hjezzapaula
Staff
April 27, 2026

Technical Tip: Disable weak ciphers monitored on SAML port used for IPsec dial-up VPN


Description

This article describes how to restrict the cipher suites accepted on the SAML port used for IPsec dial-up VPN, so that a scanner no longer reports weak ciphers on that port.

Scope

FortiGate.

Solution

The IKE SAML port (the port on which FortiGate accepts SAML authentication for IPsec dial-up VPN users) can be changed with the following CLI setting:


config system global
    set auth-ike-saml-port <integer>
end


Once the IKE SAML server has been attached to the WAN interface, that port is exposed as an HTTPS service, and a vulnerability scanner may report weak cipher suites on it.


The cipher suites FortiGate offers for HTTPS connections, including the ones it terminates on the SAML port, are controlled by the admin HTTPS settings. The same settings also govern the administrative HTTPS GUI, so restricting them for the SAML port restricts the GUI as well:


config system global
    set admin-https-ssl-ciphersuites {<cipher_1> ... <cipher_n>}
    set admin-https-ssl-banned-ciphers {<cipher_1> ... <cipher_n>}
end


For example, the following configuration allows only the TLSv1.3 suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256 (written in FortiOS notation with hyphens), bans SHA1, SHA256 and SHA384 based ciphers from the admin HTTPS cipher list, limits the admin HTTPS listener to TLSv1.3 and raises the global minimum TLS version to TLSv1.3. After this change, any browser or SAML client that cannot negotiate TLSv1.3 will no longer be able to connect to the GUI or to the SAML port.


config system global
    set admin-https-ssl-banned-ciphers SHA1 SHA256 SHA384
    set admin-https-ssl-ciphersuites TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
    set admin-https-ssl-versions tlsv1-3
    set ssl-min-proto-version TLSv1-3
end


To confirm that a TLSv1.2 cipher such as AES128-SHA256 is no longer negotiated on the IKE SAML port (1001 in this example), open a TLSv1.2 connection to that port offering only that cipher and check that the handshake is refused. The test output is shown below:


[Screenshot: test output showing the TLSv1.2 AES128-SHA256 handshake being refused on port 1001]
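The following script is an added example and is not part of the original article or of Fortinet's documentation. It performs the same check as the screenshot with the openssl command-line client, and goes one step further: besides confirming that TLSv1.2 AES128-SHA256 is refused, it confirms that one of the allowed TLSv1.3 suites is still accepted, so a closed port or a broken service is not mistaken for a hardened one. It assumes the openssl CLI is installed, uses a hypothetical FortiGate address (192.0.2.1, port 1001) for the real check, and starts a local openssl s_server limited to TLSv1.3 and the three suites from the configuration above (on port 14433, an arbitrary choice) as a stand-in so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies that a TLS listener
# refuses a legacy TLSv1.2 cipher and still accepts a configured TLSv1.3 suite.
# Assumptions (mine, not the page's): the openssl CLI is available; the
# FortiGate IKE SAML port is reachable at $FGT_HOST:$FGT_PORT (192.0.2.1:1001
# used as a hypothetical address); port 14433 is free for the local stand-in.

# Attempt a TLSv1.2 handshake offering exactly one cipher (OpenSSL cipher-list
# name, e.g. AES128-SHA256). Returns 0 only if the server negotiated that cipher.
probe_tls12_cipher() {
    host=$1; port=$2; cipher=$3
    out=$(openssl s_client -connect "$host:$port" -tls1_2 -cipher "$cipher" \
          </dev/null 2>&1 || true)
    printf '%s\n' "$out" | grep -q "Cipher is $cipher"
}

# Attempt a TLSv1.3 handshake offering exactly one suite (IANA name, e.g.
# TLS_AES_256_GCM_SHA384). Returns 0 only if the server negotiated that suite.
probe_tls13_suite() {
    host=$1; port=$2; suite=$3
    out=$(openssl s_client -connect "$host:$port" -tls1_3 -ciphersuites "$suite" \
          </dev/null 2>&1 || true)
    printf '%s\n' "$out" | grep -q "Cipher is $suite"
}

# The check a practitioner wants on the SAML port: the weak TLSv1.2 cipher must
# be refused AND an allowed TLSv1.3 suite must be accepted. Returns 0 on success.
check_saml_port() {
    host=$1; port=$2
    if probe_tls12_cipher "$host" "$port" AES128-SHA256; then
        echo "FAIL: $host:$port negotiated TLSv1.2 AES128-SHA256"
        return 1
    fi
    if ! probe_tls13_suite "$host" "$port" TLS_AES_256_GCM_SHA384; then
        echo "FAIL: $host:$port did not accept TLS_AES_256_GCM_SHA384 (service down or misconfigured)"
        return 1
    fi
    echo "OK: $host:$port refuses TLSv1.2 AES128-SHA256 and accepts TLS_AES_256_GCM_SHA384"
}

# Local stand-in for the hardened FortiGate: TLSv1.3 only, the three suites from
# the article, and a throwaway self-signed certificate. Returns 0 once it answers.
start_local_tls13_server() {
    port=$1
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl s_server -accept "$port" -cert "$dir/cert.pem" -key "$dir/key.pem" \
        -tls1_3 \
        -ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 \
        -www >/dev/null 2>&1 &
    LOCAL_SERVER_PID=$!
    i=0
    while [ "$i" -lt 10 ]; do
        if probe_tls13_suite 127.0.0.1 "$port" TLS_AES_256_GCM_SHA384; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

stop_local_tls13_server() {
    kill "$LOCAL_SERVER_PID" 2>/dev/null || true
}

# Real check against a FortiGate (hypothetical address), run as:
#   FGT_HOST=192.0.2.1 FGT_PORT=1001 sh check_saml_port.sh
if [ -n "$FGT_HOST" ]; then
    check_saml_port "$FGT_HOST" "${FGT_PORT:-1001}"
fi
```

The FAIL branches matter as much as the OK line: a refused TLSv1.2 handshake alone is also what you would see if the IKE SAML server were not attached to the interface at all, so the positive TLSv1.3 probe is what proves the hardened service is actually listening.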