
CLI Reference

config firewall ssl setting

SSL proxy settings.

config firewall ssl setting
    Description: SSL proxy settings.
    set proxy-connect-timeout {integer}
    set ssl-dh-bits [768|1024|...]
    set ssl-send-empty-frags [enable|disable]
    set no-matching-cipher-action [bypass|drop]
    set cert-cache-capacity {integer}
    set cert-cache-timeout {integer}
    set session-cache-capacity {integer}
    set session-cache-timeout {integer}
    set kxp-queue-threshold {integer}
    set ssl-queue-threshold {integer}
    set abbreviate-handshake [enable|disable]
end

config firewall ssl setting

Each parameter is listed with its description, type, size (the documented value range), and default.

proxy-connect-timeout
    Description: Time limit (in seconds) to make an internal connection to the appropriate proxy process.
    Type: integer
    Size: Minimum value: 1  Maximum value: 60
    Default: 30

ssl-dh-bits
    Description: Bit size of the Diffie-Hellman prime.
    Type: option
    Size: -
    Default: 2048
    Options:
        768   768-bit Diffie-Hellman prime.
        1024  1024-bit Diffie-Hellman prime.
        1536  1536-bit Diffie-Hellman prime.
        2048  2048-bit Diffie-Hellman prime.

ssl-send-empty-frags
    Description: Enable/disable sending empty fragments to mitigate the attack on the CBC IV (SSL 3.0 and TLS 1.0 only).
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Send empty fragments.
        disable  Do not send empty fragments.

no-matching-cipher-action
    Description: Bypass or drop the connection when no matching cipher is found.
    Type: option
    Size: -
    Default: bypass
    Options:
        bypass  Bypass the connection.
        drop    Drop the connection.

cert-cache-capacity
    Description: Maximum capacity of the host certificate cache.
    Type: integer
    Size: Minimum value: 0  Maximum value: 500
    Default: 200

cert-cache-timeout
    Description: Time limit to keep entries in the certificate cache.
    Type: integer
    Size: Minimum value: 1  Maximum value: 120
    Default: 10

session-cache-capacity
    Description: Capacity of the SSL session cache.
    Type: integer
    Size: Minimum value: 0  Maximum value: 1000
    Default: 500

session-cache-timeout
    Description: Time limit to keep SSL session state.
    Type: integer
    Size: Minimum value: 1  Maximum value: 60
    Default: 20

kxp-queue-threshold
    Description: Maximum length of the CP KXP queue. When the queue becomes full, the proxy switches cipher functions to the main CPU.
    Type: integer
    Size: Minimum value: 0  Maximum value: 512
    Default: 16

ssl-queue-threshold
    Description: Maximum length of the CP SSL queue. When the queue becomes full, the proxy switches cipher functions to the main CPU.
    Type: integer
    Size: Minimum value: 0  Maximum value: 512
    Default: 32

abbreviate-handshake
    Description: Enable/disable use of the SSL abbreviated handshake.
    Type: option
    Size: -
    Default: enable
    Options:
        enable   Enable use of the SSL abbreviated handshake.
        disable  Disable use of the SSL abbreviated handshake.
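The ranges and defaults above are what a configuration review checks a captured `config firewall ssl setting` block against. The following script is an added example, not Fortinet code: it parses the `set <parameter> <value>` lines of such a block (the sample block is constructed here), reports values outside the documented ranges or unknown option values, and additionally flags three settings that weaken the SSL proxy relative to what this page documents: a Diffie-Hellman prime smaller than the 2048-bit default, `ssl-send-empty-frags disable` (which gives up the CBC IV mitigation for SSL 3.0 and TLS 1.0), and `no-matching-cipher-action bypass` (connections with no matching cipher pass instead of being dropped). Treating `bypass` as a finding even though it is the documented default is this script's own judgment, not something the page states.

```python
"""Audit a FortiOS 'config firewall ssl setting' block against this page's ranges.

Added example, not Fortinet code. The range/default table below is copied from
the CLI reference; the weakness thresholds are this script's own assumptions.
"""
import re

# Integer parameters: (minimum, maximum, default) as documented on this page.
INTEGER_RANGES = {
    "proxy-connect-timeout": (1, 60, 30),
    "cert-cache-capacity": (0, 500, 200),
    "cert-cache-timeout": (1, 120, 10),
    "session-cache-capacity": (0, 1000, 500),
    "session-cache-timeout": (1, 60, 20),
    "kxp-queue-threshold": (0, 512, 16),
    "ssl-queue-threshold": (0, 512, 32),
}

# Option parameters and the values the page documents for each.
OPTIONS = {
    "ssl-dh-bits": {"768", "1024", "1536", "2048"},
    "ssl-send-empty-frags": {"enable", "disable"},
    "no-matching-cipher-action": {"bypass", "drop"},
    "abbreviate-handshake": {"enable", "disable"},
}

SET_RE = re.compile(r"^\s*set\s+(\S+)\s+(\S+)\s*$")


def parse_block(text):
    """Return {parameter: value} from the lines between
    'config firewall ssl setting' and the matching 'end'."""
    settings = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config firewall ssl setting":
            inside = True
            continue
        if stripped == "end":
            inside = False
            continue
        match = SET_RE.match(line)
        if inside and match:
            settings[match.group(1)] = match.group(2)
    return settings


def audit(settings):
    """Return a list of (parameter, finding) strings for out-of-range,
    unknown, or weak values. An empty list means nothing to report."""
    findings = []
    for name, value in settings.items():
        if name in INTEGER_RANGES:
            low, high, _default = INTEGER_RANGES[name]
            if not value.isdigit() or not low <= int(value) <= high:
                findings.append((name, f"value {value} outside documented range {low}-{high}"))
        elif name in OPTIONS:
            if value not in OPTIONS[name]:
                findings.append((name, f"undocumented option value {value}"))
        else:
            findings.append((name, "parameter not documented for this block"))

    # Weakness checks. Absent parameters are assumed to hold the documented default.
    dh_bits = settings.get("ssl-dh-bits", "2048")
    if dh_bits.isdigit() and int(dh_bits) < 2048:
        findings.append(("ssl-dh-bits", f"{dh_bits}-bit DH prime is below the 2048-bit default"))
    if settings.get("ssl-send-empty-frags", "enable") == "disable":
        findings.append(("ssl-send-empty-frags", "CBC IV mitigation for SSL 3.0/TLS 1.0 is disabled"))
    if settings.get("no-matching-cipher-action", "bypass") == "bypass":
        findings.append(("no-matching-cipher-action",
                         "connections with no matching cipher are bypassed rather than dropped"))
    return findings


# Constructed sample block (not from a real device) with one out-of-range
# integer and three weak option values.
SAMPLE_CONFIG = """\
config firewall ssl setting
    set proxy-connect-timeout 90
    set ssl-dh-bits 1024
    set ssl-send-empty-frags disable
    set no-matching-cipher-action bypass
    set cert-cache-capacity 200
end
"""

if __name__ == "__main__":
    for parameter, finding in audit(parse_block(SAMPLE_CONFIG)):
        print(f"{parameter}: {finding}")
```

Run against the sample block, the script reports four findings: `proxy-connect-timeout 90` exceeds the documented maximum of 60, and the three weak option values are each flagged. A block that sets `ssl-dh-bits 2048` and `no-matching-cipher-action drop` and leaves the rest at defaults produces no findings.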
