firewall : ssl setting
Use this command to configure SSL proxy settings so that antivirus scanning, web filtering, FortiGuard web filtering, spam filtering, data leak prevention (DLP), and content archiving can be applied to HTTPS, IMAPS, POP3S, and SMTPS traffic through the config firewall profile command.
To perform SSL content scanning and inspection, the FortiGate unit does the following:
  - intercepts and decrypts HTTPS, IMAPS, POP3S, and SMTPS sessions between clients and servers (FortiGate SSL acceleration speeds up decryption)
  - applies content inspection to the decrypted content, including:
      - HTTPS, IMAPS, POP3S, and SMTPS antivirus, DLP, and content archiving
      - HTTPS web filtering and FortiGuard web filtering
      - IMAPS, POP3S, and SMTPS spam filtering
  - re-encrypts the sessions and forwards them to their destinations.
Syntax
config firewall ssl setting
set cert-cache-capacity <capacity_integer>
set cert-cache-timeout <timeout_integer>
set no-matching-cipher-action {bypass | drop}
set proxy-connect-timeout <timeout_integer>
set session-cache-capacity <capacity_integer>
set session-cache-timeout <timeout_integer>
set ssl-dh-bits {1024 | 1536 | 2048 | 768}
set ssl-send-empty-frags {enable | disable}
end
| Variable | Description | Default |
| --- | --- | --- |
| cert-cache-capacity <capacity_integer> | Enter the capacity of the host certificate cache. The range is from 0 to 200. | 100 |
| cert-cache-timeout <timeout_integer> | Enter the time limit to keep the certificate cache. The range is from 1 to 120 minutes. | 10 |
| no-matching-cipher-action {bypass \| drop} | Bypass or drop SSL traffic when an unsupported cipher is being used by the server. | bypass |
| proxy-connect-timeout <timeout_integer> | Enter the time limit to make an internal connection to the appropriate proxy process (1 - 60 seconds). | 30 |
| session-cache-capacity <capacity_integer> | Enter the capacity of the SSL session cache (0 - 1000). | 500 |
| session-cache-timeout <timeout_integer> | Enter the time limit in minutes to keep the SSL session. | 20 |
| ssl-dh-bits {1024 \| 1536 \| 2048 \| 768} | Select the size of the Diffie-Hellman prime used in DHE_RSA negotiation. | 1024 |
| ssl-send-empty-frags {enable \| disable} | Enable or disable sending empty fragments to avoid an attack on the CBC IV (SSL 3.0 and TLS 1.0 only). | enable |
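The defaults in the table matter when auditing a unit, because a plain `show` omits settings left at their default. The following audit script is an added example, not Fortinet's code: it assumes the `config ... set ... end` output format of `show firewall ssl setting` (the sample below is constructed, not captured from a unit), fills in the table's defaults for omitted keys, and flags the weaker choices for ssl-dh-bits, no-matching-cipher-action, and ssl-send-empty-frags.

```python
import re

# Defaults from the reference table above. A plain `show` omits keys left at
# their default, so an auditor must fill them in before judging the config.
DEFAULTS = {
    "cert-cache-capacity": "100",
    "cert-cache-timeout": "10",
    "no-matching-cipher-action": "bypass",
    "proxy-connect-timeout": "30",
    "session-cache-capacity": "500",
    "session-cache-timeout": "20",
    "ssl-dh-bits": "1024",
    "ssl-send-empty-frags": "enable",
}

# Constructed sample of `show firewall ssl setting` output (assumed format).
SAMPLE_OUTPUT = """\
config firewall ssl setting
    set ssl-dh-bits 1024
    set session-cache-timeout 30
end
"""

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(\S+)\s*$")


def parse_ssl_setting(text):
    """Return the effective settings: explicit `set` lines layered over DEFAULTS."""
    settings = dict(DEFAULTS)
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config firewall ssl setting":
            in_block = True
        elif stripped == "end":
            in_block = False
        elif in_block:
            m = SET_LINE.match(line)
            if m and m.group(1) in settings:
                settings[m.group(1)] = m.group(2)
    return settings


def audit_ssl_setting(settings):
    """Return findings for values that weaken the SSL proxy; empty list if none."""
    findings = []
    if int(settings["ssl-dh-bits"]) < 2048:
        findings.append("ssl-dh-bits: %s-bit DHE prime; 2048 is the largest size offered" % settings["ssl-dh-bits"])
    if settings["no-matching-cipher-action"] == "bypass":
        findings.append("no-matching-cipher-action: bypass passes sessions with unsupported ciphers uninspected")
    if settings["ssl-send-empty-frags"] != "enable":
        findings.append("ssl-send-empty-frags: disabled; CBC IV countermeasure for SSL 3.0/TLS 1.0 is off")
    return findings
```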