wanopt : ssl-server
 
ssl-server
Use this command to add one or more SSL servers to support WAN optimization SSL offloading. You enable WAN optimization SSL offloading by enabling the ssl field in a WAN optimization rule. WAN optimization supports SSL encryption/decryption offloading for HTTP servers.
SSL offloading uses the FortiGate unit to encrypt and decrypt SSL sessions. The FortiGate unit intercepts HTTPS traffic from clients and decrypts it before sending it as clear text to the HTTP server. The clear text response from the HTTP server is encrypted by the FortiGate unit and returned to the client. The result should be a performance improvement because SSL encryption is offloaded from the server to the FortiGate unit's FortiASIC SSL encryption/decryption engine.
You must add one WAN optimization SSL server configuration to the FortiGate unit for each HTTP server that you are configuring SSL offloading for. This SSL server configuration must also include the HTTP server CA. You load this certificate into the FortiGate unit as a local certificate using the config vpn certificate local command and then add the certificate to the SSL server configuration using the ssl-cert field. The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
You can configure one WAN optimization rule to offload SSL encryption/decryption for multiple HTTP servers. To do this, the WAN optimization rule source and destination addresses must be configured so that the rule accepts packets destined for all of the HTTP servers that you want offloading for. Then you must add one SSL server configuration for each of the HTTP servers.
Syntax
config wanopt ssl-server
    edit <ssl-server-name>
        set add-header-x-forwarded-proto {enable | disable}
        set ip <ssl_server_ip_ipv4>
        set port <port_int>
        set ssl-mode {full | half}
        set ssl-algorithm {low | medium | high}
        set ssl-cert <certificate_name>
        set ssl-client-renegotiation {allow | deny | secure}
        set ssl-dh-bits {1024 | 1536 | 2048 | 768}
        set ssl-min-version {ssl-3.0 | tls-1.0}
        set ssl-max-version {ssl-3.0 | tls-1.0}
        set ssl-send-empty-frags {disable | enable}
        set url-rewrite {enable | disable}
end
Variable / Description / Default

edit <ssl-server-name>
    Enter a name for the SSL server. It can be any name; the name is not used by other FortiGate configurations.
    Default: none

add-header-x-forwarded-proto {enable | disable}
    Optionally add an X-Forwarded-Proto header. This option is available when ssl-mode is half.
    Default: enable

ip <ssl_server_ip_ipv4>
    Enter an IP address for the SSL server. This IP address should be the same as the IP address of the HTTP server that this SSL server will be offloading for. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination IP address of the session is matched with this IP address to select the SSL server configuration to use.
    Default: 0.0.0.0

port <port_int>
    Enter a port number to be used by the SSL server. Usually this would be port 443 for an HTTPS server. When a session is accepted by a WAN optimization rule with SSL offloading enabled, the destination port of the session is matched with this port to select the SSL server configuration to use.
    Default: 0

ssl-mode {full | half}
    Configure the SSL server to operate in full mode or half mode. Half mode offloads SSL from the backend server to the server-side FortiGate unit.
    Default: full

ssl-algorithm {low | medium | high}
    Set the permitted encryption algorithms for SSL sessions according to encryption strength:
        low:    AES, 3DES, RC4, DES
        medium: AES, 3DES, RC4
        high:   AES, 3DES
    Default: high

ssl-cert <certificate_name>
    Select the certificate to be used for this SSL server. The certificate should be the HTTP server CA used by the HTTP server that this SSL server configuration will be offloading for.
    The certificate must be a local certificate added to the FortiGate unit using the config vpn certificate local command. For more information, see vpn certificate local.
    The certificate key size must be 1024 or 2048 bits. 4096-bit keys are not supported.
    Default: none

ssl-client-renegotiation {allow | deny | secure}
    Select whether client renegotiation is allowed.
    The deny option aborts any SSL connection that attempts to renegotiate.
    The secure option rejects any SSL connection that does not offer an RFC 5746 Secure Renegotiation Indication.
    Default: allow

ssl-dh-bits {1024 | 1536 | 2048 | 768}
    Select the size of the Diffie-Hellman prime used in DHE_RSA negotiation. Larger primes are more secure but may reduce performance.
    Default: 1024

ssl-min-version {ssl-3.0 | tls-1.0}
    Select the lowest (oldest) SSL/TLS version to offer when negotiating. You can set the minimum version to SSL 3.0 or TLS 1.0. TLS 1.0 is more secure than SSL 3.0.
    Default: ssl-3.0

ssl-max-version {ssl-3.0 | tls-1.0}
    Select the highest (newest) SSL/TLS version to offer when negotiating. You can set the maximum version to SSL 3.0 or TLS 1.0. TLS 1.0 is more secure than SSL 3.0.
    Default: tls-1.0

ssl-send-empty-frags {disable | enable}
    Enable or disable sending empty fragments before sending the actual payload. Sending empty fragments is a technique used to avoid cipher-block chaining (CBC) plaintext attacks when the initialization vector (IV, also called the CBC IV) is known. Some SSL implementations are not compatible with sending empty fragments. Change ssl-send-empty-frags to disable if required by your SSL implementation.
    Default: enable

url-rewrite {enable | disable}
    Enable to rewrite the Location header of HTTP redirection responses (3XX responses). This option is available when ssl-mode is half.
    Default: disable
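As an added example (not part of the FortiOS reference), the following Python script parses a constructed "show wanopt ssl-server" listing, fills in the defaults from the table above for fields the listing omits, and flags the settings a reviewer would want changed before the offloaded server faces clients. The server names, IP addresses and certificate names are made up.

```python
import re

# Constructed sample in the layout of a FortiOS "show wanopt ssl-server"
# listing (not from a real device); fields left at their default are omitted.
SAMPLE_CONFIG = """\
config wanopt ssl-server
    edit "web-legacy"
        set ip 10.0.1.10
        set ssl-cert "web-legacy-cert"
        set ssl-algorithm low
    next
    edit "web-hardened"
        set ip 10.0.1.20
        set ssl-cert "web-hardened-cert"
        set ssl-client-renegotiation secure
        set ssl-dh-bits 2048
        set ssl-min-version tls-1.0
    next
end
"""

# Defaults from the reference table above; "show" omits them, so fill them in.
DEFAULTS = {"ssl-algorithm": "high", "ssl-client-renegotiation": "allow",
            "ssl-dh-bits": "1024", "ssl-min-version": "ssl-3.0"}

def parse_ssl_servers(text):
    """Return {server-name: {field: value}} with defaults applied."""
    servers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'edit\s+"?([^"]+?)"?$', line):
            current = servers[m.group(1)] = dict(DEFAULTS)
        elif (m := re.match(r'set\s+(\S+)\s+(.+)$', line)) and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
    return servers

def audit(server):
    """Return findings for settings that weaken the offloaded TLS endpoint."""
    findings = []
    if server["ssl-min-version"] == "ssl-3.0":
        findings.append("ssl-min-version permits SSL 3.0; set tls-1.0")
    if server["ssl-dh-bits"] in ("768", "1024"):
        findings.append("ssl-dh-bits %s is weak; set 2048" % server["ssl-dh-bits"])
    if server["ssl-algorithm"] != "high":
        findings.append("ssl-algorithm %s permits RC4; set high" % server["ssl-algorithm"])
    if server["ssl-client-renegotiation"] == "allow":
        findings.append("ssl-client-renegotiation allow; set secure or deny")
    return findings
```

Run audit(s) for each entry returned by parse_ssl_servers(SAMPLE_CONFIG); the "web-legacy" entry produces four findings, all of them inherited defaults except ssl-algorithm, while "web-hardened" produces none.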