mriha (Staff)
Article Id 339511
Description This article describes the difference between the min-allowed-ssl-version and unsupported-ssl-version settings found in the firewall ssl-ssh-profile section of the configuration.
Scope FortiGate, FortiProxy.
Solution

The unsupported-ssl-version option handles cases where the TLS version is not supported by FortiGate. Since v6.4.3, TLS 1.0 is not supported when strong-crypto is enabled. Because of this change, the following actions for unsupported TLS versions were added:

config firewall ssl-ssh-profile
    edit deep-inspection
        config https
            set ?
            unsupported-ssl-version    Action based on the SSL version used being unsupported.

            set unsupported-ssl-version [allow* | block | inspect]
            allow      Bypass the session when the version is not supported.
            block      Block the session when the version is not supported.
            inspect    Inspect the session when the version is not supported.

For example, if the allow action is configured, a TLS 1.0 session bypasses deep inspection: even in a deep-inspection profile, its certificate is not re-signed.


The min-allowed-ssl-version setting checks whether the configured minimum TLS version is met. If the version seen in a ClientHello or a ServerHello does not meet that minimum, the connection is blocked.
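As an added illustration (not from this article or from Fortinet's code) of how the two settings act on the version carried in a ClientHello or ServerHello, the Python below extracts the version from a hello (including the TLS 1.3 supported_versions extension, which the legacy version field alone misses) and applies both checks to it. The evaluation order of the two settings, the function names and the constructed sample hellos are assumptions.

```python
import struct
SUPPORTED_VERSIONS_EXT = 0x002B                              # RFC 8446 extension type 43
TLS_1_0, TLS_1_1, TLS_1_2, TLS_1_3 = 0x0301, 0x0302, 0x0303, 0x0304

def hello_version(record: bytes) -> int:
    """Highest version offered in a ClientHello (type 1) or selected in a ServerHello (type 2).
    TLS 1.3 keeps legacy_version at 0x0303, so supported_versions takes precedence."""
    body = record[5:]                           # strip the 5-byte TLS record header
    htype = body[0]
    legacy = struct.unpack("!H", body[4:6])[0]  # after handshake type(1) + length(3)
    pos = 6 + 32                                # skip legacy_version and random
    pos += 1 + body[pos]                        # session_id
    if htype == 1:                              # ClientHello: cipher_suites vector
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 1 + body[pos]                    # compression_methods vector
    else:                                       # ServerHello: one suite + one method
        pos += 3
    if pos + 2 > len(body):
        return legacy                           # no extensions block (pre-1.3 hello)
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        if etype == SUPPORTED_VERSIONS_EXT:
            if htype == 1:                      # client: 1-byte list length, then versions
                return max(struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2))
            return struct.unpack("!H", data[:2])[0]
        pos += 4 + elen
    return legacy

def profile_action(version: int, min_allowed: int, unsupported_action: str, strong_crypto: bool = True) -> str:
    """Model of the two settings. Assumption (not stated in the article): the unsupported-ssl-version
    check is evaluated before the min-allowed-ssl-version check."""
    if strong_crypto and version <= TLS_1_0:    # TLS 1.0 unsupported since 6.4.3 with strong-crypto
        return unsupported_action               # 'allow' (bypass), 'block' or 'inspect'
    if version < min_allowed:                   # hello below the configured minimum
        return "block"
    return "inspect"

def client_hello(legacy: int, offered=()) -> bytes:
    """Constructed sample ClientHello (not a capture); 'offered' fills supported_versions."""
    ext = b""
    if offered:
        lst = b"".join(struct.pack("!H", v) for v in offered)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(lst) + 1, len(lst)) + lst
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```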