FortiGate
jlim11
Staff
Article Id 318313
Description

This article describes how to check the TLS version negotiated by a client machine trying to connect to an SSL VPN using FortiClient.
Some FortiClient machines may encounter the following error when trying to connect:

[Screenshot: mismatch TLS version.PNG]

This indicates that the client and the FortiGate could not agree on a TLS version.

Running the SSL VPN debug on the FortiGate also shows an 'unsupported protocol' message for the connection that the client machine is trying to initiate.

[Screenshot: unsupported protocol.PNG]

The FortiGate's default minimum TLS version for accepting SSL VPN connections is tls1.2:

[Screenshot: sslvpn default settings.PNG]

Scope

FortiGate.
Solution

To check the TLS version negotiated by the client machine, perform a packet capture on the FortiGate's external interface, where it accepts SSL VPN connections.

From GUI:

Go to Network -> Packet Capture and select 'Create new'. Filter on the interface and the port used by SSL VPN.

[Screenshot: pcapgui.PNG]

  • Run the packet capture, then initiate the connection from FortiClient.
  • Stop the capture, then download the .pcap file.
  • Open the .pcap file in Wireshark.

[Screenshot: tlspcap10.PNG]

  • Look for the TLS Client Hello with the source IP (the public IP in most cases) of the FortiClient machine, sent right after the TCP three-way handshake.
  • Select the TLS Client Hello, then expand 'Transport Layer Security'.

The TLS version is shown there.
It is possible to filter for the TLS Client Hello in Wireshark with the following display filter:

_ws.col.info == "Client Hello" or tls

[Screenshot: wireshark filter.PNG]
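As an added example (not part of the original article and not Fortinet code), the following Python script reads the same version information from the raw bytes of a Client Hello record, so the check can be applied to a Client Hello exported from Wireshark instead of read off the screen. It also parses the supported_versions extension, which is where a TLS 1.3 client advertises its real versions while the client_version field still says TLS 1.2. The build_client_hello helper, the sample records it produces and the 0x0303 (TLS 1.2) minimum are constructed assumptions for this example.

```python
import struct

# Wire codes for protocol versions; other codes (e.g. GREASE) are ignored
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE, CLIENT_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 0x01, 0x002B


def client_hello_versions(record: bytes) -> list:
    """Version codes a ClientHello record offers, highest first. A TLS 1.3
    client still writes 0x0303 in the legacy client_version field and lists
    its real versions in the supported_versions extension."""
    if len(record) < 9 or record[0] != HANDSHAKE or record[5] != CLIENT_HELLO:
        raise ValueError("not a TLS ClientHello record")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                            # version + random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    offered = []
    if pos + 2 <= len(hello):                               # extensions are optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + length]
            if ext_type == EXT_SUPPORTED_VERSIONS and data:
                offered = [struct.unpack("!H", data[i:i + 2])[0]
                           for i in range(1, 1 + data[0], 2)]
            pos += 4 + length
    versions = [v for v in (offered or [client_version]) if v in TLS_VERSIONS]
    return sorted(versions, reverse=True)


def accepted_by(record: bytes, min_version: int = 0x0303) -> bool:
    """True if the client offers at least min_version; 0x0303 (TLS 1.2) is
    the FortiGate SSL VPN default minimum described above (assumed here)."""
    return any(v >= min_version for v in client_hello_versions(record))


def build_client_hello(client_version: int, supported=()) -> bytes:
    """Constructed sample record, not a real capture: one cipher suite, null
    compression and an optional supported_versions extension."""
    hello = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    hello += b"\x00\x02\x13\x01" + b"\x01\x00"  # cipher_suites, compression
    if supported:
        data = bytes([2 * len(supported)]) + b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        hello += struct.pack("!H", len(ext)) + ext
    body = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(body)) + body
```

To run it against a real capture, select the Client Hello's 'Transport Layer Security' layer in Wireshark, use File -> Export Packet Bytes, and pass the saved bytes to client_hello_versions; a client that returns only TLS 1.0 or 1.1 is the one the FortiGate rejects as 'unsupported protocol'.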
On Windows machines, it is possible to check which TLS versions the machine will offer during negotiation: open 'Internet Options' and then the 'Advanced' tab:

[Screenshot: internet options.PNG]

[Screenshot: TLS versions.PNG]

Related articles:
How to control the SSL version and cipher... - Fortinet Community
Technical Tip: The use of TLS 1.3 Protocol on Wind... - Fortinet Community
