Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ytoh_FTNT
Staff
Staff

Created on ‎08-12-2015 12:26 AM Edited on ‎06-25-2024 12:52 AM By Moderator

Article Id 192331

Technical Tip: Cipher suites offered by FortiGate

Description

 

This article shows the cipher suites offered by the FortiGate firewall when 'strong-crypto' is disabled and when it is enabled.

By default, the command 'strong-crypto' is in a disabled status.  However, it is recommended to enable 'strong-crypto', this will enforce the FortiGate to use strong encryption and only allow strong ciphers.


Solution

 

'strong-crypto' can only be enabled via the command line. SSH into the FortiGate via SSH client (For example Putty) and type in the commands:
 
config system global
    set strong-crypto enable
end

The following cipher suites are offered by the FortiGate when 'strong-crypto' is DISABLED:
 

|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

 

TLSv1.0:


|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

 

TLS v1.1:


|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

 

TLS v1.2:


|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

 

TLS v1.3:


|     ciphers
|      TLS_AES_256_GCM_SHA384
|      TLS_CHACHA20_POLY1305_SHA256
|      TLS_AES_128_GCM_SHA256

 

The following cipher suites are offered by the FortiGate when 'strong-crypto' is ENABLED:

TLS v1.1:


|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)

 

TLS v1.2:


|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)

 

TLS v1.3:


|     ciphers
|      TLS_AES_256_GCM_SHA384
|      TLS_CHACHA20_POLY1305_SHA256
|      TLS_AES_128_GCM_SHA256

 

Cryptographic protocols SSLv3 and TLSv1.0 will not be offered by the FortiGate when 'strong-crypto' is enabled.

Cryptographic protocols TLSv1.1, TLSv1.2 and TLSv1.3 will be offered by the FortiGate when 'strong-crypto' is enabled.

 

When FortiGate's 'strong-crypto' is enabled, the aim is to ensure that only cryptographic protocols deemed currently strong and secure are offered. Since SSLv3 and TLSv1.0 have recognized vulnerabilities, they are disabled in 'strong-crypto' mode, while the more secure TLSv1.2 and TLSv1.3 are enabled.

39686
0 Kudos
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.