Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
tana
Staff
Staff

Created on ‎03-08-2021 07:13 PM Edited on ‎12-15-2021 08:33 AM By Anonymous

Article Id 190687

Technical Tip: SSL/TLS Load balancing options are missing

Description

This article describes while setting up additional SSL/TLS load balancing options, such as SSL algorithm/mode/versions, there is no option to see the following:
 

# config firewall vip
# edit test
new entry 'test' added
(test) # set type server-load-balance
(test) # set server-type https
(test) # set ssl?
ssl-hpkp Enable/disable including HPKP header in response.
ssl-hsts Enable/disable including HSTS header in response.

Solution:

Ensure the firewall inspection mode is in Proxy mode.
 

# config system settings
#(settings) # set inspection-mode proxy
#(settings) # end

# config firewall vip
# edit test
(test) # set ssl?
ssl-mode                                      Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
*ssl-certificate                             The name of the SSL certificate to use for SSL acceleration.
ssl-dh-bits                                    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
ssl-algorithm                                Permitted encryption algorithms for SSL sessions according to encryption strength.
ssl-pfs                                           Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
ssl-min-version                             Lowest SSL/TLS version acceptable from a client.
ssl-max-version                            Highest SSL/TLS version acceptable from a client.
ssl-send-empty-frags                    Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
ssl-client-fallback                         Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
ssl-client-renegotiation                 Allow, deny or require secure renegotiation of client sessions to comply with RFC 5746.
ssl-client-session-state-type          How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
ssl-client-session-state-timeout    Number of minutes to keep client to FortiGate SSL session state.
ssl-client-session-state-max          Maximum number of clients to FortiGate SSL session states to keep.
ssl-http-location-conversion         Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
ssl-hpkp                                        Enable/disable including HPKP header in the response.
ssl-hsts                                          Enable/disable including HSTS header in the response.

Related Articles

Technical Tip: How to check FortiGate cipher suite

Labels:
1195
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.