Created on 11-29-2023 08:27 AM, edited on 08-12-2025 10:11 AM, by Stephen_G
Description: This article describes how to remove cipher suites that a Qualys SSL scan reports as weak from a VIP.

Scope: FortiGate.

Solution:
If a Qualys SSL Server Test reports weak cipher suites for an SSL server (as in the scan result shown below) and the server must be compliant with a Qualys SSL scan, it is necessary to allow only the cipher suites that do not test as weak.

Note that while this configuration appears under 'config firewall vip' in the CLI, it only applies to virtual servers (VIPs of type server-load-balance). If a regular VIP is in use and shows this issue, it must be switched to a virtual server first; only then does the fix in this article apply.
```
config firewall vip
    edit "Test"
        set uuid 5a1c82a6-8e34-71ee-e583-29390aeab4b1
        set type server-load-balance
        set server-type https
        set extip <IP_address>
        set extintf "<Port_number>"
        set http-ip-header enable
        set extport 443
        config realservers
            edit 1
                set ip <IP_address>
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "<Certificate_name>"
        set ssl-min-version tls-1.2
    next
end
```
Execute the following commands on the VIP to allow only the cipher suites that are not shown as weak on the Qualys scan above. The configuration above is used as an example.
```
config firewall vip
    edit "Test"
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-AES-128-GCM-SHA256
            next
            edit 2
                set cipher TLS-CHACHA20-POLY1305-SHA256
            next
            edit 3
                set cipher TLS-AES-256-GCM-SHA384
            next
            edit 4
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
            next
            edit 5
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
            next
        end
    next
end
```
After running the above commands, the SSL scan will show only the cipher suites that are not categorized as weak, as below.
Now, the SSL server is compliant with Qualys SSL scan standards.
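As a defender-side check, added here as an example and not taken from the article or from Fortinet, the script below parses a VIP block like the ones above (or the output of `show firewall vip`) and reports anything a Qualys scan would still grade as weak; the grading rule it encodes (CBC mode or static RSA key exchange, plus RC4/3DES/NULL) is an assumption about what drove the scan results, and the sample blocks are constructed.

```python
import re

# Qualys SSL Labs grades CBC-mode suites and static-RSA key exchange (no
# forward secrecy) as WEAK; RC4/3DES/NULL are flagged too. Assumption: this
# is the rule set behind the article's scan result.
def is_weak(cipher: str) -> bool:
    name = cipher.upper()
    if name.startswith("TLS-RSA-WITH-"):
        return True
    return any(tok in name for tok in ("-CBC-", "RC4", "3DES", "NULL"))

def parse_vip(config_text: str) -> dict:
    """Pull VIP name, TLS settings and the ordered custom cipher list from a
    FortiOS 'config firewall vip' block, indented or flattened to one line."""
    def setting(key):
        m = re.search(r"set %s\s+(\S+)" % re.escape(key), config_text)
        return m.group(1).strip('"') if m else None
    name = re.search(r'edit\s+"([^"]+)"', config_text)
    return {"name": name.group(1) if name else None,
            "ssl_algorithm": setting("ssl-algorithm"),
            "ssl_min_version": setting("ssl-min-version"),
            "ciphers": re.findall(r"set cipher\s+(\S+)", config_text)}

def audit(config_text: str) -> list:
    """Return findings; empty means the VIP matches the article's hardened
    state: custom suite list, TLS 1.2 or newer, nothing graded WEAK."""
    vip = parse_vip(config_text)
    findings = []
    if vip["ssl_algorithm"] != "custom":
        findings.append("ssl-algorithm is not custom: built-in suite list applies")
    if vip["ssl_min_version"] not in ("tls-1.2", "tls-1.3"):
        findings.append("ssl-min-version permits TLS 1.1 or older")
    findings += ["weak cipher suite enabled: " + c
                 for c in vip["ciphers"] if is_weak(c)]
    return findings

# Constructed samples: the article's hardened VIP (ssl-min-version carried
# over from its first block) and a weak variant for comparison.
HARDENED = ('config firewall vip edit "Test" set ssl-min-version tls-1.2 '
            'set ssl-algorithm custom config ssl-cipher-suites '
            'edit 1 set cipher TLS-AES-128-GCM-SHA256 next '
            'edit 2 set cipher TLS-CHACHA20-POLY1305-SHA256 next '
            'edit 3 set cipher TLS-AES-256-GCM-SHA384 next '
            'edit 4 set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 next '
            'edit 5 set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 next '
            'end next end')
WEAK = ('config firewall vip edit "Legacy" set ssl-min-version tls-1.0 '
        'set ssl-algorithm custom config ssl-cipher-suites edit 1 set cipher '
        'TLS-RSA-WITH-AES-128-CBC-SHA next edit 2 set cipher '
        'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256 next end next end')
```

Running `audit(HARDENED)` returns an empty list, while `audit(WEAK)` reports both the TLS 1.0 floor and the CBC suite.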
For more details on cipher suites, see Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.
Copyright 2025 Fortinet, Inc. All Rights Reserved.