FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.


This article describes while setting up additional SSL/TLS load balancing options, such as SSL algorithm/mode/versions, there is no option to see the following:

# config firewall vip
# edit test
new entry 'test' added
(test) # set type server-load-balance
(test) # set server-type https
(test) # set ssl?
ssl-hpkp Enable/disable including HPKP header in response.
ssl-hsts Enable/disable including HSTS header in response.


Ensure the firewall inspection mode is in Proxy mode.

# config system settings
#(settings) # set inspection-mode proxy
#(settings) # end

# config firewall vip
# edit test
(test) # set ssl?
ssl-mode                                      Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
*ssl-certificate                             The name of the SSL certificate to use for SSL acceleration.
ssl-dh-bits                                    Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
ssl-algorithm                                Permitted encryption algorithms for SSL sessions according to encryption strength.
ssl-pfs                                           Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
ssl-min-version                             Lowest SSL/TLS version acceptable from a client.
ssl-max-version                            Highest SSL/TLS version acceptable from a client.
ssl-send-empty-frags                    Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
ssl-client-fallback                         Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
ssl-client-renegotiation                 Allow, deny or require secure renegotiation of client sessions to comply with RFC 5746.
ssl-client-session-state-type          How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
ssl-client-session-state-timeout    Number of minutes to keep client to FortiGate SSL session state.
ssl-client-session-state-max          Maximum number of clients to FortiGate SSL session states to keep.
ssl-http-location-conversion         Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
ssl-hpkp                                        Enable/disable including HPKP header in the response.
ssl-hsts                                          Enable/disable including HSTS header in the response.

Related Articles

Technical Tip: How to check FortiGate cipher suite