Rosalyn
Staff
Article Id 213584
Description

This article describes how to block insecure TLS/SSL connections.
Scope

FortiGate, FortiProxy.

Solution

By default, FortiGate (up to v7.0.4) and FortiProxy allow TLS 1.0 (or SSL) connections to pass under both SSL certificate inspection and deep inspection.

Insecure TLS/SSL connections can be blocked with the command 'set unsupported-ssl block'.

Here is an example:

config firewall ssl-ssh-profile
    edit "test"
        config https
            set ports 443
            set unsupported-ssl block <----- Default action: bypass.
        end
    next
end
Note:

  • FortiGate has this option available only for deep-inspection profiles.
  • The unsupported versions are hard-coded up to v7.0.4, where they become adjustable via the new CLI syntax:

config firewall ssl-ssh-profile
    edit "test"
        config https
            set status deep-inspection
            set unsupported-ssl block <----- New default.
            set min-allowed-ssl-version tls-1.1 <----- New option; the default value is 'tls-1.1'.
        end
    next
end
Related article:

Technical Tip: Difference between min-allowed-ssl-version and unsupported-ssl-version in firewall ss...

Then assign the profile to the firewall policy that carries the traffic to be inspected:

config firewall policy
    edit 0
        set srcintf "Internal"
        set dstintf "Internet"
        set srcaddr "10.10.10.0/24"
        set internet-service enable
        set internet-service-id 10617015 65539
        set action accept <----- Inspection profiles apply only to 'accept' policies.
        set status enable
        set schedule "always"
        set logtraffic all
        set logtraffic-start enable
        set ssl-ssh-profile "test" <----- Assign the SSL inspection profile.
    next
end
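To confirm from a client behind that policy that the block is effective, the following added example (not part of this article and not Fortinet tooling) sends a raw ClientHello that advertises only the chosen protocol version and reports whether a ServerHello came back, an alert was returned, or the connection was closed; the target host and the minimal legacy cipher-suite list are assumptions.

```python
"""Added example (not part of this article): probe which TLS versions a
server still negotiates through the firewall. Host and port are assumptions."""
import os
import socket
import struct
import sys

TLS_VERSIONS = {"ssl3": 0x0300, "tls1.0": 0x0301, "tls1.1": 0x0302, "tls1.2": 0x0303}
NAMES = {v: k for k, v in TLS_VERSIONS.items()}


def build_client_hello(version: int, host: str) -> bytes:
    """Minimal ClientHello whose highest offered version is `version`."""
    # A small set of CBC suites that a legacy TLS 1.0/1.1 endpoint accepts.
    suites = struct.pack("!4H", 0xC013, 0xC014, 0x002F, 0x0035)
    sni = host.encode()
    server_name = struct.pack("!HBH", len(sni) + 3, 0, len(sni)) + sni
    extensions = struct.pack("!HH", 0x0000, len(server_name)) + server_name
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"  # version, random, no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake  # record type 22 = handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the peer sent back (empty = connection closed or reset)."""
    if not data:
        return "blocked"
    if data[0] == 0x15 and len(data) >= 7:                       # alert record: level, description
        return f"alert {data[5]}/{data[6]}"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # handshake record carrying ServerHello
        negotiated = struct.unpack("!H", data[9:11])[0]
        return "negotiated " + NAMES.get(negotiated, hex(negotiated))
    return "unexpected"


def probe(host: str, version: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TCP connection, send the ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(TLS_VERSIONS[version], host))
        try:
            return classify_response(s.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "blocked"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # assumed host name
    for name in TLS_VERSIONS:
        print(f"{name:7} -> {probe(target, name)}")
```

With the profile applied, the tls1.0 (and ssl3) rows should report "blocked" or an alert while tls1.2 still negotiates.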
Related documents

SSL traffic over TLS 1.0 will not be checked and will be bypassed by default

Changes in CLI

Technical Tip: How to block lower TLS version for pass-through traffic