Created on 03-08-2021 07:13 PM Edited on 12-15-2021 08:33 AM By Anonymous
Description
# config firewall vip
# edit test
new entry 'test' added
(test) # set type server-load-balance
(test) # set server-type https
(test) # set ssl?
ssl-hpkp Enable/disable including HPKP header in response.
ssl-hsts Enable/disable including HSTS header in response.
Solution:
# config system settings
(settings) # set inspection-mode proxy
(settings) # end
# config firewall vip
# edit test
(test) # set ssl?
ssl-mode Apply SSL offloading between the client and the FortiGate (half) or from the client to the FortiGate and from the FortiGate to the server (full).
*ssl-certificate The name of the SSL certificate to use for SSL acceleration.
ssl-dh-bits Number of bits to use in the Diffie-Hellman exchange for RSA encryption of SSL sessions.
ssl-algorithm Permitted encryption algorithms for SSL sessions according to encryption strength.
ssl-pfs Select the cipher suites that can be used for SSL perfect forward secrecy (PFS). Applies to both client and server sessions.
ssl-min-version Lowest SSL/TLS version acceptable from a client.
ssl-max-version Highest SSL/TLS version acceptable from a client.
ssl-send-empty-frags Enable/disable sending empty fragments to avoid CBC IV attacks (SSL 3.0 & TLS 1.0 only). May need to be disabled for compatibility with older systems.
ssl-client-fallback Enable/disable support for preventing Downgrade Attacks on client connections (RFC 7507).
ssl-client-renegotiation Allow, deny or require secure renegotiation of client sessions to comply with RFC 5746.
ssl-client-session-state-type How to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate.
ssl-client-session-state-timeout Number of minutes to keep client to FortiGate SSL session state.
ssl-client-session-state-max Maximum number of clients to FortiGate SSL session states to keep.
ssl-http-location-conversion Enable to replace HTTP with HTTPS in the reply's Location HTTP header field.
ssl-hpkp Enable/disable including HPKP header in the response.
ssl-hsts Enable/disable including HSTS header in the response.
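An offline check of a configuration export against the settings above, as an added example that is not Fortinet's code. It assumes the text is in `show full-configuration` form so that every setting is explicit; the sample configuration, the certificate name and the TLS 1.2 baseline are constructed assumptions.

```python
import re

# Constructed sample in `show full-configuration` style (not from a real device).
SAMPLE = """\
config system settings
    set inspection-mode proxy
end
config firewall vip
    edit "test"
        set server-type https
        set ssl-certificate "example-cert"
        set ssl-min-version tls-1.0
    next
end
"""
# Assumed baseline for this example; adjust to local policy.
TLS_ORDER = ["ssl-3.0", "tls-1.0", "tls-1.1", "tls-1.2", "tls-1.3"]
MIN_ALLOWED = "tls-1.2"

def parse(text):
    stack, entry, cfg = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[7:])
        elif line == "end":
            del stack[-1:]
        elif len(stack) != 1:
            continue  # skip nested tables such as realservers
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line == "next":
            entry = None
        elif (m := re.match(r'set (\S+) "?([^"]*)"?$', line)):
            cfg.setdefault((stack[0], entry), {})[m[1]] = m[2]
    return cfg

def audit(text):
    cfg, out = parse(text), []
    if cfg.get(("system settings", None), {}).get("inspection-mode") != "proxy":
        out.append(("system settings", "inspection-mode is not proxy"))
    for (section, name), vip in cfg.items():
        if section != "firewall vip" or vip.get("server-type") != "https":
            continue
        if not vip.get("ssl-certificate"):
            out.append((name, "ssl-certificate not set"))
        low = vip.get("ssl-min-version")
        if low in TLS_ORDER and TLS_ORDER.index(low) < TLS_ORDER.index(MIN_ALLOWED):
            out.append((name, f"ssl-min-version {low} below {MIN_ALLOWED}"))
    return out
```

`audit(SAMPLE)` returns a list of `(object, finding)` pairs; an empty list means the export meets the assumed baseline.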