This article shows how to control the SSL version and the Cipher Suites used in the SSL Handshake for the SSL VPN configured on FortiGate Firewalls.
Use the following to control which SSL/TLS versions the SSL VPN accepts (FortiOS releases before 6.2):
# config vpn ssl settings
set sslv3 {enable | disable}     Enable/disable SSLv3.
set tlsv1-0 {enable | disable}   Enable/disable TLSv1.0.
set tlsv1-1 {enable | disable}   Enable/disable TLSv1.1.
set tlsv1-2 {enable | disable}   Enable/disable TLSv1.2.
end

On 6.2 or above you should use the following instead, which set the lowest and the highest TLS version the SSL VPN will negotiate:
# config vpn ssl settings
set ssl-min-proto-ver {tls1-0 | tls1-1 | tls1-2 | tls1-3}
set ssl-max-proto-ver {tls1-0 | tls1-1 | tls1-2 | tls1-3}
end
where the values are:
tls1-0 TLS version 1.0.
tls1-1 TLS version 1.1.
tls1-2 TLS version 1.2.
tls1-3 TLS version 1.3.
SSLv3, TLS 1.0 and TLS 1.1 are obsolete. Unless a legacy client still depends on them, disable them (on 6.2 or above, set ssl-min-proto-ver to tls1-2), and keep ssl-min-proto-ver at or below ssl-max-proto-ver.
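The FortiGate only tells you what is configured; to confirm what the portal actually negotiates, probe it from the outside. The script below is an added example, not code from the original article or from Fortinet. It pins a client handshake to one TLS version at a time with Python's standard ssl module and compares the outcome with the ssl-min-proto-ver / ssl-max-proto-ver window you set. The host and port, and the function names probe_version, probe_all and policy_findings, are the editor's assumptions; the observed dictionaries in the usage note are constructed, not captured from a real device.

```python
"""Probe which TLS versions an SSL VPN portal accepts and compare the result
with the configured ssl-min-proto-ver / ssl-max-proto-ver window.
Added example; assumes a reachable portal at host:port."""
import socket
import ssl
import sys

# Version names as the FortiGate CLI spells them, oldest first.
VERSION_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]
PY_VERSION = {
    "tls1-0": ssl.TLSVersion.TLSv1,
    "tls1-1": ssl.TLSVersion.TLSv1_1,
    "tls1-2": ssl.TLSVersion.TLSv1_2,
    "tls1-3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, name, timeout=5.0):
    """Attempt a handshake pinned to exactly one TLS version.

    Returns "accepted" if the server completed it, "refused" if the TLS layer
    rejected it (the usual sign that the version is disabled on the portal),
    or "error" if the TCP connection itself failed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol policy, not the certificate
    ctx.minimum_version = PY_VERSION[name]
    ctx.maximum_version = PY_VERSION[name]
    try:
        # Lower our own OpenSSL security level so a legacy version is refused
        # by the server's policy rather than by the client's own defaults.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # cipher string not understood by this OpenSSL build; keep defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
    except ssl.SSLError:
        return "refused"
    except OSError:
        return "error"


def probe_all(host, port):
    """Probe every version the CLI can name."""
    return {name: probe_version(host, port, name) for name in VERSION_ORDER}


def policy_findings(observed, min_ver, max_ver):
    """Compare probe results with the configured version window.

    observed maps a version name to "accepted" / "refused" / "error".
    Returns (violations, warnings): a version accepted outside the window is a
    violation; a version refused inside it is a warning (the FortiOS build or
    the probing client may simply not support it, but it deserves a look)."""
    lo, hi = VERSION_ORDER.index(min_ver), VERSION_ORDER.index(max_ver)
    if lo > hi:
        raise ValueError("ssl-min-proto-ver must not be above ssl-max-proto-ver")
    violations, warnings = [], []
    for idx, name in enumerate(VERSION_ORDER):
        result = observed.get(name, "error")
        allowed = lo <= idx <= hi
        if result == "accepted" and not allowed:
            side = ("below ssl-min-proto-ver " + min_ver) if idx < lo else ("above ssl-max-proto-ver " + max_ver)
            violations.append(f"{name} accepted but {side}")
        elif result == "refused" and allowed:
            warnings.append(f"{name} refused although allowed by the configured window")
    return violations, warnings


if __name__ == "__main__":
    # usage: python3 probe_sslvpn.py <host> <port> <min-ver> <max-ver>
    host, port, min_ver, max_ver = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    results = probe_all(host, port)
    for name in VERSION_ORDER:
        print(f"{name}: {results[name]}")
    violations, warnings = policy_findings(results, min_ver, max_ver)
    for line in violations:
        print("VIOLATION:", line)
    for line in warnings:
        print("WARNING:", line)
    sys.exit(1 if violations else 0)
```

Run it against the portal address and the window you configured, for example `python3 probe_sslvpn.py vpn.example.net 10443 tls1-2 tls1-3`. A constructed result such as {"tls1-0": "accepted", "tls1-1": "refused", "tls1-2": "accepted", "tls1-3": "refused"} against that window yields one violation (tls1-0 still accepted) and one warning (tls1-3 refused). If tls1-2 itself comes back "refused", suspect the probing machine's OpenSSL before the FortiGate.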
Use the following commands to change the SSL cipher suite for the SSL VPN:
# config vpn ssl settings
set algorithm <cipher_suite>
end
where one of the cipher strength levels replaces <cipher_suite>. Pre FortiOS 5.4, the cipher suite options are only "low, medium, high" or "low, medium, default".

Individual cipher technologies can additionally be excluded from the SSL VPN negotiation. More than one option can be listed, separated by spaces:
# config vpn ssl settings
set banned-cipher {option}   Select one or more cipher technologies that cannot be used in SSL-VPN negotiations.
end
RSA Ban the use of cipher suites using an RSA key.
DH Ban the use of cipher suites using DH.
DHE Ban the use of cipher suites using authenticated ephemeral DH key agreement.
ECDH Ban the use of cipher suites using ECDH key exchange.
ECDHE Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
DSS Ban the use of cipher suites using DSS authentication.
ECDSA Ban the use of cipher suites using ECDSA authentication.
AES Ban the use of cipher suites using either 128 or 256 bit AES.
AESGCM Ban the use of cipher suites using AES in Galois/Counter Mode (GCM).
CAMELLIA Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
3DES Ban the use of cipher suites using triple DES.
SHA1 Ban the use of cipher suites using SHA1.
SHA256 Ban the use of cipher suites using SHA256.
SHA384 Ban the use of cipher suites using SHA384.
STATIC Ban the use of cipher suites using static keys.
Note that RSA covers cipher suites using an RSA key, which includes the ECDHE-RSA suites authenticated by an RSA server certificate, so banning it on a portal that presents an RSA certificate can leave no usable suite. To remove only the non-ephemeral key exchanges, ban STATIC instead. Check the result with "show vpn ssl settings" and with a client handshake test before rolling the change out to users.
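The following is an added example of the settings above applied as a before/after pair; it is not configuration from the original article or a Fortinet recommendation. It assumes FortiOS 6.2 or later (for ssl-min-proto-ver and ssl-max-proto-ver), a portal that presents an RSA server certificate, and clients that support TLS 1.2 or 1.3; the "Before" and "After" labels are annotations, not CLI input.

```text
Before (weak): legacy versions allowed, nothing banned, medium cipher strength
    config vpn ssl settings
        set ssl-min-proto-ver tls1-0
        set ssl-max-proto-ver tls1-3
        set algorithm medium
    end

After (hardened): TLS 1.2 and 1.3 only, ephemeral key exchange only,
no 3DES, SHA1 or DSS suites; RSA is deliberately not banned so that
the ECDHE-RSA suites used with the RSA certificate remain available
    config vpn ssl settings
        set ssl-min-proto-ver tls1-2
        set ssl-max-proto-ver tls1-3
        set algorithm high
        set banned-cipher STATIC 3DES SHA1 DSS
    end
```

After applying the hardened block, confirm it with "show vpn ssl settings" and test a connection from the oldest client build still in use; banning SHA1 removes every CBC-SHA1 suite, which is the intended effect once TLS 1.0 and 1.1 are out of the window but will break any client that offers nothing else.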
Copyright 2023 Fortinet, Inc. All Rights Reserved.