Description
This article describes how to control the SSL and TLS versions used by the FortiClient when connecting to SSL VPN.
Scope
FortiClient.
Solution
FortiClient uses the Internet Explorer SSL and TLS settings to initiate the SSL connection. The versions used can be disabled and enabled by navigating to the following option in the browser: Internet options -> Advanced -> Security.
The options are shown in the following screenshot:
CLI Configuration
Using the FortiGate CLI, the same options can be selected as follows. See the related firmware note below.
config vpn ssl settings
set sslv3 disable
set tlsv1-0 disable
set tlsv1-1 enable
set tlsv1-2 enable
end
Verification of configuration and troubleshooting:
If the client and the FortiGate have no SSL/TLS version in common, the SSL VPN debugs show the connection terminating with no definite error. A packet capture of the client's ClientHello shows which protocol versions the client offers, which can then be compared with the versions enabled on the FortiGate.
Note:
Command changes by firmware version:
Before version 6.2, use the following commands to change the SSL version accepted by the SSL VPN:
config vpn ssl settings
set sslv3 {enable | disable} Enable/disable SSLv3.
set tlsv1-0 {enable | disable} Enable/disable TLSv1.0.
set tlsv1-1 {enable | disable} Enable/disable TLSv1.1.
set tlsv1-2 {enable | disable} Enable/disable TLSv1.2.
end
On v6.2 or above, the per-version enable/disable options are replaced by a minimum and a maximum protocol version. Use the following to change the SSL version accepted by the SSL VPN:
config vpn ssl settings
set ssl-max-proto-ver {tls1-0 | tls1-1 | tls1-2 | tls1-3} Highest protocol version accepted:
tls1-0 TLS version 1.0.
tls1-1 TLS version 1.1.
tls1-2 TLS version 1.2.
tls1-3 TLS version 1.3.
set ssl-min-proto-ver {tls1-0 | tls1-1 | tls1-2 | tls1-3} Lowest protocol version accepted:
tls1-0 TLS version 1.0.
tls1-1 TLS version 1.1.
tls1-2 TLS version 1.2.
tls1-3 TLS version 1.3.
end
To disable SSLv3 and TLSv1.0 on v7.4, configure the SSL VPN settings so that the lowest accepted version is TLS 1.2 (the values are the tls1-x keywords listed above):
config vpn ssl settings
set ssl-min-proto-ver tls1-2
set ssl-max-proto-ver tls1-3
end
Explanation:
- ssl-min-proto-ver tls1-2 makes TLS 1.2 the lowest protocol accepted, which excludes SSLv3, TLS 1.0 and TLS 1.1.
- ssl-max-proto-ver tls1-3 allows up to TLS 1.3, the most secure protocol currently supported.
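The following is an added example, not code from this article, FortiClient or FortiOS, that ties the troubleshooting note above (a packet capture shows the versions the client offers) to the ssl-min-proto-ver / ssl-max-proto-ver setting. It parses the version fields of a TLS ClientHello record, including the supported_versions extension that TLS 1.3 clients use, and reports whether a FortiGate configured with a given minimum and maximum would find a common version or silently drop the connection. The FORTI_VER mapping from the tls1-x keywords to TLS wire versions, and the three sample ClientHello records, are constructed for this example.

```python
"""Added example: read the TLS versions a client offers in its ClientHello
(what a packet capture of a failing SSL VPN connection shows) and compare
them with a FortiGate ssl-min-proto-ver / ssl-max-proto-ver setting.
Written for this article; not FortiClient or FortiOS code."""
import struct

# FortiOS keyword -> TLS wire version. The keywords are the tls1-x values the
# article lists; the wire values are the TLS protocol version numbers.
FORTI_VER = {"tls1-0": 0x0301, "tls1-1": 0x0302, "tls1-2": 0x0303, "tls1-3": 0x0304}
WIRE_NAME = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
             0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 43   # extension type from RFC 8446 section 4.2.1


def parse_client_hello(record):
    """Return the protocol versions a ClientHello record offers.

    Walks the record header, handshake header, legacy_version, random,
    session id, cipher suites and compression methods, then scans the
    extensions for supported_versions. When that extension is present it is
    the authoritative list (TLS 1.3 clients keep legacy_version at TLS 1.2);
    otherwise legacy_version is the only version offered.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    legacy = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                             # legacy_version + random
    pos += 1 + hello[pos]                                    # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]    # cipher suites
    pos += 1 + hello[pos]                                    # compression methods
    offered = {legacy}
    if pos + 2 <= len(hello):                                # extensions are optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                offered = {struct.unpack("!H", data[1 + i:3 + i])[0]
                           for i in range(0, data[0], 2)}
    return {"legacy_version": legacy, "offered": sorted(offered)}


def fortigate_accepts(offered, min_kw, max_kw):
    """Highest offered version inside [ssl-min-proto-ver, ssl-max-proto-ver],
    or None when nothing overlaps (the silent-termination case)."""
    lo, hi = FORTI_VER[min_kw], FORTI_VER[max_kw]
    if lo > hi:
        raise ValueError("ssl-min-proto-ver is above ssl-max-proto-ver")
    common = [v for v in offered if lo <= v <= hi]
    return max(common) if common else None


def build_client_hello(legacy_version, supported=None):
    """Construct a minimal ClientHello record for the samples below.
    This is constructed test data, not a real capture."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32   # version + random
    body += b"\x00"                                             # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"                  # one cipher suite
    body += b"\x01\x00"                                         # null compression
    exts = b""
    if supported:
        vers = b"".join(struct.pack("!H", v) for v in supported)
        ext_data = bytes([len(vers)]) + vers
        exts = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def report(record, min_kw, max_kw):
    """One-line verdict for a captured ClientHello against the FortiGate setting."""
    info = parse_client_hello(record)
    chosen = fortigate_accepts(info["offered"], min_kw, max_kw)
    names = ", ".join(WIRE_NAME.get(v, hex(v)) for v in info["offered"])
    verdict = WIRE_NAME[chosen] if chosen else "rejected (no common version)"
    return f"client offers [{names}] -> {verdict}"


# Constructed samples: an old TLS 1.0-only client, a TLS 1.2-only client and a
# modern client advertising TLS 1.1 to 1.3 through supported_versions.
OLD_CLIENT = build_client_hello(0x0301)
TLS12_CLIENT = build_client_hello(0x0303)
MODERN_CLIENT = build_client_hello(0x0303, [0x0304, 0x0303, 0x0302])

if __name__ == "__main__":
    for hello in (OLD_CLIENT, TLS12_CLIENT, MODERN_CLIENT):
        print(report(hello, "tls1-2", "tls1-3"))
```

With the v7.4 setting above (tls1-2 to tls1-3), the TLS 1.0-only sample is reported as rejected with no common version, which is the case that appears in the debugs as a connection terminating without an error; the other two samples negotiate TLS 1.2 and TLS 1.3. To use this on a real capture, pass the raw bytes of the first TLS record the client sends after the TCP handshake.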