FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to control insecure ciphers entering the network through explicit DoT and DoH traffic.
Scope
FortiGate.
Solution
On FortiOS 7.0, 'ssl-ssh-profile' added 'min-allowed-ssl-version' per protocol, and it's applied to DoT and DoH.
This option limits the minimum allowed SSL version but 'ssl-ssh-profile' does not have control to filter static key ciphers.
Hence the following global commands were introduced to control explicit DoT handshake in 7.0.6 and 7.2.0 onward.
# config system global set ssl-min-proto-version <SSLv3|TLSv1|TLSv1-1|*TLSv1-2|TLSv1-3> set ssl-static-key-ciphers <*enable|disable> set strong-crypto <*enable|disable> end
