opetr_FTNT
Staff
March 9, 2015

Technical Tip: How to strengthen SSL security of Virtual Server


Description

 

This article describes how to strengthen the SSL security of a Virtual Server.
Client == (Virtual Server) FortiWeb == Server.


Scope

 

FortiWeb.


Solution

 
Configuration through the GUI.
Configure the Server Policy that uses the Virtual Server whose SSL security is to be strengthened, as follows:

[Screenshots: policy.png, policy1.png]
 
The same can be done through CLI:
 
config server-policy policy
    edit <policy name>
        set hsts-header enable
        set hsts-max-age 15552000
        set ssl-v3 disable
        set ssl-cipher high
        set ssl-pfs enable
        set ssl-noreg enable
end


After the changes have been made, the security of the Virtual Server can be tested, for example at https://www.ssllabs.com/ssltest/. If everything is configured correctly, the rating received should be A-.
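
The same settings can be checked from a client, which is useful when the Virtual Server is not reachable from the Internet. The following Python code is an added example, not part of the original article and not Fortinet code; the function names are hypothetical, and the 15552000 threshold is the hsts-max-age value from the policy above.

```python
import re
import socket
import ssl

MIN_HSTS_MAX_AGE = 15552000  # value of 'set hsts-max-age' in the policy above

def hsts_max_age(header):
    """Return max-age from a Strict-Transport-Security value, or None."""
    for directive in (header or "").split(";"):
        m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.I)
        if m:
            return int(m.group(1))
    return None

def evaluate(protocol, cipher, hsts_header):
    """Compare one observed connection with the hardened policy; return findings."""
    findings = []
    if protocol in ("SSLv2", "SSLv3"):
        findings.append("legacy protocol negotiated: " + protocol)
    # TLS 1.3 suites are always ephemeral; earlier versions need (EC)DHE key exchange.
    if protocol != "TLSv1.3" and not cipher.startswith(("ECDHE-", "DHE-")):
        findings.append("cipher without forward secrecy: " + cipher)
    age = hsts_max_age(hsts_header)
    if age is None:
        findings.append("HSTS header missing")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age too short: %d" % age)
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect to the virtual server and return (protocol, cipher, hsts_header)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            req = "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
            tls.sendall(req.encode("ascii"))
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                data += chunk
            head = data.split(b"\r\n\r\n")[0].decode("latin-1")
            m = re.search(r"^strict-transport-security:\s*(.*)$", head, re.I | re.M)
            return tls.version(), tls.cipher()[0], m.group(1).strip() if m else None

if __name__ == "__main__":
    import sys
    for finding in evaluate(*probe(sys.argv[1])) or ["matches the hardened policy"]:
        print(finding)
```

A current Python/OpenSSL client does not offer SSLv3, so `probe` cannot confirm that SSLv3 is refused; the protocol check in `evaluate` is for values recorded with other tools.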


Note:
Versions before 5.3.5 have a memory leak in 'proxyd' caused by the Perfect Forward Secrecy feature (#0268053). The workaround on those versions is to disable the feature:

config server-policy policy
    edit <policy name>
        set ssl-pfs disable
end


Then restart 'proxyd':
 
diag sys kill 9 <proxyd PID>
 
To restart proxyd on v7.6 and later, refer to this KB article: Technical Tip: How to restart process or daemon on FortiWeb using CLI
 
Killing the proxyd process will interrupt service and current sessions for a few seconds up to a minute.