FortiGate
mattchow_FTNT
Article Id 242035
Description This article describes how to prove that Transport Layer Security (TLS) version 1.1 is disabled for FortiGate administrative HTTPS access, using a packet capture analysed in Wireshark.
Scope FortiGate.
Solution

Start a packet capture on the FortiGate filtered on the source IP of the test host, then open an HTTPS connection to the administrative interface from that host with a client configured to offer at most TLSv1.1. The sniffer command is as follows:

# diagnose sniffer packet any "host <source ip> and port 443" 6 0

<source ip> is the IP address of the host that connects to the FortiGate administrative interface on TCP port 443 (HTTPS). Verbosity level 6 prints the full packet data together with the interface name, which is the format needed for conversion to .pcap, and a packet count of 0 keeps capturing until Ctrl-C is pressed. If the administrative HTTPS port has been changed (admin-sport under config system global), use that port instead of 443.

Stop the capture with Ctrl-C, save the console output to a text file, convert it to .pcap format (Fortinet's fgt2eth.pl script does this) and open the result in Wireshark.

Filter on the TLS version to find the relevant packets. 'tls.record.version == 0x0302' matches records whose record-layer version is TLS 1.1. Because many clients send the ClientHello with a record-layer version of 0x0301 regardless of the version they offer, also check 'tls.handshake.version == 0x0302' (the version offered inside the ClientHello) and 'tls.alert_message.desc == 40' (the handshake_failure alert) so that neither the offer nor the rejection is missed.

In the example below, the client's ClientHello offers TLSv1.1, and instead of answering with a ServerHello the FortiGate rejects it with a fatal alert whose description is 'Handshake Failure':

[Screenshot: Wireshark capture showing the TLSv1.1 Client Hello from the client followed by the FortiGate's Alert (Handshake Failure)]

It is also possible to use nmap with the ssl-enum-ciphers script directly against the FortiGate's IP and administrative port to verify whether TLS 1.1 is offered at all. Make sure the scan is permitted, and run it from an address that is allowed by the trusted hosts of an administrator account if trusted hosts are configured, since the FortiGate does not answer administrative requests from other addresses. The full command is as follows:

nmap -v -p yyy --script ssl-enum-ciphers x.x.x.x

(yyy is the administrative HTTPS port, 443 by default; x.x.x.x is the FortiGate IP.)


The output below shows ssl-enum-ciphers listing only TLSv1.2 and TLSv1.3, confirming that TLS 1.1 is not available:

[Screenshot: nmap ssl-enum-ciphers output listing only TLSv1.2 and TLSv1.3]
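As an added example (not part of the original article and not Fortinet tooling), the following Python script performs the same check from the client side: it sends a hand-built ClientHello offering TLS 1.0, 1.1 and 1.2 in turn and classifies the FortiGate's reply the same way the Wireshark filters above do, a ServerHello meaning the version is accepted, and an Alert (for example handshake_failure) or an immediate close meaning it is rejected. It is built from raw bytes so that it works even on hosts whose OpenSSL build no longer permits TLS 1.1 in s_client. The target 192.0.2.1 and port 443 are placeholders, and the cipher suite list and all-zero client random are assumptions chosen for a probe; TLS 1.3 (which needs the supported_versions extension) is left to nmap as in the article.

```python
"""Check which legacy TLS versions a FortiGate HTTPS administrative port accepts.

Added example, not Fortinet's own code: it hand-builds a minimal ClientHello per
protocol version, sends it, and classifies the reply (ServerHello = accepted,
Alert or immediate close = rejected). Standard library only.
"""
import socket
import struct
import sys

# Wire encodings of the legacy protocol versions this probe can offer.
VERSIONS = {"TLS 1.0": 0x0301, "TLS 1.1": 0x0302, "TLS 1.2": 0x0303}

# Assumed cipher suite list: common enough that a server accepting the offered
# version normally has one to pick. RSA key-exchange suites are included because
# the probe sends no supported_groups extension for the ECDHE suites.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC013, 0xC014, 0x002F, 0x0035]

# Alert descriptions (RFC 5246) that a rejected version typically produces.
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      47: "illegal_parameter", 80: "internal_error"}


def build_client_hello(version: int) -> bytes:
    """Return one TLS record carrying a ClientHello with client_version=version.

    The record-layer version is fixed at 0x0301 (TLS 1.0), as most client stacks
    do; the offered version lives inside the handshake body. This is why a
    Wireshark filter on tls.record.version may not match the ClientHello itself,
    while tls.handshake.version does.
    """
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version)
            + bytes(32)                                  # client random (zeros, assumption for a probe)
            + b"\x00"                                    # empty session ID
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def client_hello_versions(record: bytes) -> tuple:
    """Return (record_layer_version, handshake_client_version) of a ClientHello record."""
    record_version = struct.unpack("!H", record[1:3])[0]
    client_version = struct.unpack("!H", record[9:11])[0]   # 5-byte record + 4-byte handshake header
    return record_version, client_version


def classify_response(data: bytes) -> dict:
    """Interpret the first TLS record a server sends back to a ClientHello."""
    if not data:
        return {"result": "closed_without_tls"}          # FIN/RST with no alert also means rejected
    if len(data) < 5:
        return {"result": "unexpected", "detail": data.hex()}
    content_type, record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # Handshake: ServerHello
        negotiated = struct.unpack("!H", payload[4:6])[0]
        return {"result": "accepted", "negotiated_version": negotiated,
                "record_version": record_version}
    if content_type == 0x15 and len(payload) >= 2:                           # Alert
        level, desc = payload[0], payload[1]
        return {"result": "rejected", "alert_level": level,
                "alert_description": ALERT_DESCRIPTIONS.get(desc, str(desc)),
                "record_version": record_version}
    return {"result": "unexpected", "content_type": content_type,
            "record_version": record_version}


def probe(host: str, port: int, version: int, timeout: float = 5.0) -> dict:
    """Offer `version` to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""                                   # reset or silence: treated as a close
    return classify_response(data)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder address (TEST-NET-1)
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, ver in VERSIONS.items():
        try:
            print(f"{name:8s} -> {probe(host, port, ver)}")
        except OSError as exc:
            print(f"{name:8s} -> connection error: {exc}")
```

Run it as `python3 tls_probe.py <FortiGate IP> <admin port>` from a host that is allowed to reach the administrative interface. For a FortiGate with TLS 1.1 disabled, the TLS 1.1 line should report "rejected" with "handshake_failure" (matching the alert seen in Wireshark) or "closed_without_tls", while TLS 1.2 reports "accepted" with negotiated_version 0x0303.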