Description | This article describes how to identify via PowerShell all the TLS cipher suites offered by a Windows device, in order to cross-check them against the cipher suites supported by the FortiGate.
Scope | FortiGate and Windows.
Solution
In FortiGate, there are options to control the allowed TLS versions for HTTPS (GUI) access and SSL VPN, but on top of this, banning specific ciphers can also be configured. Normally, FortiGate is set up to only allow specific TLS versions and disable insecure ciphers for security purposes.
Related articles:
How to control the SSL/TLS versions supported by FortiGate for HTTPS (GUI) access
How to control the SSL/TLS versions supported by FortiGate for SSL-VPN
How to ban specific ciphers in FortiGate for HTTPS (GUI) access
The SSL/TLS versions enabled on a Windows device can be checked by going to Internet Options -> Advanced -> Security and verifying which SSL/TLS versions are ticked. More information is available in this KB article: Technical Tip: How to limit the SSL and TLS versions of connections initiated by FortiClient
To determine the specific TLS cipher suites being offered by a Windows device, the command below can be executed in PowerShell:
Get-TlsCipherSuite | Format-Table -Property Exchange, Certificate, Cipher, CipherLength, Hash, Name
To establish a successful connection, at least one cipher suite offered by the client's Windows device must match a cipher suite that the FortiGate allows and supports.
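As an added example (not part of the original article), the PowerShell script below turns the one-liner above into the actual cross-check: it collects the TLS 1.2/1.3 suites the Windows client offers, compares them with a list of suites the FortiGate accepts, and flags suites built on weak primitives. The $FortiGateAllowed list is an assumed placeholder in IANA naming (the format Get-TlsCipherSuite reports); replace it with the suites your FortiGate actually permits after its TLS-version and banned-cipher settings are applied.

```powershell
# Added example, not from the original article.
# $FortiGateAllowed is a CONSTRUCTED placeholder: fill it with the suites
# your FortiGate permits for HTTPS (GUI) access or SSL VPN.
$FortiGateAllowed = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
)

# Keep only suites the client can use with TLS 1.2 (0x0303 = 771) or
# TLS 1.3 (0x0304 = 772); older protocol versions are normally disabled
# on the FortiGate side, so suites limited to them cannot help.
$clientSuites = Get-TlsCipherSuite | Where-Object {
    ($_.Protocols -contains 771) -or ($_.Protocols -contains 772)
}
$offered = @($clientSuites | Select-Object -ExpandProperty Name)

# Suites present on both sides: the handshake can only succeed on one of these.
$common = @($offered | Where-Object { $FortiGateAllowed -contains $_ })

# Suites using primitives a hardened FortiGate will have banned anyway;
# flagged so the client can be cleaned up with Disable-TlsCipherSuite.
$weakPattern = 'NULL|RC4|3DES|DES_|MD5|EXPORT'
$weak = @($offered | Where-Object { $_ -match $weakPattern })

"Client offers {0} TLS 1.2/1.3 suites; {1} overlap with the FortiGate list." -f $offered.Count, $common.Count
if ($common.Count -eq 0) {
    Write-Warning 'No common cipher suite: the TLS handshake to the FortiGate will fail.'
}
$common | ForEach-Object { "  MATCH: $_" }
$weak   | ForEach-Object { "  WEAK (candidate for Disable-TlsCipherSuite -Name): $_" }
```

Run it in an elevated PowerShell session on the client; an empty MATCH list means the FortiGate's allowed set or the client's cipher suite order must be adjusted before the connection can succeed.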
Copyright 2024 Fortinet, Inc. All Rights Reserved.