FortiGate
mattchow_FTNT
Article Id 242035
Description This article describes how to verify, using a FortiGate packet capture and Wireshark, that TLS version 1.1 is disabled for FortiGate administrative (HTTPS) access.
Scope FortiGate.
Solution

Start a sniffer on the FortiGate that captures only the traffic between the test client and the HTTPS administrative port, then, from that client, open a connection that offers TLS 1.1 only (for example 'openssl s_client -connect <fortigate ip>:443 -tls1_1'; recent OpenSSL builds refuse to offer TLS 1.1 at their default security level, so the client side of the test may need an older toolchain or a lowered security level). The capture command is:

# diagnose sniffer packet any "host <source ip> and port 443" 6 0

<source ip> is the IP address of the client that connects to the FortiGate on TCP port 443 (HTTPS). Verbosity level 6 prints every packet with its interface name and a full Ethernet-level hex dump, which is what the pcap conversion needs; the trailing 0 means capture without a packet limit until Ctrl-C. If the HTTPS administrative port has been changed (admin-sport under config system global), use that port in the filter instead of 443.

After stopping the capture, save the CLI output to a text file, convert it to .pcap format (Fortinet's fgt2eth.pl converter accepts verbosity 6 output) and open the result in Wireshark.

In Wireshark, filter on the TLS record-layer version with 'tls.record.version == 0x0302' (0x0302 is TLS 1.1; Wireshark versions older than 3.0 use the 'ssl.' prefix instead of 'tls.'). Because some clients put a lower version in the record layer of their Client Hello than the version they actually offer, it is worth also checking 'tls.handshake.version == 0x0302', which matches the client_version field inside the Client Hello.

For example, the Client Hello from the client offered TLSv1.1, and the FortiGate rejected it with a fatal alert whose description is 'Handshake Failure' instead of answering with a Server Hello, as shown in the screenshot below:

[Screenshot: Wireshark capture showing the TLSv1.1 Client Hello from the client followed by the FortiGate's Alert with description 'Handshake Failure']
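As an added example (not part of the original article and not a Fortinet tool), the following Python script does offline what the Wireshark filter above does: it parses the text of a verbosity 6 sniffer dump, strips the Ethernet/IPv4/TCP headers and reports, for each TLS record, the record-layer version, the Client Hello's client_version and any alert description. The embedded dump is constructed for this example (a TLS 1.1 Client Hello from 192.0.2.10 and the firewall's fatal handshake_failure alert, with IP and TCP checksums left as zero); the assumed dump layout is one header line per packet followed by '0xOFFSET hex-words ascii' lines.

```python
"""Classify the TLS records in a FortiGate `diagnose sniffer packet ... 6 0`
text dump, mirroring Wireshark's tls.record.version filter.  Example code added
to this article, not a Fortinet tool.  SAMPLE_DUMP is constructed: a TLS 1.1
ClientHello from 192.0.2.10 and the firewall's handshake_failure alert, with
zero IP/TCP checksums (the parser does not verify checksums)."""
import re
import struct

# Assumed verbosity-6 layout: one header line per packet, then hex-dump lines
# "0xOFFSET  hhhh hhhh ...  ascii".  Only the space-separated hex words are read;
# the ASCII column is separated by a tab or several spaces and is ignored.
HEX_LINE = re.compile(r"^0x[0-9a-f]+\s+([0-9a-f]{2,4}(?: [0-9a-f]{2,4})*)")

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}


def parse_dump(text):
    """Return [(header_line, frame_bytes)] for every packet in the dump."""
    frames, header, buf = [], None, bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            buf += bytes.fromhex(m.group(1).replace(" ", ""))
        elif line.strip():            # packet header, or the interfaces=/filters= preamble
            if buf:
                frames.append((header, bytes(buf)))
            header, buf = line.strip(), bytearray()
    if buf:
        frames.append((header, bytes(buf)))
    return frames


def tcp_payload(frame):
    """Strip Ethernet II / IPv4 / TCP headers; return (src, dst, payload) or None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                   # not IPv4 over Ethernet, or not TCP
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4         # TCP data offset, in 32-bit words
    return f"{src}:{sport}", f"{dst}:{dport}", tcp[doff:]


def classify_tls(payload):
    """Describe the first TLS record in a TCP payload, or None if it is not TLS."""
    if len(payload) < 5 or payload[0] not in (0x14, 0x15, 0x16, 0x17):
        return None
    ctype = payload[0]
    version, length = struct.unpack("!HH", payload[1:5])
    body = payload[5:5 + length]
    if ctype == 0x16 and len(body) >= 6 and body[0] == 0x01:   # Handshake: ClientHello
        hello_version = struct.unpack("!H", body[4:6])[0]         # client_version field
        kind, detail = "ClientHello", VERSIONS.get(hello_version, f"0x{hello_version:04x}")
    elif ctype == 0x15 and len(body) >= 2:                      # Alert: level, description
        level = "fatal" if body[0] == 2 else "warning"
        kind, detail = "Alert", f"{level} {ALERTS.get(body[1], str(body[1]))}"
    else:
        kind, detail = f"content type 0x{ctype:02x}", None
    return {"kind": kind, "record_version": version,
            "record_version_name": VERSIONS.get(version, f"0x{version:04x}"),
            "detail": detail}


def analyse(text, record_version=None):
    """Equivalent of 'tls.record.version == <record_version>' in Wireshark."""
    out = []
    for _header, frame in parse_dump(text):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, payload = parsed
        rec = classify_tls(payload)
        if rec and (record_version is None or rec["record_version"] == record_version):
            out.append({"src": src, "dst": dst, **rec})
    return out


# Constructed sample: client 192.0.2.10:51234 -> FortiGate 192.0.2.1:443.
SAMPLE_DUMP = """\
interfaces=[any]
filters=[host 192.0.2.10 and port 443]
2.851234 port1 in 192.0.2.10.51234 -> 192.0.2.1.443: psh 1:51(50) ack 1
0x0000\t 0009 0f09 0001 000c 29aa bbcc 0800 4500\t..............E.
0x0010\t 005a 0001 4000 4006 0000 c000 020a c000\t.Z..@.@.........
0x0020\t 0201 c822 01bb 0000 0001 0000 0001 5018\t................
0x0030\t 0100 0000 0000 1603 0200 2d01 0000 2903\t..........-...).
0x0040\t 0211 2233 4411 2233 4411 2233 4411 2233\t................
0x0050\t 4411 2233 4411 2233 4411 2233 4411 2233\t................
0x0060\t 4400 0002 002f 0100\t......
2.852107 port1 out 192.0.2.1.443 -> 192.0.2.10.51234: psh 1:8(7) ack 51
0x0000\t 000c 29aa bbcc 0009 0f09 0001 0800 4500\t..............E.
0x0010\t 002f 0002 4000 4006 0000 c000 0201 c000\t./..@.@.........
0x0020\t 020a 01bb c822 0000 0001 0000 0033 5018\t.............3P.
0x0030\t 0100 0000 0000 1503 0200 0202 28\t.............
"""

if __name__ == "__main__":
    for rec in analyse(SAMPLE_DUMP, record_version=0x0302):
        print(f"{rec['src']} -> {rec['dst']}: {rec['kind']} "
              f"(record {rec['record_version_name']}) {rec['detail'] or ''}")
```

Run against a real capture by replacing SAMPLE_DUMP with the saved CLI output; a FortiGate with TLS 1.1 disabled shows the client's TLS 1.1 ClientHello followed by a fatal alert from port 443 and no ServerHello, which is the same evidence the Wireshark filter gives.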