Description
This article shows the cipher suites offered by the FortiGate firewall when 'strong-crypto' is disabled and when it is enabled.

By default, the 'strong-crypto' setting is disabled. However, it is recommended to enable 'strong-crypto': this forces the FortiGate to use strong encryption and to allow only strong ciphers.

Solution
'strong-crypto' can only be enabled via the command line. Connect to the FortiGate with an SSH client (for example, PuTTY) and enter the following commands:
# config system global
# set strong-crypto enable
# end
The following cipher suites are offered by the FortiGate when 'strong-crypto' is DISABLED:

|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

TLSv1.3:
|     ciphers:
|      TLS_AES_256_GCM_SHA384
|      TLS_CHACHA20_POLY1305_SHA256
|      TLS_AES_128_GCM_SHA256

The following cipher suites are offered by the FortiGate when 'strong-crypto' is ENABLED:

TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)

TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)

TLSv1.3:
|     ciphers:
|      TLS_AES_256_GCM_SHA384
|      TLS_CHACHA20_POLY1305_SHA256
|      TLS_AES_128_GCM_SHA256

Cryptographic protocols SSLv3 and TLSv1.0 will not be offered by the FortiGate when 'strong-crypto' is enabled.

Cryptographic protocols TLSv1.1, TLSv1.2 and TLSv1.3 will still be offered by the FortiGate when 'strong-crypto' is enabled. As the listings above show, enabling 'strong-crypto' removes SSLv3, TLSv1.0 and the DES, 3DES, RC4, SEED and Camellia suites, but it does not remove TLSv1.1, the CBC-mode suites, or the TLS_RSA_* suites that use static RSA key exchange (no forward secrecy), so it should not be treated as the only TLS hardening step.
