FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vhitnal
Staff
Staff
Description
This article describes how to set global commands for stronger and more secure encryption.

Solution
Turn on global strong encryption.

Enter the following command to configure FortiOS to use only strong encryption and allow only strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS, SSH, TLS, and SSL functions.
# config system global
    set strong-crypto enable
end
Disable MD5 and CBC for SSH.

In some cases, it will maybe not possible to enable strong encryption.
For example, the FortiGate may be communicating with a system that does not support strong encryption.
With strong-crypto disabled it is possible to use the following options to prevent SSH sessions with the FortiGate from using less secure MD5 and CBC algorithms:

# config system global
    set ssh-hmac-md5 disable
    set ssh-cbc-cipher disable
end
Disable static keys for TLS.

Use the following command to prevent all TLS sessions that are terminated by FortiGate from using static keys (AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256):
# config system global
    set ssl-static-key-ciphers disable
end
Require larger values for Diffie-Hellman exchanges.

Larger Diffie-Hellman values result in stronger encryption.
Use the following command to force Diffie-Hellman exchanges to use 8192 bit values (the highest configurable DH value).

# config system global
    set dh-params 8192
end

Contributors