FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 216028
Description This article describes how to control insecure ciphers entering the network through explicit DoT and DoH traffic.
Scope FortiGate.

On FortiOS 7.0, 'ssl-ssh-profile' added 'min-allowed-ssl-version' per protocol, and it's applied to DoT and DoH.

This option limits the minimum allowed SSL version but 'ssl-ssh-profile' does not have control to filter static key ciphers.


Hence the following global commands were introduced to control explicit DoT handshake in 7.0.6 and 7.2.0 onward.


# config system global
    set ssl-min-proto-version           <SSLv3|TLSv1|TLSv1-1|*TLSv1-2|TLSv1-3>
    set ssl-static-key-ciphers <*enable|disable>
    set strong-crypto <*enable|disable>


DoT can use a pre-filtered cipher list now.