FortiGate
ytoh_FTNT
Staff
Article Id 192331

Description

This article shows the cipher suites offered by the FortiGate firewall when 'strong-crypto' is disabled and when it is enabled.

By default, 'strong-crypto' is disabled. It is recommended to enable it: doing so forces the FortiGate to use strong encryption and to offer only strong cipher suites.


Solution

'strong-crypto' can only be enabled via the command line. Connect to the FortiGate with an SSH client (for example PuTTY) and enter the following commands:

config system global
    set strong-crypto enable
end

The following cipher suites are offered by the FortiGate when 'strong-crypto' is DISABLED:

|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
|       TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)

|   TLSv1.3:
|     ciphers:
|       TLS_AES_256_GCM_SHA384
|       TLS_CHACHA20_POLY1305_SHA256
|       TLS_AES_128_GCM_SHA256

The following cipher suites are offered by the FortiGate when 'strong-crypto' is ENABLED:

|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)

|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)

|   TLSv1.3:
|     ciphers:
|       TLS_AES_256_GCM_SHA384
|       TLS_CHACHA20_POLY1305_SHA256
|       TLS_AES_128_GCM_SHA256

Cryptographic protocols SSLv3 and TLSv1.0 will not be offered by the FortiGate when 'strong-crypto' is enabled.

Cryptographic protocols TLSv1.2 and TLSv1.3 will be offered by the FortiGate when 'strong-crypto' is enabled.


When FortiGate's 'strong-crypto' is enabled, the aim is to ensure that only cryptographic protocols deemed currently strong and secure are offered. Since SSLv3 and TLSv1.0 have recognized vulnerabilities, they are disabled in 'strong-crypto' mode, while the more secure TLSv1.2 and TLSv1.3 are enabled.
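A quick way to confirm the change took effect is to scan the FortiGate's listener and compare the result with the two listings above. The following added example (not from the article or Fortinet) parses scan output in the nmap ssl-enum-ciphers layout shown here and flags anything that should have disappeared once 'strong-crypto' is enabled; the two embedded samples are constructed, abridged copies of the listings, and the weak-component token list is derived from the differences between them.

```python
import re
# Constructed, abridged samples in the nmap ssl-enum-ciphers layout the
# article reproduces (not live scans); headers keep the '|' prefix.
SCAN_DISABLED = """\
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
"""
SCAN_ENABLED = """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
|   TLSv1.3:
|     ciphers:
|      TLS_AES_128_GCM_SHA256
"""
# Protocols and suite components that disappear from the ENABLED listing.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1.0"}
WEAK_TOKENS = ("_DES_", "3DES", "RC4", "SEED", "_MD5", "CAMELLIA")
PROTO_RE = re.compile(r"^(?:\|\s*)?(SSLv3|TLSv1\.[0-3]):?\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)(?:\s+\(.*\))?\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: [suite, ...]} from nmap-style enum output."""
    offered, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:                       # protocol header, e.g. '|   TLSv1.2:'
            current = m.group(1)
            offered.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)   # suite line, key-size note is optional
        if m and current:
            offered[current].append(m.group(1))
    return offered

def audit(offered):
    """Findings that contradict a 'set strong-crypto enable' posture."""
    findings = []
    for proto, suites in offered.items():
        if proto in WEAK_PROTOCOLS:
            findings.append(f"{proto}: protocol offered")
        findings += [f"{proto}: weak suite {s}" for s in suites
                     if any(t in s for t in WEAK_TOKENS)]
    return findings
```

An empty result from audit() on a fresh scan matches the ENABLED listing; any finding means the setting is not in effect on that listener or a weak suite survived.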