Created on 01-02-2020 01:27 AM
Edited on 03-06-2025 11:52 PM
By Jean-Philippe_P
Description
This article describes how to use the CLI to change the TLS versions allowed when accessing the GUI.
Scope
FortiGate.
Solution
By default, TLS 1.1 and TLS 1.2 are enabled for access to the FortiGate GUI via a web browser.
To verify what version is enabled:
config system global
show full-config | grep 'min-proto'
end
The output screenshot below is an example from version 7.2.8 firmware:
If VDOMs are enabled, enter this again:
config system global
get | grep 'min-proto'
To change this setting from the CLI:
config system global
set admin-https-ssl-versions (shift + ?) <- To list the available TLS versions.
tlsv1-0 TLS 1.0.
tlsv1-1 TLS 1.1.
tlsv1-2 TLS 1.2.
set admin-https-ssl-versions tlsv1-2 <- With this setting, only TLS 1.2 is allowed.
end
From v6.4, tlsv1-0 is no longer supported, and tlsv1-3 was introduced instead:
config system global
set admin-https-ssl-versions
tlsv1-1 TLS 1.1.
tlsv1-2 TLS 1.2.
tlsv1-3 TLS 1.3.
TLS 1.3 is not available on Low-Encryption (LENC) FortiGates.
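To audit saved configuration backups for the setting changed above, the following Python sketch reads the 'config system global' block and flags tlsv1-0 and tlsv1-1. It is an added example, not Fortinet code. The function names and sample configurations are constructed, and treating a missing setting as TLS 1.1 plus TLS 1.2 is an assumption based on the default stated in this article.

```python
import re

# Option names as listed in this article; these two are the legacy versions.
WEAK = {"tlsv1-0", "tlsv1-1"}
# Assumption taken from the article: TLS 1.1 and TLS 1.2 are on by default, so
# a backup that omits the setting (defaults are hidden) is treated as this.
PAGE_DEFAULT = ["tlsv1-1", "tlsv1-2"]

def admin_https_versions(config_text):
    """Return (versions, explicit) from the 'config system global' block."""
    depth, global_depth = 0, None   # nesting of config blocks; where global opened
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if line == "config system global" and global_depth is None:
                global_depth = depth   # depth 2 when wrapped in 'config global'
        elif line == "end":
            if depth == global_depth:
                global_depth = None
            depth = max(depth - 1, 0)
        elif depth == global_depth:
            m = re.match(r"set admin-https-ssl-versions\s+(.+)$", line)
            if m:
                return m.group(1).split(), True
    return list(PAGE_DEFAULT), False

def audit(config_text):
    """Summarise which admin GUI TLS versions are allowed and which are weak."""
    versions, explicit = admin_https_versions(config_text)
    weak = sorted(v for v in versions if v in WEAK)
    return {"versions": versions, "explicit": explicit,
            "weak": weak, "compliant": not weak}

# Constructed sample backups (not taken from a real device).
LEGACY = """config system global
    set admin-https-ssl-versions tlsv1-1 tlsv1-2
    set hostname "FGT-LAB"
end"""
VDOM_HARDENED = """config vdom
edit root
next
end
config global
config system global
    set hostname "FGT-LAB"
    set admin-https-ssl-versions tlsv1-2 tlsv1-3
end
end"""
IMPLICIT_DEFAULT = """config system global
    set hostname "FGT-LAB"
end"""

if __name__ == "__main__":
    for name, cfg in [("legacy", LEGACY), ("vdom", VDOM_HARDENED),
                      ("default", IMPLICIT_DEFAULT)]:
        print(name, audit(cfg))
```

A result with "explicit": False means the backup does not set the option, so the device falls back to its default and should be checked on the CLI as shown earlier.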