In case anyone else has trouble, there are two ways to do this. The first is from the front end; the alternative is globally.
1. front end - edit - advanced settings - advanced pass thru
2. settings - Global Advanced pass through - custom options
I also have a rule in my global advanced pass through settings to explicitly deny SSL 3.0 and TLS1.0.
ssl-default-bind-options no-sslv3 no-tlsv10
Even with that, I was not getting good results when I would scan my subdomains using https://www.ssllabs.com/ssltest. It noted many deprecated ciphers were in use. I found some posts by others who were doing something close to what I wanted to do.
Ex: http://wolfspyre.com/?p=207
This was close but I still found that I was having trouble with the 3DES cipher on TLS 1.1 and 1.2.
https://www.ssllabs.com/ssltest directed me to use the cipher list that Mozilla outlined (https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations). Because all of my remote devices are newer, I opted to use the Modern cipher assortment. I added a line underneath my default bind options eliminating support for SSL 3.0 and TLS1.0. It is the following:
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Currently, these ciphers seem to rule out TLS 1.0 and force TLS1.2 only. This could be a problem for older browsers and smart devices. SSLLabs' ssltest does a pretty good job of enumerating which systems are likely to have trouble. I have confirmed that all my devices work without issue given my configuration.
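Added example (not part of the original post, and not HAProxy or pfSense code): a small Python check that reads the two global directives quoted above and reports, for each explicitly named suite, whether it is limited to TLS 1.2, offers forward secrecy, or uses a weak algorithm such as 3DES. It assumes colon-separated OpenSSL suite names with no keyword selectors such as HIGH or !aNULL; the sample config is constructed, with one 3DES suite added to trigger findings.

```python
import re

# Constructed sample: the two global lines from the post (cipher list shortened
# to three entries) plus one legacy 3DES suite added here to show findings.
SAMPLE = """\
ssl-default-bind-options no-sslv3 no-tlsv10
ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:DES-CBC3-SHA
"""

WEAK = re.compile(r"3DES|DES-CBC3|RC4|MD5|NULL|EXP|^DES-")
AEAD = re.compile(r"GCM|CCM|CHACHA20")


def classify(suite):
    """Classify one OpenSSL-style (TLS 1.2 and earlier) cipher suite name."""
    aead = bool(AEAD.search(suite))
    # AEAD suites and suites with a SHA-256/384 MAC are defined for TLS 1.2 only;
    # suites ending in -SHA (SHA-1) or -MD5 can be negotiated on older protocols.
    tls12_only = aead or suite.endswith(("-SHA256", "-SHA384"))
    return {
        "suite": suite,
        "min_proto": "TLSv1.2" if tls12_only else "SSLv3/TLSv1.0",
        "forward_secret": suite.startswith(("ECDHE-", "DHE-")),
        "aead": aead,
        "weak": bool(WEAK.search(suite)),
    }


def audit(config_text):
    """Return (bind options, per-suite classification, list of findings)."""
    options, suites = set(), []
    for line in config_text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "ssl-default-bind-options":
            options.update(value.split())
        elif key == "ssl-default-bind-ciphers":
            suites = [classify(s) for s in value.strip().split(":") if s]
    findings = [f"bind options missing {opt}"
                for opt in ("no-sslv3", "no-tlsv10") if opt not in options]
    for s in suites:
        if s["weak"]:
            findings.append(f"{s['suite']}: weak algorithm")
        if not s["forward_secret"]:
            findings.append(f"{s['suite']}: no forward secrecy")
        if s["min_proto"] != "TLSv1.2":
            findings.append(f"{s['suite']}: usable below TLS 1.2")
    return options, suites, findings
```

Calling `audit()` on the text of the custom options box returns the findings list; an empty list means every named suite is a forward-secret, TLS 1.2-only suite and both protocol exclusions are present.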