anova
Staff
April 23, 2026

Technical Tip: Disable TLS 1.0 and TLS 1.1 on FortiADC Server Load Balance


Description

This article describes how to disable TLS 1.0 and TLS 1.1 on FortiADC.

Scope

FortiADC.

Solution

For FortiADC to stop accepting TLS 1.0 and TLS 1.1, both the front end and the back end need to be configured to reject these versions. In the configuration, these are the 'Virtual Server' (front end) and the 'Real Server Pool' (back end).

To disable TLS 1.0 and TLS 1.1 on the real server pool, follow these steps:

  1. Go to Server Load Balance -> Real Server Pool -> Server SSL and create a new real server SSL profile.

  2. In the new real server SSL profile, disable TLS 1.0 and TLS 1.1, and save the SSL Profile.

  3. Assign the new real server SSL profile to any real server pool.

To disable TLS 1.0 and TLS 1.1 on the virtual server, follow these steps:

  1. Go to Server Load Balance -> Application Resources -> Client SSL and create a new Client SSL profile.

  2. In the new Client SSL profile, disable TLS 1.0 and TLS 1.1, and save the SSL Profile.

  3. Go to Server Load Balance -> Virtual Server and either edit an existing virtual server or create a new one.

  4. Go to General and make sure the correct profile is selected for HTTPS.

  5. Once the HTTPS profile is selected, the Client SSL Profile field will appear. Select the Client SSL Profile that was created with only TLS 1.2 and TLS 1.3 enabled.
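
A check to run after the steps above, added here as an example and not part of the original article or of FortiADC's own tooling: it offers one TLS version at a time to the virtual server and reports whether TLS 1.0 and TLS 1.1 are refused while TLS 1.2 or TLS 1.3 still completes a handshake. The function names are this example's own, and the virtual server address and optional port are taken from the command line (assumed invocation: `python tls_check.py <address> [port]`).

```python
import socket
import ssl
import sys

LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)    # disabled in the article
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)  # must keep working


def probe(host, port, version, timeout=5.0):
    """Offer exactly one TLS version; return accepted/rejected/unreachable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only version negotiation is tested,
    ctx.verify_mode = ssl.CERT_NONE  # so certificate checks are switched off
    try:
        # Many OpenSSL builds refuse TLS 1.0/1.1 locally unless the security
        # level is lowered, which would look like a server-side rejection.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "unsupported-by-client"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except (ssl.SSLError, ConnectionResetError):
        return "rejected"     # server refused the handshake
    except OSError:
        return "unreachable"  # closed port, timeout, DNS failure: no verdict


def assess(results):
    """Return findings; an empty list means the listener matches the article."""
    findings = []
    for v in LEGACY:
        if results[v] == "accepted":
            findings.append(f"{v.name} is still accepted")
        elif results[v] != "rejected":
            findings.append(f"{v.name} not verified ({results[v]})")
    if not any(results[v] == "accepted" for v in MODERN):
        findings.append("no TLS 1.2/1.3 handshake succeeded")
    return findings


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = {v: probe(host, port, v) for v in LEGACY + MODERN}
    for v, outcome in results.items():
        print(f"{v.name}: {outcome}")
    sys.exit("\n".join(assess(results)) or 0)  # any finding => exit status 1
```

This only exercises the client-facing virtual server; the real server SSL profile governs FortiADC's own connections to the pool members and cannot be probed from a client.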

 


Related documents:

Configuring real server SSL profiles 

Configuring real servers 

Configuring virtual servers 

Configuring client SSL profiles