FortiGate
mdibaee (Staff)
Article Id 328646
Description

This article describes how to restrict the SSL ciphers offered by FortiGate for DNS over TLS communications when FortiGate is used as a DNS server.

 

Scope

FortiOS 7.0.6+, 7.2.0+.

 

Solution

Starting from FortiOS 7.0.6 and 7.2.0, disabling ssl-static-key-ciphers prevents every TLS session terminated by FortiGate from using cipher suites with a static (non-ephemeral) key exchange, for example AES128-SHA, AES256-SHA, AES128-SHA256 and AES256-SHA256. For additional information, refer to: New features or enhancements.

config system global
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2* | TLSv1-3}
    set ssl-static-key-ciphers {enable* | disable}
    set strong-crypto {enable* | disable}
end

Note: The default setting is marked with *.

The effect of the above commands can be seen by running an SSL scan against the DoT listener (TCP port 853). Example output before the change:

[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-GCM-SHA384
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-CHACHA20-POLY1305
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-GCM-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-CAMELLIA256-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-CAMELLIA128-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: AES256-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: CAMELLIA256-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: AES128-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: CAMELLIA128-SHA256

Unlike other TLS services on FortiGate such as SSL VPN, DNS over TLS (DoT) currently offers no way to allow or ban an individual cipher suite. However, the static-key suites in the scan above (the entries with no DHE- or ECDHE- key-exchange prefix, from AES256-GCM-SHA384 down to CAMELLIA128-SHA256) are restricted by FortiGate once ssl-static-key-ciphers is disabled.
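As an added example (not part of this article or of FortiOS), the following Python script reads scanner output in the "[+] host:port - Connected with SSL Version: ..., Cipher: ..." format shown above, separates static-key suites from ephemeral ones so a re-scan after "set ssl-static-key-ciphers disable" can be checked for leftovers, and includes a live probe that asks a DoT listener whether it still completes a TLS 1.2 handshake with a given suite. The host, port 853 and the sample lines are assumptions; certificate verification is skipped in the probe because only cipher negotiation is being tested.

```python
import re
import socket
import ssl

# Matches one line of the scanner output format shown in the article.
SCAN_LINE = re.compile(
    r"Connected with SSL Version:\s*(?P<version>\S+),\s*Cipher:\s*(?P<cipher>\S+)"
)


def is_static_key_cipher(name: str) -> bool:
    """True when the suite has no ephemeral key exchange (no forward secrecy).

    OpenSSL-style names drop the key-exchange part for static RSA suites
    (e.g. AES128-SHA256), ephemeral suites carry DHE-/ECDHE-, and TLS 1.3
    suites (TLS_...) always use an ephemeral exchange.
    """
    if name.startswith("TLS_"):
        return False
    return re.search(r"(^|-)(EC)?DHE-", name) is None


def audit_scan(text: str) -> dict:
    """Return {'static': [...], 'ephemeral': [...]} for the ciphers in a scan."""
    result = {"static": [], "ephemeral": []}
    for m in SCAN_LINE.finditer(text):
        bucket = "static" if is_static_key_cipher(m["cipher"]) else "ephemeral"
        result[bucket].append(m["cipher"])
    return result


def dot_accepts_cipher(host: str, cipher: str, port: int = 853, timeout: float = 5.0) -> bool:
    """Live check: does the DoT listener finish a TLS 1.2 handshake with this suite?"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False          # assumption: internal FortiGate, trust not under test
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher)         # SSLError if the local OpenSSL lacks the suite
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except (ssl.SSLError, OSError):
        return False


# Constructed sample in the scanner's format (a subset of the output above).
SAMPLE_SCAN = """
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-GCM-SHA384
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
[+] 192.168.2.10:853      - Connected with SSL Version: TLSv1.2, Cipher: CAMELLIA128-SHA256
"""
```

After disabling ssl-static-key-ciphers, audit_scan on a fresh scan should return an empty "static" list, and dot_accepts_cipher(host, "AES128-SHA256") should return False.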