Skip to main content
sebastan_bach
sebastan_bach
New Member
April 27, 2018
Question

Only allowing TLSv1.2 ssl connections to the internet

  • April 27, 2018
  • 1 reply
  • 12373 views

Hi, 

 

I have enabled deep inspection ssl inspection profile on the firewall. We want to control all outbound SSL traffic to use only TLS v1.2 and should drop traffic if any other TLS version is negotiated. 

 

I could find application ID's related to TLS version and I have created a policy to block TLSv1.0 and TLSv1.1 as application. I modified the TLS min and max version in firefox to TLSv1.0 to test. But looks like this is not working. I am not even able to see these application ids in the logs. The websites are working just fine not being blocked. 

 

is it possible to achieve what we are trying to do?

 

Regards

 

Sebastan

    1 reply

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    April 27, 2018

    I found this thread from 3 years back.

    [link]https://forum.fortinet.com/tm.aspx?m=126854[/link]

    sebastan_bach
    sebastan_bachAuthor
    New Member
    April 27, 2018

    Thanks looks like the functionality is clearly missing just like it was 3 years ago. 

     

    Regards

     

    Sebastan

    hmtay_FTNT
    Staff
    hmtay_FTNT
    Staff
    May 28, 2018

    Hello Sebastan,

     

    Can you add the following custom app control signatures and set them to Block?

     

    F-SBID( --name "SSL.SSLv3"; --protocol tcp; --app_cat 15; --service SSL; --flow from_server; --seq =,1,relative; --pattern "|16 03 00|"; --within 3, packet; --pattern "|02|"; --context packet; --distance 2; --within 1; --pattern "|03 00|"; --distance 3; --within 2; --weight 30; )

     

    F-SBID( --name "SSL.TLSv1.0"; --protocol tcp; --app_cat 15; --service SSL; --flow from_server; --seq =,1,relative; --pattern "|16 03 01|"; --within 3, packet; --pattern "|02|"; --context packet; --distance 2; --within 1; --pattern "|03 01|"; --distance 3; --within 2; --weight 30; )

     

    F-SBID( --name "SSL.TLSv1.1"; --protocol tcp; --app_cat 15; --service SSL; --flow from_server; --seq =,1,relative; --pattern "|16 03 02|"; --within 3, packet; --pattern "|02|"; --context packet; --distance 2; --within 1; --pattern "|03 02|"; --distance 3; --within 2; --weight 30; )

     

    Let me know how it goes. Thanks.

     

    Homing

    Terms & ConditionsAccessibility statement