Description
This article shows the cipher suites offered by the FortiGate firewall when 'strong-crypto' is disabled and when it is enabled.
By default, 'strong-crypto' is disabled. However, it is recommended to enable 'strong-crypto', which forces the FortiGate to use strong encryption and allow only strong ciphers.
Solution
'strong-crypto' can only be enabled via the command line. Connect to the FortiGate with an SSH client (for example, PuTTY) and enter the following commands:
# config system global
# set strong-crypto enable
# end
The following cipher suites are offered by the FortiGate when 'strong-crypto' is DISABLED:
| SSLv3:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)
TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)
TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
| TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)
TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_DES_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (dh 128)
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
| TLS_ECDHE_RSA_WITH_RC4_128_SHA (dh 256)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 1024)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 1024)
| TLS_RSA_WITH_RC4_128_SHA (rsa 1024)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
| TLS_RSA_WITH_RC4_128_SHA (rsa 2048)
| TLS_RSA_WITH_SEED_CBC_SHA (rsa 2048)
TLSv1.3
| ciphers
| TLS_AES_256_GCM_SHA384
| TLS_CHACHA20_POLY1305_SHA256
| TLS_AES_128_GCM_SHA256
The following cipher suites are offered by the FortiGate when 'strong-crypto' is ENABLED:
TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (dh 256)
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (dh 256)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 1024)
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 1024)
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
TLSv1.3
| ciphers
| TLS_AES_256_GCM_SHA384
| TLS_CHACHA20_POLY1305_SHA256
| TLS_AES_128_GCM_SHA256
Cryptographic protocols SSLv3 and TLSv1.0 will not be offered by the FortiGate when 'strong-crypto' is enabled.
Cryptographic protocols TLSv1.1 and TLSv1.2 will be offered by the FortiGate when 'strong-crypto' is enabled.
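To confirm that the setting took effect, a captured listing in the format shown above can be checked against what the 'strong-crypto' ENABLED listing contains. The following is an added example, not Fortinet code: the function names and the sample are constructed, and the expectations (no SSLv3 or TLSv1.0, no 3DES, DES, RC4, SEED or CAMELLIA suites) are read off the two listings on this page.

```python
import re

# Expectations taken from the two listings on this page: with strong-crypto
# enabled, SSLv3/TLSv1.0 disappear and no remaining suite uses these algorithms.
DROPPED_PROTOCOLS = {"SSLv3", "TLSv1.0"}
DROPPED_ALGORITHMS = ("3DES", "DES", "RC4", "SEED", "CAMELLIA")
PROTO_RE = re.compile(r"^\|?\s*((?:SSLv|TLSv)[\d.]+):?\s*$")
SUITE_RE = re.compile(r"^\|?\s*(TLS_[A-Z0-9_]+)(?:\s+\(([^)]*)\))?")

# Constructed sample: a short excerpt in the style of the DISABLED listing.
SAMPLE = """\
| SSLv3:
| ciphers:
| TLS_RSA_WITH_RC4_128_MD5 (rsa 2048)
TLSv1.2:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 128)
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (dh 256)
| TLS_RSA_WITH_DES_CBC_SHA (rsa 1024)
TLSv1.3
| TLS_AES_256_GCM_SHA384
"""

def parse_listing(text):
    """Return {protocol: [(suite, key_note), ...]} from a listing."""
    offered, current = {}, None
    for line in text.splitlines():
        proto = PROTO_RE.match(line)
        suite = SUITE_RE.match(line)
        if proto:
            current = proto.group(1)
            offered.setdefault(current, [])
        elif suite and current:
            offered[current].append((suite.group(1), suite.group(2) or ""))
    return offered

def audit(offered):
    """List findings that contradict the strong-crypto ENABLED listing."""
    findings = []
    for proto, suites in offered.items():
        if proto in DROPPED_PROTOCOLS:
            findings.append(f"{proto}: protocol still offered")
        for name, _ in suites:
            # Compare whole name components so DES does not match 3DES.
            weak = [a for a in DROPPED_ALGORITHMS if a in name.split("_")]
            if weak:
                findings.append(f"{proto}: {name} uses {weak[0]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_listing(SAMPLE))))
```

An empty result from `audit` means the captured listing is consistent with the ENABLED listing above.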