Additional SSL load balancing options
The following SSL load balancing and SSL offloading options are only available from the CLI:
ssl-client-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the client and the FortiGate unit.
ssl-client-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the client and the FortiGate unit.
ssl-client-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the client and the FortiGate unit.
both: Select to expire SSL session states when either ssl-client-session-state-max or ssl-client-session-state-timeout is exceeded, regardless of which occurs first.
count: Select to expire SSL session states when ssl-client-session-state-max is exceeded.
disable: Select to keep no SSL session states.
time: Select to expire SSL session states when ssl-client-session-state-timeout is exceeded.
ssl-dh-bits <bits_int>
Enter the number of bits of the prime number used in the Diffie-Hellman exchange for RSA encryption of the SSL connection. Larger prime numbers are associated with greater cryptographic strength.
ssl-http-location-conversion {enable | disable}
Select to replace http with https in the reply’s Location HTTP header field. For example, in the reply, Location: http://example.com/ would be converted to Location: https://example.com/
ssl-http-match-host {enable | disable}
Select to apply Location conversion to the reply’s HTTP header only if the host name portion of Location matches the request’s Host field, or, if the Host field does not exist, the host name portion of the request’s URI. If disabled, conversion occurs regardless of whether the host names in the request and the reply match.
For example, if host matching is enabled, and a request contains Host: example.com and the reply contains Location: http://example.cc/, the Location field does not match the host of the original request and the reply’s Location field remains unchanged. If the reply contains Location: http://example.com/, however, then the FortiGate unit detects the matching host name and converts the reply field to Location: https://example.com/.
This option appears only if ssl-http-location-conversion is set to enable.
ssl-max-version {ssl-3.0 | tls-1.0}
Enter the maximum version of SSL/TLS to accept in negotiation.
ssl-min-version {ssl-3.0 | tls-1.0}
Enter the minimum version of SSL/TLS to accept in negotiation.
ssl-send-empty-frags {enable | disable}
Select to precede each record with empty fragments to thwart attacks on the CBC initialization vector (IV). You might disable this option if SSL acceleration will be used with an old or buggy SSL implementation that cannot properly handle empty fragments.
ssl-server-session-state-max <sessionstates_int>
Enter the maximum number of SSL session states to keep for the segment of the SSL connection between the server and the FortiGate unit.
ssl-server-session-state-timeout <timeout_int>
Enter the number of minutes to keep the SSL session states for the segment of the SSL connection between the server and the FortiGate unit. This option appears only if ssl-mode is set to full.
ssl-server-session-state-type {both | count | disable | time}
Select which method the FortiGate unit should use when deciding to expire SSL sessions for the segment of the SSL connection between the server and the FortiGate unit. This option appears only if ssl-mode is set to full.
both: Select to expire SSL session states when either ssl-server-session-state-max or ssl-server-session-state-timeout is exceeded, regardless of which occurs first.
count: Select to expire SSL session states when ssl-server-session-state-max is exceeded.
disable: Select to keep no SSL session states.
time: Select to expire SSL session states when ssl-server-session-state-timeout is exceeded.
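As an added illustration (not part of the Fortinet documentation), a server-load-balance virtual IP that sets the options above to conservative values. The surrounding VIP settings (type, server-type, extip, extintf, extport, ssl-certificate, realservers) and the addresses are assumptions, and the lines beginning with # are annotations rather than CLI input.

```text
config firewall vip
    edit "web-ssl-offload"
        # assumed VIP framing; placeholder addresses and certificate name
        set type server-load-balance
        set server-type https
        set extip 203.0.113.10
        set extintf "wan1"
        set extport 443
        set ssl-mode half
        set ssl-certificate "example-web-cert"
        # protocol floor and ceiling: refuse SSL 3.0, accept only TLS 1.0
        set ssl-min-version tls-1.0
        set ssl-max-version tls-1.0
        # larger DH prime for the key exchange
        set ssl-dh-bits 2048
        # keep the CBC IV countermeasure on unless a client is known to break
        set ssl-send-empty-frags enable
        # rewrite http:// Location headers only when the host matches the request
        set ssl-http-location-conversion enable
        set ssl-http-match-host enable
        # bound the client-side session cache by both count and age (minutes)
        set ssl-client-session-state-type both
        set ssl-client-session-state-max 1000
        set ssl-client-session-state-timeout 30
        config realservers
            edit 1
                set ip 10.0.0.10
                set port 80
            next
        end
    next
end
```

With ssl-mode set to half, the server-side options (ssl-server-session-state-*) are not shown; they become available once ssl-mode is changed to full.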