|
In some situations and in some environments, it is maybe necessary to disable or control the cipher suites to use to access FortiGate as admin user account.
To do this, consider banning the cipher suites via HTTPS by using the CLI commands as below.
To fix the issue.
In the CLI commands of FortiGate:
FGT # config system global
FGT # set admin-https-ssl-banned-ciphers XXX <----- XXX is cipher suite wanted.
FGT # end
XXX can be any item listed below:
- RSA: Ban the use of cipher suites using RSA key.
- DHE: Ban the use of cipher suites using authenticated ephemeral DH key agreement.
- ECDHE: Ban the use of cipher suites using authenticated ephemeral ECDH key agreement.
- DSS: Ban the use of cipher suites using DSS authentication.
- ECDSA: Ban the use of cipher suites using ECDSA authentication.
- AES: Ban the use of cipher suites using either 128 or 256 bit AES.
- AESGCM: Ban the use of cipher suites using AES in Galois Counter Mode (GCM).
- CAMELLIA: Ban the use of cipher suites using either 128 or 256 bit CAMELLIA.
- 3DES: Ban the use of cipher suites using triple DES.
- SHA1: Ban the use of cipher suites using HMAC-SHA1.
- SHA256: Ban the use of cipher suites using HMAC-SHA256.
- SHA384: Ban the use of cipher suites using HMAC-SHA384.
- STATIC: Ban the use of cipher suites using static keys.
- CHACHA20: Ban the use of cipher suites using ChaCha20.
- ARIA: Ban the use of cipher suites using ARIA.
- AESCCM: Ban the use of cipher suites using AESCCM.
Example:
To disable or ban cipher suites with 3DES, AES ,and SHA1; use the CLI commands below.
FGT # config system global
FGT # set admin-https-ssl-banned-ciphers 3DES AES SHA1
FGT # end
For more details on the cipher suite, see Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.
|
