config ztna traffic-forward-proxy

Configure ZTNA traffic forward proxy.

config ztna traffic-forward-proxy
    Description: Configure ZTNA traffic forward proxy.
    edit <name>
        set auth-portal [disable|enable]
        set client-cert [disable|enable]
        set comment {var-string}
        set empty-cert-action [accept|block|...]
        set h3-support [enable|disable]
        set interface {string}
        set log-blocked-traffic [enable|disable]
        set port {user}
        config quic
            Description: QUIC setting.
            set ack-delay-exponent {integer}
            set active-connection-id-limit {integer}
            set active-migration [enable|disable]
            set grease-quic-bit [enable|disable]
            set max-ack-delay {integer}
            set max-datagram-frame-size {integer}
            set max-idle-timeout {integer}
            set max-udp-payload-size {integer}
        end
        set ssl-accept-ffdhe-groups [enable|disable]
        set ssl-algorithm [high|medium|...]
        set ssl-certificate <name1>, <name2>, ...
        config ssl-cipher-suites
            Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-client-fallback [disable|enable]
        set ssl-client-rekey-count {integer}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-client-session-state-max {integer}
        set ssl-client-session-state-timeout {integer}
        set ssl-client-session-state-type [disable|time|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-hpkp [disable|enable|...]
        set ssl-hpkp-age {integer}
        set ssl-hpkp-backup {string}
        set ssl-hpkp-include-subdomains [disable|enable]
        set ssl-hpkp-primary {string}
        set ssl-hpkp-report-uri {var-string}
        set ssl-hsts [disable|enable]
        set ssl-hsts-age {integer}
        set ssl-hsts-include-subdomains [disable|enable]
        set ssl-http-location-conversion [enable|disable]
        set ssl-http-match-host [enable|disable]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-mode [half|full]
        set ssl-pfs [require|deny|...]
        set ssl-send-empty-frags [enable|disable]
        set ssl-server-algorithm [high|medium|...]
        config ssl-server-cipher-suites
            Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-server-max-version [ssl-3.0|tls-1.0|...]
        set ssl-server-min-version [ssl-3.0|tls-1.0|...]
        set ssl-server-renegotiation [enable|disable]
        set ssl-server-session-state-max {integer}
        set ssl-server-session-state-timeout {integer}
        set ssl-server-session-state-type [disable|time|...]
        set status [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-server-max-concurrent-request {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-ttl {integer}
        set user-agent-detect [disable|enable]
    next
end

config ztna traffic-forward-proxy

Parameter

Description

Type

Size

Default

auth-portal

Enable/disable authentication portal.

option

disable

Option	Description
disable	Disable authentication portal.
enable	Enable authentication portal.

client-cert

Enable/disable to request client certificate.

option

enable

Option	Description
disable	Disable client certificate request.
enable	Enable client certificate request.

comment

Comment.

var-string

Maximum length: 255

empty-cert-action

Action of an empty client certificate.

option

block

Option	Description
accept	Accept the SSL handshake if the client certificate is empty.
block	Block the SSL handshake if the client certificate is empty.
accept-unmanageable	Accept the SSL handshake only if the end-point is unmanageable.

h3-support

Enable/disable HTTP3/QUIC support (default = disable).

option

disable

Option	Description
enable	Enable HTTP3/QUIC support.
disable	Disable HTTP3/QUIC support.

interface

interface name

string

Maximum length: 15

log-blocked-traffic

Enable/disable logging of blocked traffic.

option

enable

Option	Description
enable	Log all traffic denied by this access proxy.
disable	Do not log all traffic denied by this access proxy.

name

Traffic forward proxy name

string

Maximum length: 79

port

Accept incoming traffic on one or more ports (0 - 65535).

user

Not Specified

ssl-accept-ffdhe-groups

Enable/disable FFDHE cipher suite for SSL key exchange.

option

enable

Option	Description
enable	Accept FFDHE groups.
disable	Do not accept FFDHE groups.

ssl-algorithm

Permitted encryption algorithms for SSL sessions according to encryption strength.

option

high

Option	Description
high	High encryption. Allow only AES and ChaCha.
medium	Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low	Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
custom	Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-certificate <name>

Name of the certificate to use for SSL handshake.

Certificate list.

string

Maximum length: 79

ssl-client-fallback

Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).

option

enable

Option	Description
disable	Disable.
enable	Enable.

ssl-client-rekey-count

Maximum length of data in MB before triggering a client rekey (0 = disable).

integer

Minimum value: 200 Maximum value: 1048576

ssl-client-renegotiation

Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.

option

secure

Option	Description
allow	Allow a SSL client to renegotiate.
deny	Abort any client initiated SSL re-negotiation attempt.
secure	Abort any client initiated SSL re-negotiation attempt that does not use RFC 5746 Secure Renegotiation.

ssl-client-session-state-max

Maximum number of client to FortiProxy SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

1000

ssl-client-session-state-timeout

Number of minutes to keep client to FortiProxy SSL session state.

integer

Minimum value: 1 Maximum value: 14400

ssl-client-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

option

both

Option	Description
disable	Do not keep session states.
time	Expire session states after this many minutes.
count	Expire session states when this maximum is reached.
both	Expire session states based on time or count, whichever occurs first.

ssl-dh-bits

Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).

option

2048

Option	Description
768	768-bit Diffie-Hellman prime.
1024	1024-bit Diffie-Hellman prime.
1536	1536-bit Diffie-Hellman prime.
2048	2048-bit Diffie-Hellman prime.
3072	3072-bit Diffie-Hellman prime.
4096	4096-bit Diffie-Hellman prime.

ssl-hpkp

Enable/disable including HPKP header in response.

option

disable

Option	Description
disable	Do not add a HPKP header to each HTTP response.
enable	Add a HPKP header to each a HTTP response.
report-only	Add a HPKP Report-Only header to each HTTP response.

ssl-hpkp-age

Number of seconds the client should honor the HPKP setting.

integer

Minimum value: 60 Maximum value: 157680000

5184000

ssl-hpkp-backup

Certificate to generate backup HPKP pin from.

string

Maximum length: 79

ssl-hpkp-include-subdomains

Indicate that HPKP header applies to all subdomains.

option

disable

Option	Description
disable	HPKP header does not apply to subdomains.
enable	HPKP header applies to subdomains.

ssl-hpkp-primary

Certificate to generate primary HPKP pin from.

string

Maximum length: 79

ssl-hpkp-report-uri

URL to report HPKP violations to.

var-string

Maximum length: 255

ssl-hsts

Enable/disable including HSTS header in response.

option

disable

Option	Description
disable	Do not add a HSTS header to each a HTTP response.
enable	Add a HSTS header to each HTTP response.

ssl-hsts-age

Number of seconds the client should honor the HSTS setting.

integer

Minimum value: 60 Maximum value: 157680000

5184000

ssl-hsts-include-subdomains

Indicate that HSTS header applies to all subdomains.

option

disable

Option	Description
disable	HSTS header does not apply to subdomains.
enable	HSTS header applies to subdomains.

ssl-http-location-conversion

Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.

option

disable

Option	Description
enable	Enable HTTP location conversion.
disable	Disable HTTP location conversion.

ssl-http-match-host

Enable/disable HTTP host matching for location conversion.

option

enable

Option	Description
enable	Match HTTP host in response header.
disable	Do not match HTTP host.

ssl-max-version

Highest SSL/TLS version acceptable from a client.

option

tls-1.3

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.

ssl-min-version

Lowest SSL/TLS version acceptable from a client.

option

tls-1.1

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.

ssl-mode

Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).

option

half

Option	Description
half	Client to FortiProxy SSL.
full	Client to FortiProxy and FortiProxy to Server SSL.

ssl-pfs

Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

option

require

Option	Description
require	Allow only Diffie-Hellman cipher-suites, so PFS is applied.
deny	Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
allow	Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

ssl-send-empty-frags

Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.

option

enable

Option	Description
enable	Send empty fragments.
disable	Do not send empty fragments.

ssl-server-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

client

Option	Description
high	High encryption. Allow only AES and ChaCha.
medium	Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low	Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
custom	Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.
client	Use the same encryption algorithms for both client and server sessions.

ssl-server-max-version

Highest SSL/TLS version acceptable from a server. Use the client setting by default.

option

client

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.
client	Use same value as client configuration.

ssl-server-min-version

Lowest SSL/TLS version acceptable from a server. Use the client setting by default.

option

client

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.
client	Use same value as client configuration.

ssl-server-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

enable

Option	Description
enable	Enable secure renegotiation.
disable	Disable secure renegotiation.

ssl-server-session-state-max

Maximum number of FortiGate to Server SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

100

ssl-server-session-state-timeout

Number of minutes to keep FortiGate to Server SSL session state.

integer

Minimum value: 1 Maximum value: 14400

ssl-server-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

option

both

Option	Description
disable	Do not keep session states.
time	Expire session states after this many minutes.
count	Expire session states when this maximum is reached.
both	Expire session states based on time or count, whichever occurs first.

status

Enable/disable the traffic forward proxy for ZTNA traffic.

option

disable

Option	Description
enable	Enable the ZTNA traffic forward proxy.
disable	Disable the ZTNA traffic forward proxy.

svr-pool-multiplex

Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway.

option

enable

Option	Description
enable	Enable server pool multiplexing. Share connected server.
disable	Disable server pool multiplexing. Do not share connected server.

svr-pool-server-max-concurrent-request

Maximum number of concurrent requests that servers in server pool could handle (default = unlimited).

integer

Minimum value: 0 Maximum value: 2147483647

svr-pool-server-max-request

Maximum number of requests that servers in server pool handle before disconnecting (default = unlimited).

integer

Minimum value: 0 Maximum value: 2147483647

svr-pool-ttl

Time-to-live in the server pool for idle connections to servers.

integer

Minimum value: 0 Maximum value: 2147483647

user-agent-detect

Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

option

enable

Option	Description
disable	Disable to detect unknown device by HTTP user-agent if no client certificate provided.
enable	Enable to detect unknown device by HTTP user-agent if no client certificate provided.

config quic

Parameter

Description

Type

Size

Default

ack-delay-exponent

ACK delay exponent (1 - 20, default = 3).

integer

Minimum value: 1 Maximum value: 20

active-connection-id-limit

Active connection ID limit (1 - 8, default = 2).

integer

Minimum value: 1 Maximum value: 8

active-migration

Enable/disable active migration (default = disable).

option

disable

Option	Description
enable	Enable active migration.
disable	Disable active migration.

grease-quic-bit

Enable/disable grease QUIC bit (default = enable).

option

enable

Option	Description
enable	Enable grease QUIC bit.
disable	Disable grease QUIC bit.

max-ack-delay

Maximum ACK delay in milliseconds (1 - 16383, default = 25).

integer

Minimum value: 1 Maximum value: 16383

max-datagram-frame-size

Maximum datagram frame size in bytes (1 - 1500, default = 1500).

integer

Minimum value: 1 Maximum value: 1500

1500

max-idle-timeout

Maximum idle timeout milliseconds (1 - 60000, default = 30000).

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes (1200 - 1500, default = 1500).

integer

Minimum value: 1200 Maximum value: 1500

1500

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

Option	Description
TLS-AES-128-GCM-SHA256	Cipher suite TLS-AES-128-GCM-SHA256.
TLS-AES-256-GCM-SHA384	Cipher suite TLS-AES-256-GCM-SHA384.
TLS-CHACHA20-POLY1305-SHA256	Cipher suite TLS-CHACHA20-POLY1305-SHA256.
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-DHE-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
TLS-DHE-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
TLS-DHE-DSS-WITH-AES-128-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
TLS-DHE-DSS-WITH-AES-256-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384	Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
TLS-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
TLS-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
TLS-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
TLS-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
TLS-RSA-WITH-AES-256-CBC-SHA256	Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
TLS-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-RSA-WITH-SEED-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
TLS-DHE-DSS-WITH-SEED-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
TLS-RSA-WITH-SEED-CBC-SHA	Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
TLS-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.
TLS-ECDHE-RSA-WITH-RC4-128-SHA	Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
TLS-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-RSA-WITH-RC4-128-MD5	Cipher suite TLS-RSA-WITH-RC4-128-MD5.
TLS-RSA-WITH-RC4-128-SHA	Cipher suite TLS-RSA-WITH-RC4-128-SHA.
TLS-DHE-RSA-WITH-DES-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
TLS-DHE-DSS-WITH-DES-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
TLS-RSA-WITH-DES-CBC-SHA	Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

versions

SSL/TLS versions that the cipher suite can be used with.

option

ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.

config ssl-server-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

Option	Description
TLS-AES-128-GCM-SHA256	Cipher suite TLS-AES-128-GCM-SHA256.
TLS-AES-256-GCM-SHA384	Cipher suite TLS-AES-256-GCM-SHA384.
TLS-CHACHA20-POLY1305-SHA256	Cipher suite TLS-CHACHA20-POLY1305-SHA256.
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-DHE-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
TLS-DHE-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
TLS-DHE-DSS-WITH-AES-128-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
TLS-DHE-DSS-WITH-AES-256-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384	Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
TLS-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
TLS-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
TLS-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
TLS-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
TLS-RSA-WITH-AES-256-CBC-SHA256	Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
TLS-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-RSA-WITH-SEED-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
TLS-DHE-DSS-WITH-SEED-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
TLS-RSA-WITH-SEED-CBC-SHA	Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
TLS-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.
TLS-ECDHE-RSA-WITH-RC4-128-SHA	Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
TLS-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-RSA-WITH-RC4-128-MD5	Cipher suite TLS-RSA-WITH-RC4-128-MD5.
TLS-RSA-WITH-RC4-128-SHA	Cipher suite TLS-RSA-WITH-RC4-128-SHA.
TLS-DHE-RSA-WITH-DES-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
TLS-DHE-DSS-WITH-DES-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
TLS-RSA-WITH-DES-CBC-SHA	Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

versions

SSL/TLS versions that the cipher suite can be used with.

option

ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.

config ztna traffic-forward-proxy

Configure ZTNA traffic forward proxy.

config ztna traffic-forward-proxy
    Description: Configure ZTNA traffic forward proxy.
    edit <name>
        set auth-portal [disable|enable]
        set client-cert [disable|enable]
        set comment {var-string}
        set empty-cert-action [accept|block|...]
        set h3-support [enable|disable]
        set interface {string}
        set log-blocked-traffic [enable|disable]
        set port {user}
        config quic
            Description: QUIC setting.
            set ack-delay-exponent {integer}
            set active-connection-id-limit {integer}
            set active-migration [enable|disable]
            set grease-quic-bit [enable|disable]
            set max-ack-delay {integer}
            set max-datagram-frame-size {integer}
            set max-idle-timeout {integer}
            set max-udp-payload-size {integer}
        end
        set ssl-accept-ffdhe-groups [enable|disable]
        set ssl-algorithm [high|medium|...]
        set ssl-certificate <name1>, <name2>, ...
        config ssl-cipher-suites
            Description: SSL/TLS cipher suites acceptable from a client, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-client-fallback [disable|enable]
        set ssl-client-rekey-count {integer}
        set ssl-client-renegotiation [allow|deny|...]
        set ssl-client-session-state-max {integer}
        set ssl-client-session-state-timeout {integer}
        set ssl-client-session-state-type [disable|time|...]
        set ssl-dh-bits [768|1024|...]
        set ssl-hpkp [disable|enable|...]
        set ssl-hpkp-age {integer}
        set ssl-hpkp-backup {string}
        set ssl-hpkp-include-subdomains [disable|enable]
        set ssl-hpkp-primary {string}
        set ssl-hpkp-report-uri {var-string}
        set ssl-hsts [disable|enable]
        set ssl-hsts-age {integer}
        set ssl-hsts-include-subdomains [disable|enable]
        set ssl-http-location-conversion [enable|disable]
        set ssl-http-match-host [enable|disable]
        set ssl-max-version [ssl-3.0|tls-1.0|...]
        set ssl-min-version [ssl-3.0|tls-1.0|...]
        set ssl-mode [half|full]
        set ssl-pfs [require|deny|...]
        set ssl-send-empty-frags [enable|disable]
        set ssl-server-algorithm [high|medium|...]
        config ssl-server-cipher-suites
            Description: SSL/TLS cipher suites to offer to a server, ordered by priority.
            edit <priority>
                set cipher [TLS-AES-128-GCM-SHA256|TLS-AES-256-GCM-SHA384|...]
                set versions {option1}, {option2}, ...
            next
        end
        set ssl-server-max-version [ssl-3.0|tls-1.0|...]
        set ssl-server-min-version [ssl-3.0|tls-1.0|...]
        set ssl-server-renegotiation [enable|disable]
        set ssl-server-session-state-max {integer}
        set ssl-server-session-state-timeout {integer}
        set ssl-server-session-state-type [disable|time|...]
        set status [enable|disable]
        set svr-pool-multiplex [enable|disable]
        set svr-pool-server-max-concurrent-request {integer}
        set svr-pool-server-max-request {integer}
        set svr-pool-ttl {integer}
        set user-agent-detect [disable|enable]
    next
end

config ztna traffic-forward-proxy

Parameter

Description

Type

Size

Default

auth-portal

Enable/disable authentication portal.

option

disable

Option	Description
disable	Disable authentication portal.
enable	Enable authentication portal.

client-cert

Enable/disable to request client certificate.

option

enable

Option	Description
disable	Disable client certificate request.
enable	Enable client certificate request.

comment

Comment.

var-string

Maximum length: 255

empty-cert-action

Action of an empty client certificate.

option

block

Option	Description
accept	Accept the SSL handshake if the client certificate is empty.
block	Block the SSL handshake if the client certificate is empty.
accept-unmanageable	Accept the SSL handshake only if the end-point is unmanageable.

h3-support

Enable/disable HTTP3/QUIC support (default = disable).

option

disable

Option	Description
enable	Enable HTTP3/QUIC support.
disable	Disable HTTP3/QUIC support.

interface

interface name

string

Maximum length: 15

log-blocked-traffic

Enable/disable logging of blocked traffic.

option

enable

Option	Description
enable	Log all traffic denied by this access proxy.
disable	Do not log all traffic denied by this access proxy.

name

Traffic forward proxy name

string

Maximum length: 79

port

Accept incoming traffic on one or more ports (0 - 65535).

user

Not Specified

ssl-accept-ffdhe-groups

Enable/disable FFDHE cipher suite for SSL key exchange.

option

enable

Option	Description
enable	Accept FFDHE groups.
disable	Do not accept FFDHE groups.

ssl-algorithm

Permitted encryption algorithms for SSL sessions according to encryption strength.

option

high

Option	Description
high	High encryption. Allow only AES and ChaCha.
medium	Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low	Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
custom	Custom encryption. Use config ssl-cipher-suites to select the cipher suites that are allowed.

ssl-certificate <name>

Name of the certificate to use for SSL handshake.

Certificate list.

string

Maximum length: 79

ssl-client-fallback

Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).

option

enable

Option	Description
disable	Disable.
enable	Enable.

ssl-client-rekey-count

Maximum length of data in MB before triggering a client rekey (0 = disable).

integer

Minimum value: 200 Maximum value: 1048576

ssl-client-renegotiation

Allow, deny, or require secure renegotiation of client sessions to comply with RFC 5746.

option

secure

Option	Description
allow	Allow a SSL client to renegotiate.
deny	Abort any client initiated SSL re-negotiation attempt.
secure	Abort any client initiated SSL re-negotiation attempt that does not use RFC 5746 Secure Renegotiation.

ssl-client-session-state-max

Maximum number of client to FortiProxy SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

1000

ssl-client-session-state-timeout

Number of minutes to keep client to FortiProxy SSL session state.

integer

Minimum value: 1 Maximum value: 14400

ssl-client-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.

option

both

Option	Description
disable	Do not keep session states.
time	Expire session states after this many minutes.
count	Expire session states when this maximum is reached.
both	Expire session states based on time or count, whichever occurs first.

ssl-dh-bits

Bit-size of Diffie-Hellman (DH) prime used in DHE-RSA negotiation (default = 2048).

option

2048

Option	Description
768	768-bit Diffie-Hellman prime.
1024	1024-bit Diffie-Hellman prime.
1536	1536-bit Diffie-Hellman prime.
2048	2048-bit Diffie-Hellman prime.
3072	3072-bit Diffie-Hellman prime.
4096	4096-bit Diffie-Hellman prime.

ssl-hpkp

Enable/disable including HPKP header in response.

option

disable

Option	Description
disable	Do not add a HPKP header to each HTTP response.
enable	Add a HPKP header to each a HTTP response.
report-only	Add a HPKP Report-Only header to each HTTP response.

ssl-hpkp-age

Number of seconds the client should honor the HPKP setting.

integer

Minimum value: 60 Maximum value: 157680000

5184000

ssl-hpkp-backup

Certificate to generate backup HPKP pin from.

string

Maximum length: 79

ssl-hpkp-include-subdomains

Indicate that HPKP header applies to all subdomains.

option

disable

Option	Description
disable	HPKP header does not apply to subdomains.
enable	HPKP header applies to subdomains.

ssl-hpkp-primary

Certificate to generate primary HPKP pin from.

string

Maximum length: 79

ssl-hpkp-report-uri

URL to report HPKP violations to.

var-string

Maximum length: 255

ssl-hsts

Enable/disable including HSTS header in response.

option

disable

Option	Description
disable	Do not add a HSTS header to each a HTTP response.
enable	Add a HSTS header to each HTTP response.

ssl-hsts-age

Number of seconds the client should honor the HSTS setting.

integer

Minimum value: 60 Maximum value: 157680000

5184000

ssl-hsts-include-subdomains

Indicate that HSTS header applies to all subdomains.

option

disable

Option	Description
disable	HSTS header does not apply to subdomains.
enable	HSTS header applies to subdomains.

ssl-http-location-conversion

Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.

option

disable

Option	Description
enable	Enable HTTP location conversion.
disable	Disable HTTP location conversion.

ssl-http-match-host

Enable/disable HTTP host matching for location conversion.

option

enable

Option	Description
enable	Match HTTP host in response header.
disable	Do not match HTTP host.

ssl-max-version

Highest SSL/TLS version acceptable from a client.

option

tls-1.3

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.

ssl-min-version

Lowest SSL/TLS version acceptable from a client.

option

tls-1.1

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.

ssl-mode

Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).

option

half

Option	Description
half	Client to FortiProxy SSL.
full	Client to FortiProxy and FortiProxy to Server SSL.

ssl-pfs

Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.

option

require

Option	Description
require	Allow only Diffie-Hellman cipher-suites, so PFS is applied.
deny	Allow only non-Diffie-Hellman cipher-suites, so PFS is not applied.
allow	Allow use of any cipher suite so PFS may or may not be used depending on the cipher suite selected.

ssl-send-empty-frags

Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.

option

enable

Option	Description
enable	Send empty fragments.
disable	Do not send empty fragments.

ssl-server-algorithm

Permitted encryption algorithms for the server side of SSL full mode sessions according to encryption strength.

option

client

Option	Description
high	High encryption. Allow only AES and ChaCha.
medium	Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
low	Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
custom	Custom encryption. Use ssl-server-cipher-suites to select the cipher suites that are allowed.
client	Use the same encryption algorithms for both client and server sessions.

ssl-server-max-version

Highest SSL/TLS version acceptable from a server. Use the client setting by default.

option

client

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.
client	Use same value as client configuration.

ssl-server-min-version

Lowest SSL/TLS version acceptable from a server. Use the client setting by default.

option

client

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.
client	Use same value as client configuration.

ssl-server-renegotiation

Enable/disable secure renegotiation to comply with RFC 5746.

option

enable

Option	Description
enable	Enable secure renegotiation.
disable	Disable secure renegotiation.

ssl-server-session-state-max

Maximum number of FortiGate to Server SSL session states to keep.

integer

Minimum value: 1 Maximum value: 10000

100

ssl-server-session-state-timeout

Number of minutes to keep FortiGate to Server SSL session state.

integer

Minimum value: 1 Maximum value: 14400

ssl-server-session-state-type

How to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate.

option

both

Option	Description
disable	Do not keep session states.
time	Expire session states after this many minutes.
count	Expire session states when this maximum is reached.
both	Expire session states based on time or count, whichever occurs first.

status

Enable/disable the traffic forward proxy for ZTNA traffic.

option

disable

Option	Description
enable	Enable the ZTNA traffic forward proxy.
disable	Disable the ZTNA traffic forward proxy.

svr-pool-multiplex

Enable/disable server pool multiplexing. Share connected server in HTTP, HTTPS, and web-portal api-gateway.

option

enable

Option	Description
enable	Enable server pool multiplexing. Share connected server.
disable	Disable server pool multiplexing. Do not share connected server.

svr-pool-server-max-concurrent-request

Maximum number of concurrent requests that servers in server pool could handle (default = unlimited).

integer

Minimum value: 0 Maximum value: 2147483647

svr-pool-server-max-request

Maximum number of requests that servers in server pool handle before disconnecting (default = unlimited).

integer

Minimum value: 0 Maximum value: 2147483647

svr-pool-ttl

Time-to-live in the server pool for idle connections to servers.

integer

Minimum value: 0 Maximum value: 2147483647

user-agent-detect

Enable/disable to detect device type by HTTP user-agent if no client certificate provided.

option

enable

Option	Description
disable	Disable to detect unknown device by HTTP user-agent if no client certificate provided.
enable	Enable to detect unknown device by HTTP user-agent if no client certificate provided.

config quic

Parameter

Description

Type

Size

Default

ack-delay-exponent

ACK delay exponent (1 - 20, default = 3).

integer

Minimum value: 1 Maximum value: 20

active-connection-id-limit

Active connection ID limit (1 - 8, default = 2).

integer

Minimum value: 1 Maximum value: 8

active-migration

Enable/disable active migration (default = disable).

option

disable

Option	Description
enable	Enable active migration.
disable	Disable active migration.

grease-quic-bit

Enable/disable grease QUIC bit (default = enable).

option

enable

Option	Description
enable	Enable grease QUIC bit.
disable	Disable grease QUIC bit.

max-ack-delay

Maximum ACK delay in milliseconds (1 - 16383, default = 25).

integer

Minimum value: 1 Maximum value: 16383

max-datagram-frame-size

Maximum datagram frame size in bytes (1 - 1500, default = 1500).

integer

Minimum value: 1 Maximum value: 1500

1500

max-idle-timeout

Maximum idle timeout milliseconds (1 - 60000, default = 30000).

integer

Minimum value: 1 Maximum value: 60000

30000

max-udp-payload-size

Maximum UDP payload size in bytes (1200 - 1500, default = 1500).

integer

Minimum value: 1200 Maximum value: 1500

1500

config ssl-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

Option	Description
TLS-AES-128-GCM-SHA256	Cipher suite TLS-AES-128-GCM-SHA256.
TLS-AES-256-GCM-SHA384	Cipher suite TLS-AES-256-GCM-SHA384.
TLS-CHACHA20-POLY1305-SHA256	Cipher suite TLS-CHACHA20-POLY1305-SHA256.
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-DHE-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
TLS-DHE-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
TLS-DHE-DSS-WITH-AES-128-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
TLS-DHE-DSS-WITH-AES-256-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384	Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
TLS-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
TLS-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
TLS-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
TLS-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
TLS-RSA-WITH-AES-256-CBC-SHA256	Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
TLS-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-RSA-WITH-SEED-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
TLS-DHE-DSS-WITH-SEED-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
TLS-RSA-WITH-SEED-CBC-SHA	Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
TLS-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.
TLS-ECDHE-RSA-WITH-RC4-128-SHA	Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
TLS-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-RSA-WITH-RC4-128-MD5	Cipher suite TLS-RSA-WITH-RC4-128-MD5.
TLS-RSA-WITH-RC4-128-SHA	Cipher suite TLS-RSA-WITH-RC4-128-SHA.
TLS-DHE-RSA-WITH-DES-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
TLS-DHE-DSS-WITH-DES-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
TLS-RSA-WITH-DES-CBC-SHA	Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

versions

SSL/TLS versions that the cipher suite can be used with.

option

ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.

config ssl-server-cipher-suites

Parameter

Description

Type

Size

Default

cipher

Cipher suite name.

option

Option	Description
TLS-AES-128-GCM-SHA256	Cipher suite TLS-AES-128-GCM-SHA256.
TLS-AES-256-GCM-SHA384	Cipher suite TLS-AES-256-GCM-SHA384.
TLS-CHACHA20-POLY1305-SHA256	Cipher suite TLS-CHACHA20-POLY1305-SHA256.
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256	Cipher suite TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256.
TLS-DHE-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA.
TLS-DHE-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA.
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-128-CBC-SHA256.
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-AES-256-CBC-SHA256.
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-DHE-RSA-WITH-AES-256-GCM-SHA384.
TLS-DHE-DSS-WITH-AES-128-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA.
TLS-DHE-DSS-WITH-AES-256-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA.
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-128-CBC-SHA256.
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-AES-256-CBC-SHA256.
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384	Cipher suite TLS-DHE-DSS-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256.
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA.
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384.
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA.
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384.
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
TLS-RSA-WITH-AES-128-CBC-SHA	Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA.
TLS-RSA-WITH-AES-256-CBC-SHA	Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA.
TLS-RSA-WITH-AES-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-AES-128-CBC-SHA256.
TLS-RSA-WITH-AES-128-GCM-SHA256	Cipher suite TLS-RSA-WITH-AES-128-GCM-SHA256.
TLS-RSA-WITH-AES-256-CBC-SHA256	Cipher suite TLS-RSA-WITH-AES-256-CBC-SHA256.
TLS-RSA-WITH-AES-256-GCM-SHA384	Cipher suite TLS-RSA-WITH-AES-256-GCM-SHA384.
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA.
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256.
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA	Cipher suite TLS-DSS-RSA-WITH-CAMELLIA-128-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA.
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA.
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256.
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256.
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256.
TLS-DHE-RSA-WITH-SEED-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-SEED-CBC-SHA.
TLS-DHE-DSS-WITH-SEED-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-SEED-CBC-SHA.
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256.
TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384.
TLS-RSA-WITH-SEED-CBC-SHA	Cipher suite TLS-RSA-WITH-SEED-CBC-SHA.
TLS-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256.
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384.
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256	Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC_SHA256.
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384	Cipher suite TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC_SHA384.
TLS-ECDHE-RSA-WITH-RC4-128-SHA	Cipher suite TLS-ECDHE-RSA-WITH-RC4-128-SHA.
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA.
TLS-RSA-WITH-3DES-EDE-CBC-SHA	Cipher suite TLS-RSA-WITH-3DES-EDE-CBC-SHA.
TLS-RSA-WITH-RC4-128-MD5	Cipher suite TLS-RSA-WITH-RC4-128-MD5.
TLS-RSA-WITH-RC4-128-SHA	Cipher suite TLS-RSA-WITH-RC4-128-SHA.
TLS-DHE-RSA-WITH-DES-CBC-SHA	Cipher suite TLS-DHE-RSA-WITH-DES-CBC-SHA.
TLS-DHE-DSS-WITH-DES-CBC-SHA	Cipher suite TLS-DHE-DSS-WITH-DES-CBC-SHA.
TLS-RSA-WITH-DES-CBC-SHA	Cipher suite TLS-RSA-WITH-DES-CBC-SHA.

priority

SSL/TLS cipher suites priority.

integer

Minimum value: 0 Maximum value: 4294967295

versions

SSL/TLS versions that the cipher suite can be used with.

option

ssl-3.0 tls-1.0 tls-1.1 tls-1.2 tls-1.3

Option	Description
ssl-3.0	SSL 3.0.
tls-1.0	TLS 1.0.
tls-1.1	TLS 1.1.
tls-1.2	TLS 1.2.
tls-1.3	TLS 1.3.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

Web Application / API Protection

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

All Products

CLI Reference

config ztna traffic-forward-proxy

config ztna traffic-forward-proxy

config ztna traffic-forward-proxy

config quic

config ssl-cipher-suites

config ssl-server-cipher-suites

config ztna traffic-forward-proxy

config ztna traffic-forward-proxy

config ztna traffic-forward-proxy

config quic

config ssl-cipher-suites