PCI Non Compliance HTTP/1.0 Protocol Downgrade Detected

One of our customers reported the same pentest failed report due to the same "HTTP/1.0" issue (the report says HTTP/1.1 is still unacceptable, while only HTTP/2 and /3 are acceptable) against their VDOM serving SSL VPN with 7.2.12. Since I couldn't find a good way to "silence" this, we opened a TAC case 10 days ago. TAC's initial response was:
"The reported behavior has been escalated to our PSIRT team, and we are currently awaiting a status update. Any feedback received from then will be shared through this ticket."
And, we still haven't gotten any update from them yet. Since they didn't come back and say "you have to upgrade to 7.4.x or 7.6.x", I'm assuming upgrading it to a newer generation wouldn't resolve this issue. 

Toshi

Is there an update on this issue?  We are experiencing the same issue.  We are running on a Fortigate 400F ver7.2.11 Build 1740.  Thanks

Just had our monthly Pen test fail on the same issue. HTTP/1.0 Protocol Downgrade Detected found at PORT: 10443. v 7.0.18 build 0695. 200E

Any update from the PSIRT team?

Same issue here. “HTTP/1.0 Protocol Downgrade Detected found at PORT: 443”

100f v7.4.9 build2829.

Qualsys added and updated some signatures in November 2025, see QID 530600 in their bulletin here https://notifications.qualys.com/product/2025/11/28/application-security-detections-published-in-november-2025.

SSLVPN/Agentless VPN on all current FortiOS versions including v7.2.12, v7.4.9, and v7.6.5 would be affected by the signature change and start to show warnings on any PCI Compliance scan using Qualsys or tools with similar signatures.

While 1240901 is an internal issue number requesting an update to SSL VPN to allow blocking HTTP/1.0 requests, there is no current schedule to include a fix in v7.2 or v7.4. If there will be a FOS-side change to resolve the fix these branches, it is likely not soon. I mention those branches specifically since SSL VPN tunnel mode is removed in FortiOS v7.6.3 SSL VPN tunnel mode replaced with IPsec VPN.

For any of my customers who are able, I'm recommending expedited migration to IPsec VPN in order to disable SSL VPN and avoid this issue. Obviously that's not an appropriate solution for all environments.

My scan reported the same thing. So looking to see if there might be an ETA to Fortinet rolling a fix as I know removing SSL VPN isn't exactly an option for my company at this time. 

If you are hosting a webserver behind a FortiGate.

Create an IPS signature

F-SBID(--attack_id 9999; --name "Block_HTTP_1.0"; --protocol tcp; --flow from_client; --pattern "HTTP/1.0"; --service HTTP;)

Add that to your Intrusion Protection

Configure that under your destination virtual server on the Firewall policy page

If PCI compliance is your only pentest, could you NAT your PCI device(s) to another, external IP address that is not used by SSL/WEB VPN and have your PCI compliance only check that address?

Has anyone confirmed if the rushed 7.4.11 contains the fix for this. I read the release notes and did not see anything jump out for this. Assuming this may have been a rush release just for the other CVE so may not have all the other fixes etc.

Yesterday we ran new PCI DSS scans, and without having done anything, the HTTP 1.0 non-compliance for the Fortinet VPN client is no longer present. Do you know if Qualys or some other tool has removed these checks and made them non-mandatory for PCI DSS? I haven't found any official communication from Fortinet or Qualys.