chall_FTNT
Staff
May 31, 2017

Technical Tip: Setting SSL Protocol Version


Description


This article describes how to configure SSL Protocol Version on FortiManager and FortiAnalyzer. This can be important for achieving PCI compliance and for addressing vulnerability concerns that arise.

 

Scope

 

FortiAnalyzer.


Solution

 

As a rule, newer SSL protocol versions are more secure and should be preferred. The administrator can control the SSL protocol version used for encrypted communications on FortiManager (FMG) and FortiAnalyzer (FAZ) as follows:
 
Commands applicable to both FortiManager and FortiAnalyzer:


config sys global
    set strong-crypto enable <----- Impacts all SSL layers.
    set ssl-static-key-ciphers disable <----- Impacts all SSL layers.
    set admin-https-ssl-versions tlsv1-2 <----- Only the GUI web service.
    set dh-params 2048 <----- Impacts all SSL layers.
    set enc-algorithm high <----- Impacts all SSL layers ('high' excludes weaker cipher suites, e.g., Triple DES in CBC mode).
    set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- For administrative login.
    set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- If web services are enabled (for API use).
    set ssl-low-encryption disable <----- Ensures that SSL low-grade encryption is disabled.
end

 

Commands specific to FortiManager:

 

config system global
    set fgfm-ssl-protocol tlsv1.3 <----- Only impacts the FGFM (FortiGate-to-FortiManager) tunnel.
end

config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.3 <----- Only impacts the FDS (FortiGuard Distribution Servers) update connection.
end

 

Commands specific to FortiAnalyzer:

 

config system global
    set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- For the OFTP tunnel used with FortiGates (log and configuration transfer).
end
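After applying the settings above, it is worth confirming from the network side that the administrative listener really refuses the old versions. The following Python script is an added example and is not part of this article or of any Fortinet tool: it pins one TLS handshake per protocol version against the admin HTTPS port (the host name and port 443 are assumptions) and lists any version the listener accepted that your policy does not allow.

```python
import socket
import ssl

# Versions this probe can pin the client to (SSLv3 cannot be negotiated from
# modern Python/OpenSSL builds, so it is not probed here).
VERSIONS = {
    "tlsv1.0": ssl.TLSVersion.TLSv1,
    "tlsv1.1": ssl.TLSVersion.TLSv1_1,
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
    "tlsv1.3": ssl.TLSVersion.TLSv1_3,
}

def handshake_with(host, port, version, timeout=5.0):
    """True if the listener completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not the cert chain
    try:
        # SECLEVEL=0 lets OpenSSL 3 offer TLS 1.0/1.1 at all; otherwise the
        # probe would report "refused" for a purely client-side reason.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # builds without security levels (e.g. LibreSSL)
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):
        # OSError covers ssl.SSLError (server rejected the version) and
        # connection failures; ValueError covers a version the local build lacks.
        return False

def probe(host, port=443):
    """Map each version name to whether the listener accepted it."""
    return {name: handshake_with(host, port, ver) for name, ver in VERSIONS.items()}

def assess(accepted, allowed=("tlsv1.2", "tlsv1.3")):
    """Versions the listener accepted that the policy does not allow, sorted."""
    return sorted(v for v, ok in accepted.items() if ok and v not in allowed)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "fmg.example.internal"  # assumed host
    result = probe(host)
    for name, ok in result.items():
        print(f"{name:8} {'accepted' if ok else 'refused'}")
    print("not allowed by policy:", assess(result) or "none")
```

Pass the allowed tuple that matches what you configured (for example only "tlsv1.2" when admin-https-ssl-versions is set to tlsv1-2) so the report reflects your own policy rather than the default.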

 

Notes:

Earlier versions of FortiManager and FortiAnalyzer may support only some of these commands and only some of these configurable options.
For details, see the FortiManager and FortiAnalyzer CLI Reference Guide corresponding to the version in use.