config firewall ssl-ssh-profile
Configure SSL/SSH protocol options.
config firewall ssl-ssh-profile
    Description: Configure SSL/SSH protocol options.
    edit <name>
        set comment {var-string}
        config ssl
            Description: Configure SSL options.
            set inspect-all [disable|certificate-inspection|...]
            set client-certificate [bypass|inspect|...]
            set unsupported-ssl-version [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set expired-server-cert [allow|block|...]
            set revoked-server-cert [allow|block|...]
            set untrusted-server-cert [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set cert-validation-failure [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set cert-probe-failure [allow|block]
            set encrypted-client-hello [allow|block]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
        end
        config https
            Description: Configure HTTPS options.
            set ports {integer}
            set status [disable|certificate-inspection|...]
            set quic [inspect|bypass|...]
            set proxy-after-tcp-handshake [enable|disable]
            set client-certificate [bypass|inspect|...]
            set unsupported-ssl-version [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set expired-server-cert [allow|block|...]
            set revoked-server-cert [allow|block|...]
            set untrusted-server-cert [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set cert-validation-failure [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set cert-probe-failure [allow|block]
            set encrypted-client-hello [allow|block]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
        end
        config ftps
            Description: Configure FTPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set client-certificate [bypass|inspect|...]
            set unsupported-ssl-version [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set expired-server-cert [allow|block|...]
            set revoked-server-cert [allow|block|...]
            set untrusted-server-cert [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set cert-validation-failure [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
            set min-allowed-ssl-version [ssl-3.0|tls-1.0|...]
        end
        config imaps
            Description: Configure IMAPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set proxy-after-tcp-handshake [enable|disable]
            set client-certificate [bypass|inspect|...]
            set unsupported-ssl-version [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set expired-server-cert [allow|block|...]
            set revoked-server-cert [allow|block|...]
            set untrusted-server-cert [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set cert-validation-failure [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config pop3s
            Description: Configure POP3S options.
            set ports {integer}
            set status [disable|deep-inspection]
            set proxy-after-tcp-handshake [enable|disable]
            set client-certificate [bypass|inspect|...]
            set unsupported-ssl-version [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set expired-server-cert [allow|block|...]
            set revoked-server-cert [allow|block|...]
            set untrusted-server-cert [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set cert-validation-failure [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config smtps
            Description: Configure SMTPS options.
            set ports {integer}
            set status [disable|deep-inspection]
            set proxy-after-tcp-handshake [enable|disable]
            set client-certificate [bypass|inspect|...]
            set unsupported-ssl-version [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set expired-server-cert [allow|block|...]
            set revoked-server-cert [allow|block|...]
            set untrusted-server-cert [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set cert-validation-failure [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config ssh
            Description: Configure SSH options.
            set ports {integer}
            set status [disable|deep-inspection]
            set inspect-all [disable|deep-inspection]
            set proxy-after-tcp-handshake [enable|disable]
            set unsupported-version [bypass|block]
            set ssh-tun-policy-check [disable|enable]
            set ssh-algorithm [compatible|high-encryption]
        end
        config dot
            Description: Configure DNS over TLS options.
            set status [disable|deep-inspection]
            set quic [inspect|bypass|...]
            set proxy-after-tcp-handshake [enable|disable]
            set client-certificate [bypass|inspect|...]
            set unsupported-ssl-version [allow|block]
            set unsupported-ssl-cipher [allow|block]
            set unsupported-ssl-negotiation [allow|block]
            set expired-server-cert [allow|block|...]
            set revoked-server-cert [allow|block|...]
            set untrusted-server-cert [allow|block|...]
            set cert-validation-timeout [allow|block|...]
            set cert-validation-failure [allow|block|...]
            set sni-server-cert-check [enable|strict|...]
        end
        config ssl-client-certificate
            Description: Configure SSL client certificate setting.
            set status [do-not-offer|keyring-list|...]
            set keyring-list {string}
            set caname {string}
            set cert {string}
        end
        config ssl-exempt
            Description: Servers to exempt from SSL inspection.
            edit <id>
                set type [fortiguard-category|address|...]
                set fortiguard-category {integer}
                set address {string}
                set address6 {string}
                set wildcard-fqdn {string}
                set regex {string}
                set finger-print-category [unknown|firefox|...]
            next
        end
        config ech-outer-sni
            Description: ClientHelloOuter SNIs to be blocked.
            edit <name>
                set sni {string}
            next
        end
        set allowlist [enable|disable]
        set block-blocklisted-certificates [disable|enable]
        set server-cert-mode [re-sign|replace]
        set use-ssl-server [disable|enable]
        set caname {string}
        set untrusted-caname {string}
        set server-cert <name1>, <name2>, ...
        config ssl-server
            Description: SSL server settings used for client certificate request.
            edit <id>
                set ip {ipv4-address-any}
                set https-client-certificate [bypass|inspect|...]
                set smtps-client-certificate [bypass|inspect|...]
                set pop3s-client-certificate [bypass|inspect|...]
                set imaps-client-certificate [bypass|inspect|...]
                set ftps-client-certificate [bypass|inspect|...]
                set ssl-other-client-certificate [bypass|inspect|...]
            next
        end
        set ssl-exemption-ip-rating [enable|disable]
        set ssl-exemption-log [disable|enable]
        set ssl-anomaly-log [disable|enable]
        set ssl-negotiation-log [disable|enable]
        set ssl-server-cert-log [disable|enable]
        set ssl-handshake-log [disable|enable]
        set rpc-over-https [enable|disable]
        set mapi-over-https [enable|disable]
        set supported-alpn [http1-1|http2|...]
    next
end
config firewall ssl-ssh-profile
Parameter |
Description |
Type |
Size |
Default |
||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
name |
Name. |
string |
Maximum length: 35 |
|
||||||||||
comment |
Optional comments. |
var-string |
Maximum length: 255 |
|
||||||||||
allowlist |
Enable/disable exempting servers by FortiGuard allowlist. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
block-blocklisted-certificates |
Enable/disable blocking of SSL-based botnet communication using the FortiGuard certificate blocklist. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
server-cert-mode |
Re-sign or replace the server's certificate. |
option |
- |
re-sign |
||||||||||
|
|
|||||||||||||
use-ssl-server |
Enable/disable the use of SSL server table for SSL offloading. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
caname |
CA certificate used by SSL Inspection. |
string |
Maximum length: 35 |
default-ca |
||||||||||
untrusted-caname |
Untrusted CA certificate used by SSL Inspection. |
string |
Maximum length: 35 |
default-untrusted-ca |
||||||||||
server-cert |
Certificate used by SSL Inspection to replace server certificate. Certificate list. |
string |
Maximum length: 79 |
|
||||||||||
ssl-exemption-ip-rating |
Enable/disable IP-based URL rating. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
ssl-exemption-log |
Enable/disable logging of SSL exemptions. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
ssl-anomaly-log |
Enable/disable logging of SSL anomalies. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
ssl-negotiation-log |
Enable/disable logging of SSL negotiation events. |
option |
- |
enable |
||||||||||
|
|
|||||||||||||
ssl-server-cert-log |
Enable/disable logging of server certificate information. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
ssl-handshake-log |
Enable/disable logging of TLS handshakes. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
rpc-over-https |
Enable/disable inspection of RPC over HTTPS. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
mapi-over-https |
Enable/disable inspection of MAPI over HTTPS. |
option |
- |
disable |
||||||||||
|
|
|||||||||||||
supported-alpn |
Configure ALPN option. |
option |
- |
all |
||||||||||
|
|
config ssl
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
inspect-all |
Level of SSL inspection. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
client-certificate |
Action based on received client certificate. |
option |
- |
bypass |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-version |
Action based on the SSL version used being unsupported. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
expired-server-cert |
Action to take when the server certificate is expired. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
revoked-server-cert |
Action to take when the server certificate is revoked. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
untrusted-server-cert |
Action to take when the server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
sni-server-cert-check |
Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
cert-probe-failure |
Action based on certificate probe failure. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
encrypted-client-hello |
Block or allow the session based on the presence of an Encrypted Client Hello. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
min-allowed-ssl-version |
Minimum SSL version to be allowed. |
option |
- |
tls-1.1 |
||||||||||||
|
|
config https
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||||||
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||||||
|
|
|||||||||||||||
quic |
QUIC inspection status. |
option |
- |
inspect |
||||||||||||
|
|
|||||||||||||||
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
client-certificate |
Action based on received client certificate. |
option |
- |
bypass |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-version |
Action based on the SSL version used being unsupported. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
expired-server-cert |
Action to take when the server certificate is expired. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
revoked-server-cert |
Action to take when the server certificate is revoked. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
untrusted-server-cert |
Action to take when the server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
sni-server-cert-check |
Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
cert-probe-failure |
Action based on certificate probe failure. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
encrypted-client-hello |
Block or allow the session based on the presence of an Encrypted Client Hello. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
min-allowed-ssl-version |
Minimum SSL version to be allowed. |
option |
- |
tls-1.1 |
||||||||||||
|
|
config ftps
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||||||
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||||||
|
|
|||||||||||||||
client-certificate |
Action based on received client certificate. |
option |
- |
bypass |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-version |
Action based on the SSL version used being unsupported. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
expired-server-cert |
Action to take when the server certificate is expired. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
revoked-server-cert |
Action to take when the server certificate is revoked. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
untrusted-server-cert |
Action to take when the server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||||||
|
|
|||||||||||||||
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||||||
|
|
|||||||||||||||
sni-server-cert-check |
Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
min-allowed-ssl-version |
Minimum SSL version to be allowed. |
option |
- |
tls-1.1 |
||||||||||||
|
|
config imaps
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||
|
|
|||||||||||
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||
|
|
|||||||||||
client-certificate |
Action based on received client certificate. |
option |
- |
inspect |
||||||||
|
|
|||||||||||
unsupported-ssl-version |
Action based on the SSL version used being unsupported. |
option |
- |
block |
||||||||
|
|
|||||||||||
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|||||||||||
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|||||||||||
expired-server-cert |
Action to take when the server certificate is expired. |
option |
- |
block |
||||||||
|
|
|||||||||||
revoked-server-cert |
Action to take when the server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|||||||||||
untrusted-server-cert |
Action to take when the server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|||||||||||
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|||||||||||
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
config pop3s
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||
|
|
|||||||||||
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||
|
|
|||||||||||
client-certificate |
Action based on received client certificate. |
option |
- |
inspect |
||||||||
|
|
|||||||||||
unsupported-ssl-version |
Action based on the SSL version used being unsupported. |
option |
- |
block |
||||||||
|
|
|||||||||||
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|||||||||||
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|||||||||||
expired-server-cert |
Action to take when the server certificate is expired. |
option |
- |
block |
||||||||
|
|
|||||||||||
revoked-server-cert |
Action to take when the server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|||||||||||
untrusted-server-cert |
Action to take when the server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|||||||||||
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|||||||||||
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
config smtps
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||||
status |
Configure protocol inspection status. |
option |
- |
deep-inspection |
||||||||
|
|
|||||||||||
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||
|
|
|||||||||||
client-certificate |
Action based on received client certificate. |
option |
- |
inspect |
||||||||
|
|
|||||||||||
unsupported-ssl-version |
Action based on the SSL version used being unsupported. |
option |
- |
block |
||||||||
|
|
|||||||||||
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|||||||||||
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|||||||||||
expired-server-cert |
Action to take when the server certificate is expired. |
option |
- |
block |
||||||||
|
|
|||||||||||
revoked-server-cert |
Action to take when the server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|||||||||||
untrusted-server-cert |
Action to take when the server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|||||||||||
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|||||||||||
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
config ssh
Parameter |
Description |
Type |
Size |
Default |
||||||
---|---|---|---|---|---|---|---|---|---|---|
ports |
Ports to use for scanning. |
integer |
Minimum value: 1 Maximum value: 65535 |
|
||||||
status |
Configure protocol inspection status. |
option |
- |
disable |
||||||
|
|
|||||||||
inspect-all |
Level of SSL inspection. |
option |
- |
disable |
||||||
|
|
|||||||||
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||
|
|
|||||||||
unsupported-version |
Action to take when the SSH version is unsupported. |
option |
- |
bypass |
||||||
|
|
|||||||||
ssh-tun-policy-check |
Enable/disable SSH tunnel policy check. |
option |
- |
disable |
||||||
|
|
|||||||||
ssh-algorithm |
Relative strength of encryption algorithms accepted during negotiation. |
option |
- |
compatible |
||||||
|
|
config dot
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
status |
Configure protocol inspection status. |
option |
- |
disable |
||||||||
|
|
|||||||||||
quic |
QUIC inspection status. |
option |
- |
inspect |
||||||||
|
|
|||||||||||
proxy-after-tcp-handshake |
Proxy traffic after the TCP 3-way handshake has been established (not before). |
option |
- |
disable |
||||||||
|
|
|||||||||||
client-certificate |
Action based on received client certificate. |
option |
- |
bypass |
||||||||
|
|
|||||||||||
unsupported-ssl-version |
Action based on the SSL version used being unsupported. |
option |
- |
block |
||||||||
|
|
|||||||||||
unsupported-ssl-cipher |
Action based on the SSL cipher used being unsupported. |
option |
- |
allow |
||||||||
|
|
|||||||||||
unsupported-ssl-negotiation |
Action based on the SSL negotiation used being unsupported. |
option |
- |
allow |
||||||||
|
|
|||||||||||
expired-server-cert |
Action to take when the server certificate is expired. |
option |
- |
block |
||||||||
|
|
|||||||||||
revoked-server-cert |
Action to take when the server certificate is revoked. |
option |
- |
block |
||||||||
|
|
|||||||||||
untrusted-server-cert |
Action to take when the server certificate is not issued by a trusted CA. |
option |
- |
allow |
||||||||
|
|
|||||||||||
cert-validation-timeout |
Action based on certificate validation timeout. |
option |
- |
allow |
||||||||
|
|
|||||||||||
cert-validation-failure |
Action based on certificate validation failure. |
option |
- |
block |
||||||||
|
|
|||||||||||
sni-server-cert-check |
Check the SNI in the client hello message against the CN or SAN fields in the returned server certificate. |
option |
- |
enable |
||||||||
|
|
config ssl-client-certificate
Parameter |
Description |
Type |
Size |
Default |
||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
status |
Configure SSL client certificate status. |
option |
- |
do-not-offer |
||||||||||
|
|
|||||||||||||
keyring-list |
Keyring list used to find client certificate. |
string |
Maximum length: 35 |
|
||||||||||
caname |
CA certificate used to sign client certificate. |
string |
Maximum length: 35 |
Fortinet_CA_SSL |
||||||||||
cert |
Client certificate. |
string |
Maximum length: 35 |
Fortinet_CA_SSL |
config ssl-exempt
Parameter |
Description |
Type |
Size |
Default |
||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
id |
ID number. |
integer |
Minimum value: 0 Maximum value: 512 |
0 |
||||||||||||||||||||
type |
Type of address object (IPv4 or IPv6) or FortiGuard category. |
option |
- |
fortiguard-category |
||||||||||||||||||||
|
|
|||||||||||||||||||||||
fortiguard-category |
FortiGuard category ID. |
integer |
Minimum value: 0 Maximum value: 255 |
0 |
||||||||||||||||||||
address |
IPv4 address object. |
string |
Maximum length: 79 |
|
||||||||||||||||||||
address6 |
IPv6 address object. |
string |
Maximum length: 79 |
|
||||||||||||||||||||
wildcard-fqdn |
Exempt servers by wildcard FQDN. |
string |
Maximum length: 79 |
|
||||||||||||||||||||
regex |
Exempt servers by regular expression. |
string |
Maximum length: 255 |
|
||||||||||||||||||||
finger-print-category |
Fingerprint platform. |
option |
- |
android |
||||||||||||||||||||
|
|
config ech-outer-sni
Parameter |
Description |
Type |
Size |
Default |
---|---|---|---|---|
name |
ClientHelloOuter SNI name. |
string |
Maximum length: 79 |
|
sni |
ClientHelloOuter SNI to be blocked. |
string |
Maximum length: 255 |
|
config ssl-server
Parameter |
Description |
Type |
Size |
Default |
||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
id |
SSL server ID. |
integer |
Minimum value: 0 Maximum value: 4294967295 |
0 |
||||||||
ip |
IPv4 address of the SSL server. |
ipv4-address-any |
Not Specified |
0.0.0.0 |
||||||||
https-client-certificate |
Action based on received client certificate during the HTTPS handshake. |
option |
- |
bypass |
||||||||
|
|
|||||||||||
smtps-client-certificate |
Action based on received client certificate during the SMTPS handshake. |
option |
- |
bypass |
||||||||
|
|
|||||||||||
pop3s-client-certificate |
Action based on received client certificate during the POP3S handshake. |
option |
- |
bypass |
||||||||
|
|
|||||||||||
imaps-client-certificate |
Action based on received client certificate during the IMAPS handshake. |
option |
- |
bypass |
||||||||
|
|
|||||||||||
ftps-client-certificate |
Action based on received client certificate during the FTPS handshake. |
option |
- |
bypass |
||||||||
|
|
|||||||||||
ssl-other-client-certificate |
Action based on received client certificate during an SSL protocol handshake. |
option |
- |
bypass |
||||||||
|
|