FortiGate
ckhyun_FTNT
Staff
Article Id 193230

Description

This article describes how to check which cipher suites a FortiGate supports.
FortiOS uses cipher suites to select the encryption and authentication algorithms for SSL VPN, IPsec VPN, SSL inspection, SSL offloading, administrator authentication, user authentication, and secure communication with FortiGuard.

Scope

FortiGate.

Solution


Use the following CLI commands to view the complete list of cipher suites available for SSL offloading. The trailing '?' prints the accepted values for 'set cipher' without changing the configuration:

config firewall vip
    edit <vip-name>
        set type server-load-balance
        set server-type https
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 0
                set cipher ?

The list of available cipher suites is as follows:

TLS-AES-128-GCM-SHA256
TLS-AES-256-GCM-SHA384
TLS-CHACHA20-POLY1305-SHA256
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-DSS-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-ARIA-128-CBC-SHA256
TLS-DHE-RSA-WITH-ARIA-256-CBC-SHA384
TLS-DHE-DSS-WITH-ARIA-128-CBC-SHA256
TLS-DHE-DSS-WITH-ARIA-256-CBC-SHA384
TLS-RSA-WITH-SEED-CBC-SHA
TLS-RSA-WITH-ARIA-128-CBC-SHA256
TLS-RSA-WITH-ARIA-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-ARIA-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-ARIA-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-ARIA-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-ARIA-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-RSA-WITH-RC4-128-SHA
TLS-DHE-RSA-WITH-DES-CBC-SHA
TLS-DHE-DSS-WITH-DES-CBC-SHA
TLS-RSA-WITH-DES-CBC-SHA

The same cipher suite list is available in the v7.2, v7.4, and v7.6 branches.

The same configuration is also valid for FortiProxy. The list can also be checked in the CLI Reference: www.docs.fortinet.com -> FortiGate -> Reference Manuals -> select the firmware version -> CLI Reference -> Firewall -> config firewall vip, then search for 'config ssl-server-cipher-suites'.
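
The 'set cipher ?' output above is easier to act on when each suite is graded before it is pinned into a custom list. The following Python script is an added example, not Fortinet code and not part of this article: it parses FortiOS-style cipher names (including the TLS 1.3 names that carry no key-exchange part), flags suites that are weak (RC4, DES, 3DES, MD5) or legacy (static RSA key exchange, DSS authentication, CBC mode), and renders the article's 'config firewall vip' structure with only the recommended suites pinned in priority order. The sample input is a constructed subset of the names listed above, pasted with their trailing periods. The VIP name 'web-offload', the three-tier grading, and the assumptions that ssl-cipher-suites entries are keyed by a priority integer and closed with the standard next/end terminators are the example's own, and the rendered snippet omits the other settings a working VIP needs.

```python
# Added example (not Fortinet code): grade FortiOS cipher suite names and pin the
# recommended ones into a custom SSL-offload cipher list for a firewall VIP.
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the article's 'set cipher ?' listing,
# pasted as-is with the trailing periods the article shows.
SAMPLE_LIST = """
TLS-AES-128-GCM-SHA256.
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384.
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256.
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256.
TLS-RSA-WITH-AES-128-GCM-SHA256.
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA.
TLS-ECDHE-RSA-WITH-RC4-128-SHA.
TLS-RSA-WITH-RC4-128-MD5.
"""

@dataclass
class CipherSuite:
    name: str
    kx: str       # key exchange: ECDHE, DHE, or RSA (static RSA = no forward secrecy)
    auth: str     # server authentication: RSA, ECDSA, DSS; "" for TLS 1.3 names
    cipher: str   # bulk cipher, e.g. AES-128-GCM, CHACHA20-POLY1305, 3DES-EDE-CBC
    mac: str      # HMAC hash, or the handshake hash for AEAD suites
    tls13: bool

# TLS 1.2 and earlier: TLS-<kx>[-<auth>]-WITH-<cipher>-<hash>
_TLS12 = re.compile(r"^TLS-(ECDHE|DHE|RSA)(?:-(RSA|ECDSA|DSS))?-WITH-(.+)-(SHA256|SHA384|SHA|MD5)$")
# TLS 1.3 names carry no key-exchange/auth part: TLS-<aead>-<hash>
_TLS13 = re.compile(r"^TLS-(AES-128-GCM|AES-256-GCM|CHACHA20-POLY1305)-(SHA256|SHA384)$")

def parse_cipher(name: str) -> CipherSuite:
    """Parse one FortiOS cipher name; tolerates surrounding whitespace and a trailing period."""
    name = name.strip().rstrip(".")
    m = _TLS13.match(name)
    if m:
        # TLS 1.3 key exchange is always ephemeral (EC)DHE; authentication follows the certificate.
        return CipherSuite(name, "ECDHE", "", m.group(1), m.group(2), True)
    m = _TLS12.match(name)
    if not m:
        raise ValueError(f"unrecognised FortiOS cipher name: {name!r}")
    kx, auth, cipher, mac = m.groups()
    if auth is None:
        auth = "RSA"  # TLS-RSA-WITH-...: static RSA key exchange with RSA authentication
    return CipherSuite(name, kx, auth, cipher, mac, False)

def grade(cs: CipherSuite) -> tuple[str, list[str]]:
    """Return ('weak' | 'legacy' | 'recommended', reasons). The tiers are this example's own."""
    weak: list[str] = []
    legacy: list[str] = []
    if cs.cipher.startswith("RC4"):
        weak.append("RC4 (prohibited by RFC 7465)")
    if cs.cipher.startswith("DES-"):
        weak.append("single DES (56-bit key)")
    if cs.cipher.startswith("3DES"):
        weak.append("3DES (64-bit block, Sweet32)")
    if cs.mac == "MD5":
        weak.append("MD5 HMAC")
    if cs.kx == "RSA":
        legacy.append("static RSA key exchange (no forward secrecy)")
    if cs.auth == "DSS":
        legacy.append("DSS authentication (removed in TLS 1.3)")
    if "-CBC" in cs.cipher:
        legacy.append("CBC mode (not AEAD)")
    if weak:
        return "weak", weak + legacy
    if legacy:
        return "legacy", legacy
    return "recommended", []   # only forward-secret AEAD suites reach this point

def audit(listing: str) -> dict[str, tuple[str, list[str]]]:
    """Grade every name in a pasted 'set cipher ?' listing, preserving its order."""
    return {cs.name: grade(cs) for cs in map(parse_cipher, listing.split())}

def recommended_ciphers(listing: str) -> list[str]:
    """Names graded 'recommended', in listing order (that order becomes the priority)."""
    return [name for name, (tier, _) in audit(listing).items() if tier == "recommended"]

def fortios_vip_cipher_config(vip_name: str, ciphers: list[str]) -> str:
    """Render the article's 'config firewall vip' structure with the given ciphers pinned.
    Assumes ssl-cipher-suites entries are keyed by priority and closed with next/end;
    the other settings a working VIP needs (extip, mappedip, ...) are omitted."""
    lines = [
        "config firewall vip",
        f"    edit {vip_name}",
        "        set type server-load-balance",
        "        set server-type https",
        "        set ssl-algorithm custom",
        "        config ssl-cipher-suites",
    ]
    for priority, name in enumerate(ciphers, start=1):
        lines += [f"            edit {priority}", f"                set cipher {name}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)
```

Calling audit(SAMPLE_LIST) grades the eight sample names as three recommended, three legacy and two weak suites, and fortios_vip_cipher_config("web-offload", recommended_ciphers(SAMPLE_LIST)) prints the snippet that pins only the three recommended ones, with the first name getting priority 1. Grading is deliberately separate from rendering so the same parser can be run against a full pasted listing, or against the output of a TLS scan of the VIP, to confirm that nothing from the weak tier is still being offered.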

Related document:

FortiOS 7.6.1