp forwarding tunnel encryption.

type

TCP forwarding server type.

option

-

tcp-forwarding

Option

Description

tcp-forwarding

TCP forwarding.

ssh

SSH.

weight

Weight of the real server. If weighted load balancing is enabled, the server with the highest weight gets more connections.

integer

Minimum value: 1 Maximum value: 255

1

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

-

Option

Description

TLS-AES-128-GCM-SHA256

Cipher suite TLS-AES-128-GCM-SHA256.

TLS-AES-256-GCM-SHA384

Cipher suite TLS-AES-256-GCM-SHA384.

TLS-CHACHA20-POLY1305-SHA256

Cipher suite TLS-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256

Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384

Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-AES-128-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.

TLS-RSA-WITH-AES-256-CBC-SHA

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.

TLS-RSA-WITH-AES-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.

TLS-RSA-WITH-AES-128-GCM-SHA256

Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.

TLS-RSA-WITH-AES-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.

TLS-RSA-WITH-AES-256-GCM-SHA384

Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA

Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.

TLS-DHE-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.

TLS-DHE-DSS-WITH-SEED-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.

TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.

TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.

TLS-RSA-WITH-SEED-CBC-SHA

Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.

TLS-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.

TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.

TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.

TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384

Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.

TLS-ECDHE-RSA-WITH-RC4-128-SHA

Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-3DES-EDE-CBC-SHA

Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.

TLS-RSA-WITH-RC4-128-MD5

Cipher suite TLS-RSA-WITH-RC4-128-MD5.

TLS-RSA-WITH-RC4-128-SHA

Cipher suite TLS-RSA-WITH-RC4-128-SHA.

TLS-DHE-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.

TLS-DHE-DSS-WITH-DES-CBC-SHA

Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.

TLS-RSA-WITH-DES-CBC-SHA

Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

0

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

config api-gateway6

Parameter

Description

Type

Size

Default

application <name>

SaaS application controlled by this Access Proxy.

SaaS application name.

string

Maximum length: 79

h2-support

HTTP2 support, default=Enable.

option

-

enable

Option

Description

enable

Enable HTTP2 support.

disable

Disable HTTP2 support.

h3-support

HTTP3/QUIC support, default=Disable.

option

-

disable

Option

Description

enable

Enable HTTP3/QUIC support.

disable

Disable HTTP3/QUIC support.

http-cookie-age

Time in minutes that client web browsers should keep a cookie. Default is 60 minutes. 0 = no time limit.

integer

Minimum value: 0 Maximum value: 525600

60

http-cookie-domain

Domain that HTTP cookie persistence should apply to.

string

Maximum length: 35

http-cookie-domain-from-host

Enable/disable use of HTTP cookie domain from host field in HTTP.

option

-

disable

Option

Description

disable

Disable use of HTTP cookie domain from host field in HTTP (use http-cooke-domain setting).

enable

Enable use of HTTP cookie domain from host field in HTTP.

http-cookie-generation

Generation of HTTP cookie to be accepted. Changing invalidates all existing cookies.

integer

Minimum value: 0 Maximum value: 4294967295

0

http-cookie-path

Limit HTTP cookie persistence to the specified path.

string

Maximum length: 35

http-cookie-share

Control sharing of cookies across API Gateway. Use of same-ip means a cookie from one virtual server can be used by another. Disable stops cookie sharing.

option

-

same-ip

Option

Description

disable

Only allow HTTP cookie to match this API Gateway.

same-ip

Allow HTTP cookie to match any API Gateway with same IP.

https-cookie-secure

Enable/disable verification that inserted HTTPS cookies are secure.

option

-

disable

Option

Description

disable

Do not mark cookie as secure, allow sharing between an HTTP and HTTPS connection.

enable

Mark inserted cookie as secure, cookie can only be used for HTTPS a connection.

id

API Gateway ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ldb-method

Method used to distribute sessions to real servers.

option

-

static

Option

Description

static

Distribute to server based on source IP.

round-robin

Distribute to server based round robin order.

weighted

Distribute to server based on weight.

first-alive

Distribute to the first server that is alive.

http-host

Distribute to server based on host field in HTTP header.

persistence

Configure how to make sure that clients connect to the same server every time they make a request that is part of the same session.

option

-

none

Option

Description

none

None.

http-cookie

HTTP cookie.

saml-redirect

Enable/disable SAML redirection after successful authentication.

option

-

enable

Option

Description

disable

Do not support redirection after successful SAML authentication.

enable

Support redirection after successful SAML authentication.

saml-server

SAML service provider configuration for VIP authentication.

string

Maximum length: 35

service

Service.

option

-

https

Option

Description

http

HTTP.

https

HTTPS.

tcp-forwarding

TCP-FORWARDING.

samlsp

SAML-SP.

web-portal

SSL-VPN web portal.

saas

SaaS.

ssl-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions, by encryption strength. Only high excludes the deprecated 3DES and RC4 ciphers.

option

-

high

Option

Description

high

High encryption. Allow only AES and ChaCha.

medium

Medium encryption. Allow AES, ChaCha, 3DES, and RC4.

low

Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.

ssl-dh-bits

Number of bits in the Diffie-Hellman prime used for the key exchange of RSA-authenticated SSL sessions. Primes smaller than 2048 bits are considered weak and should not be used.

option

-

2048

Option

Description

768

768-bit Diffie-Hellman prime.

1024

1024-bit Diffie-Hellman prime.

1536

1536-bit Diffie-Hellman prime.

2048

2048-bit Diffie-Hellman prime.

3072

3072-bit Diffie-Hellman prime.

4096

4096-bit Diffie-Hellman prime.

ssl-max-version

Highest SSL/TLS version acceptable from a server.

option

-

tls-1.3

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-min-version

Lowest SSL/TLS version acceptable from a server. The default of tls-1.1 still accepts TLS 1.1, which is deprecated along with TLS 1.0 (RFC 8996); set tls-1.2 or higher where the real servers support it.

option

-

tls-1.1

Option

Description

tls-1.0

TLS 1.0.

tls-1.1

TLS 1.1.

tls-1.2

TLS 1.2.

tls-1.3

TLS 1.3.

ssl-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

-

enable

Option

Description

enable

Enable secure renegotiation.

disable

Disable secure renegotiation.

ssl-vpn-web-portal

SSL-VPN web portal.

string

Maximum length: 35

url-map

URL pattern to match.

string

Maximum length: 511

/

url-map-type

Type of url-map.

option

-

sub-string

Option

Description

sub-string

Match if the request URL contains the pattern as a substring.

wildcard

Match the request URL against the pattern using wildcards.

regex

Match the pattern with a regular expression.

virtual-host

Virtual host.

string

Maximum length: 79

config quic

Parameter

Description

Type

Size

Default

ack-delay-exponent

ACK delay exponent.

integer

Minimum value: 1 Maximum value: 20

3

active-connection-id-limit

Active connection ID limit.

integer

Minimum value: 1 Maximum value: 8

2

active-migration

Enable/disable active connection migration.

option

-

disable

grease-quic-bit

Enable/disable greasing of the QUIC bit (RFC 9287).

option

-

enable

max-ack-delay

Maximum ACK delay in milliseconds.

integer

Minimum value: 1 Maximum value: 16383

25

max-datagram-frame-size

Maximum datagram frame size in bytes.

integer

Minimum value: 1 Maximum value: 1500

1500

max-idle-timeout

Maximum idle timeout in milliseconds.

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes.

integer

Minimum value: 1200 Maximum value: 1500

1500

config realservers

Parameter

Description

Type

Size

Default

addr-type

Type of real server address (IP address or FQDN).

option

-

ip

address

Address or address group of the real server.

string

Maximum length: 79

domain

Wildcard domain name of the real server.

string

Maximum length: 255

external-auth

Enable/disable use of external browser as user-agent for SAML user authentication.

option

-

disable

health-check

Enable to check the responsiveness of the real server before forwarding traffic.

option

-

disable

health-check-proto

Protocol of the health check monitor to use when polling to determine server's connectivity status.

option

-

ping

holddown-interval

Enable/disable the holddown timer. With the timer enabled, the server is considered active and reachable only after the holddown period (30 seconds) has expired.

option

-

enable

http-host

Domain name sent to the real server in the HTTP Host header.

string

Maximum length: 63

id

Real server ID.

integer

Minimum value: 0 Maximum value: 4294967295

0

ip

IPv6 address of the real server.

ipv6-address

Not Specified

::

mappedport

Port for communicating with the real server.

user

Not Specified

port

Port for communicating with the real server.

integer

Minimum value: 1 Maximum value: 65535

443

ssh-client-cert

Set access-proxy SSH client certificate profile.

string

Maximum length: 79

ssh-host-key <name>

One or more server host keys.

Server host key name.

string

Maximum length: 79

ssh-host-key-validation

Enable/disable validation of the SSH real server's host key. This is disabled by default, in which case the proxy does not verify the identity of the server it connects to.

option

-

disable

status

Set the status of the real server: active so that it accepts traffic, or standby or disabled so that no traffic is sent to it.

option

-

active

translate-host

Enable/disable translation of hostname/IP from virtual server to real server.

option

-

enable

tunnel-encryption

Enable/disable tunnel encryption.

option

-

disable

type

TCP forwarding server type.

option

-

tcp-forwarding

weight

Weight of the real server. With weighted load balancing, servers with higher weights receive proportionally more connections.

integer

Minimum value: 1 Maximum value: 255

1
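Several of the settings above default to values a hardened deployment should override: ssl-min-version defaults to tls-1.1, ssl-algorithm below high admits 3DES and RC4, ssl-dh-bits can be set as low as 768, https-cookie-secure and ssh-host-key-validation default to disable, and health-check defaults to disable. The following Python script is an added example, not Fortinet code: it parses a FortiOS-style `config firewall access-proxy` dump into nested dicts and reports API gateways and real servers left on the weak defaults listed on this page. The sample configuration, the proxy name zt-proxy, the real server addresses and the ssh-client-cert profile name zt-ssh-ca are constructed for the example, and the severity ratings are the author's own judgement rather than Fortinet's.

```python
import shlex

TLS_ORDER = {"tls-1.0": 0, "tls-1.1": 1, "tls-1.2": 2, "tls-1.3": 3}

# Defaults as listed on this reference page; applied when no 'set' line exists.
GATEWAY_DEFAULTS = {"service": "https", "persistence": "none",
                    "ssl-min-version": "tls-1.1", "ssl-algorithm": "high",
                    "ssl-dh-bits": "2048", "https-cookie-secure": "disable",
                    "http-cookie-share": "same-ip"}
REALSERVER_DEFAULTS = {"health-check": "disable", "ssh-host-key-validation": "disable"}

# Constructed sample, not a real device dump: gateway 1 leans on the weak
# defaults, gateway 2 is hardened, gateway 3 forwards SSH without host key checks.
SAMPLE_CONFIG = """
config firewall access-proxy
    edit "zt-proxy"
        config api-gateway
            edit 1
                set persistence http-cookie
                set ssl-dh-bits 1024
            next
            edit 2
                set persistence http-cookie
                set https-cookie-secure enable
                set http-cookie-share disable
                set ssl-min-version tls-1.2
                set ssl-dh-bits 3072
                config realservers
                    edit 1
                        set ip 10.0.0.6
                        set health-check enable
                    next
                end
            next
            edit 3
                set service tcp-forwarding
                config realservers
                    edit 1
                        set ip 10.0.0.7
                        set port 22
                        set ssh-client-cert "zt-ssh-ca"
                    next
                end
            next
        end
    next
end
"""


def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config'/'edit' open a child
    dict, 'set' stores a string (a list when multi-valued), 'next'/'end' close."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            child = {}
            cur[" ".join(tokens[1:])] = child
            stack.append(cur)
            cur = child
        elif tokens[0] == "set":
            cur[tokens[1]] = tokens[2] if len(tokens) == 3 else tokens[2:]
        elif tokens[0] in ("next", "end"):
            cur = stack.pop()
    return root


def audit_access_proxy(cfg):
    """Return (severity, location, message) tuples for every API gateway."""
    findings = []
    for proxy, pcfg in cfg.get("firewall access-proxy", {}).items():
        for gw_id, gw in pcfg.get("api-gateway", {}).items():
            g = {**GATEWAY_DEFAULTS, **gw}
            where = f"access-proxy {proxy} api-gateway {gw_id}"
            if g["service"] == "https":  # ssl-* settings govern the proxy-to-server TLS leg
                if TLS_ORDER[g["ssl-min-version"]] < TLS_ORDER["tls-1.2"]:
                    findings.append(("HIGH", where, f"ssl-min-version {g['ssl-min-version']} allows deprecated TLS 1.0/1.1"))
                if g["ssl-algorithm"] != "high":
                    findings.append(("HIGH", where, f"ssl-algorithm {g['ssl-algorithm']} allows 3DES/RC4"))
                if int(g["ssl-dh-bits"]) < 2048:
                    findings.append(("HIGH", where, f"ssl-dh-bits {g['ssl-dh-bits']} is below 2048"))
                if g["persistence"] == "http-cookie" and g["https-cookie-secure"] != "enable":
                    findings.append(("MEDIUM", where, "persistence cookie lacks the Secure flag"))
            if g["persistence"] == "http-cookie" and g["http-cookie-share"] == "same-ip":
                findings.append(("LOW", where, "http-cookie-share same-ip: cookie matches any gateway on this IP"))
            for rs_id, rs in gw.get("realservers", {}).items():
                r = {**REALSERVER_DEFAULTS, **rs}
                rwhere = f"{where} realserver {rs_id}"
                if "ssh-client-cert" in r and r["ssh-host-key-validation"] != "enable":
                    findings.append(("HIGH", rwhere, "SSH client cert used without host key validation"))
                if r["health-check"] != "enable":
                    findings.append(("INFO", rwhere, "health-check disabled"))
    return findings


if __name__ == "__main__":
    for sev, where, msg in audit_access_proxy(parse_fortios(SAMPLE_CONFIG)):
        print(f"{sev:6} {where}: {msg}")
```

Feed it the output of `show firewall access-proxy`. Because the defaults are filled in from this page, a gateway that never sets ssl-min-version is still reported; that is exactly the case the raw config text hides, since FortiOS does not print settings left at their default.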

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

-

priority

Priority of this cipher suite in the SSL/TLS cipher suite list.

integer

Minimum value: 0 Maximum value: 4294967295

0

versions

SSL/TLS versions that the cipher suite can be used with.

option

-

tls-1.0 tls-1.1 tls-1.2 tls-1.3