Description
This article describes the global CLI settings that restrict FortiOS to stronger encryption for its own HTTPS, SSH, TLS and SSL functions.
Solution
Turn on global strong encryption.
Enter the following commands to configure FortiOS to use only strong encryption: only the ciphers FortiOS classes as strong (AES, 3DES) and the SHA1 digest are allowed for its HTTPS, SSH, TLS, and SSL functions. This governs the FortiGate's own connections (administrative HTTPS and SSH, and the TLS/SSL services the unit terminates or initiates), not traffic that is merely forwarded through it. Note that "strong" here is FortiOS's definition: 3DES and SHA-1 remain in the allowed set even though both are now regarded as legacy algorithms, so this setting is a minimum floor rather than a guarantee that only modern suites are offered.
# config system global
    set strong-crypto enable
end
Disable MD5 and CBC for SSH.
In some cases it may not be possible to enable strong encryption, for example when the FortiGate must communicate with a system that does not support it. With strong-crypto disabled, the following options still prevent SSH sessions with the FortiGate from using the weaker HMAC-MD5 integrity algorithm and CBC-mode ciphers:
# config system global
    set ssh-hmac-md5 disable
    set ssh-cbc-cipher disable
end
Disable static keys for TLS.
Use the following command to prevent all TLS sessions terminated by the FortiGate from using static-key cipher suites (AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256). These are the RSA key-transport suites (TLS_RSA_WITH_AES_128_CBC_SHA and its siblings) in which the session key is encrypted under the server's long-term RSA key, so anyone who later obtains that private key can decrypt recorded sessions. Disabling them leaves the suites with an ephemeral Diffie-Hellman key exchange, which provide forward secrecy.
# config system global
    set ssl-static-key-ciphers disable
end
Require larger values for Diffie-Hellman exchanges.
A larger Diffie-Hellman group makes the key exchange harder to attack: the discrete-logarithm problem the attacker would have to solve grows with the modulus size. It does not change the strength of the symmetric cipher negotiated afterwards, and 8192-bit exchanges cost noticeably more CPU per handshake, so test administrative access and the unit's SSL services under load before rolling the setting out widely. Use the following command to force Diffie-Hellman exchanges to use 8192-bit values (the highest configurable DH value).
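As an added example that is not part of this article or of Fortinet's own tooling, the script below audits a saved `show full-configuration system global` dump for the four settings covered above, applying the article's own logic that the SSH MD5/CBC options only matter while strong-crypto is disabled. The two configuration dumps embedded in it are constructed for illustration, not captured from a real unit. The article text above does not show the command for the Diffie-Hellman step, so the option name `dh-params` used here comes from the FortiOS CLI reference rather than from this page and should be treated as an assumption.

```python
"""Offline audit of the FortiOS 'config system global' crypto settings
discussed in this article. Added example; not Fortinet code."""
import re

# Enable/disable options from the article and the hardened value for each.
HARDENED = {
    "strong-crypto": "enable",
    "ssh-hmac-md5": "disable",
    "ssh-cbc-cipher": "disable",
    "ssl-static-key-ciphers": "disable",
}

# Per the article, these two only matter when strong-crypto is disabled:
# with it enabled FortiOS already refuses HMAC-MD5 and CBC ciphers for SSH.
ONLY_WHEN_STRONG_CRYPTO_OFF = {"ssh-hmac-md5", "ssh-cbc-cipher"}

# Diffie-Hellman group size. Assumption: the option name is taken from the
# FortiOS CLI reference; the article does not show the command itself.
DH_OPTION = "dh-params"

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s+(.+?)\s*$")

# Constructed sample (not a real device dump): a unit left at weak settings.
WEAK_DUMP = """\
FGT-lab # show full-configuration system global
config system global
    set admin-port 80
    set admin-sport 443
    set alias "FGT-lab"
    set dh-params 2048
    set hostname "FGT-lab"
    set ssh-cbc-cipher enable
    set ssh-hmac-md5 enable
    set ssl-static-key-ciphers enable
    set strong-crypto disable
    set timezone 04
end
"""

# Constructed sample: the same unit after the changes in this article.
# The SSH MD5/CBC lines are omitted; they are moot once strong-crypto is on.
HARDENED_DUMP = """\
FGT-lab # show full-configuration system global
config system global
    set admin-port 80
    set admin-sport 443
    set alias "FGT-lab"
    set dh-params 8192
    set hostname "FGT-lab"
    set ssl-static-key-ciphers disable
    set strong-crypto enable
    set timezone 04
end
"""


def parse_system_global(dump: str) -> dict:
    """Return {option: value} from the 'config system global' block of a
    FortiOS dump. Quotes around string values are stripped; the CLI prompt
    and any other sections are ignored."""
    settings = {}
    in_block = False
    for line in dump.splitlines():
        stripped = line.strip()
        if not in_block:
            in_block = stripped == "config system global"
            continue
        if stripped == "end":
            break
        m = SET_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings


def audit(dump: str, min_dh_bits: int = 8192) -> list:
    """Return a sorted list of findings; an empty list means compliant.
    Expects 'show full-configuration system global' output, which lists
    every option; plain 'show system global' omits options left at their
    default, and those are reported here as missing rather than guessed."""
    cfg = parse_system_global(dump)
    findings = []
    strong = cfg.get("strong-crypto") == "enable"
    for option, want in HARDENED.items():
        if option in ONLY_WHEN_STRONG_CRYPTO_OFF and strong:
            continue  # already enforced by strong-crypto enable
        have = cfg.get(option)
        if have is None:
            findings.append(f"{option}: not in dump (use 'show full-configuration system global')")
        elif have != want:
            findings.append(f"{option}: is '{have}', want '{want}'")
    dh = cfg.get(DH_OPTION)
    if dh is None:
        findings.append(f"{DH_OPTION}: not in dump (use 'show full-configuration system global')")
    elif not dh.isdigit() or int(dh) < min_dh_bits:
        findings.append(f"{DH_OPTION}: is {dh}, want at least {min_dh_bits} bits")
    return sorted(findings)


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
        result = audit(dump)
        print(f"{name}: {'compliant' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

Run it against a dump saved from the unit (paste the session output into a file and pass its contents to `audit`). Because `show system global` hides options at their default, an option reported as "not in dump" is a prompt to re-capture with `show full-configuration` rather than a confirmed weakness.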