Layer 7 SSL Security (HTTPS Clusters)

Layer 7 Security allows you to configure various options that are specific to HTTPS connections.

The table below shows the parameters and values used in the configuration of HTTPS cluster security.

GUI Parameter (CLI Parameter)	Description
Cipher Suites (cipherspec)	Lists the supported cipher suites for incoming HTTPS requests. If a client request comes into FortiADC that does not use a cipher in this list, the connection is refused. FortiADC supports DHE-RSA, DHE-DSS, ECDHE-RSA, and ECDHE-ECDSA cipher suites.
Flags
Allow SSLv2 (allow_sslv2)	Enables SSLv2 for client connections.
Allow SSLv3 (allow_sslv3)	Enables SSLv3 for client connections. This option is enabled by default.
Software SSL Only (software_ssl_only)	This flag appears only on systems that are equipped with Hardware SSL Acceleration. When enabled, it specifies that all SSL operations will be performed in software, instead of being performed using the SSL accelerator hardware. This flag does not appear on systems that are not equipped with Hardware SSL Acceleration, since on these units SSL operations are always performed in software. This flag is disabled by default. Please note that enabling this option will reduce the processor and memory resources generally available for processing cluster traffic, since performing SSL operations in software requires use of the system CPU and system memory (instead of the dedicated SSL acceleration hardware CPU and memory).
Allow TLS 1.0 (allow_tls10)	This option enables and disables support for the TLSv1.0 protocol. Enabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.
Allow TLS 1.1 (allow_tls11)	This option enables and disables support for the TLSv1.1 protocol. Disabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.
Allow TLS 1.2 (allow_tls12)	This option enables and disables support for the TLSv1.2 protocol. Disabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.

GUI Parameter (CLI Parameter)

Description

Cipher Suites

(cipherspec)

Lists the supported cipher suites for incoming HTTPS requests. If a client request comes into FortiADC that does not use a cipher in this list, the connection is refused.

FortiADC supports DHE-RSA, DHE-DSS, ECDHE-RSA, and ECDHE-ECDSA cipher suites.

Flags

Allow SSLv2

(allow_sslv2)

Enables SSLv2 for client connections.

Allow SSLv3

(allow_sslv3)

Enables SSLv3 for client connections. This option is enabled by default.

Software SSL Only

(software_ssl_only)

This flag appears only on systems that are equipped with Hardware SSL Acceleration. When enabled, it specifies that all SSL operations will be performed in software, instead of being performed using the SSL accelerator hardware. This flag does not appear on systems that are not equipped with Hardware SSL Acceleration, since on these units SSL operations are always performed in software. This flag is disabled by default.

Please note that enabling this option will reduce the processor and memory resources generally available for processing cluster traffic, since performing SSL operations in software requires use of the system CPU and system memory (instead of the dedicated SSL acceleration hardware CPU and memory).

Allow TLS 1.0

(allow_tls10)

This option enables and disables support for the TLSv1.0 protocol. Enabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.

Allow TLS 1.1

(allow_tls11)

This option enables and disables support for the TLSv1.1 protocol. Disabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.

Allow TLS 1.2

(allow_tls12)

This option enables and disables support for the TLSv1.2 protocol. Disabled by default. If multiple TLS versions are enabled, the first supported TLS version negotiated by a client will be used.

Configuring Layer 7 SSL Security Using the CLI

Layer 7 HTTPS Security can be configured in the CLI either globally or in cluster context. Enter parameters using the following format.

eqcli > cluster clustername parameter value flags flag

Use the table above for descriptions of the parameters and values.

Where:

clustername - is the the name fo the cluster.

parameter - is the parameter.

value - is the value associated with the parameter.

flag - is the flag to be associated with the cluster.

Use the table above for parameters and values .

Refer to Cluster and Match Rule Commands for additional information on using cluster commands in the CLI.