Description | This article describes how to allow only TLS1.2/TLS1.3 traffic through the FortiGate and block lower-version SSL/TLS traffic (SSLv3.0, TLSv1.0, TLSv1.1). |
Scope | FortiGate. |
Solution |
Most TLS traffic today uses TLS1.2 or later, because modern browsers support TLS1.2+ by default. However, there are still legacy applications that may only run on earlier TLS versions, so blocking those versions should be verified against the applications in use before it is enforced.
Approach 1: Use Application Control. The example below was created from a new (default) application list and only adds blocking of TLSv1.1/TLSv1.0/SSLv3.0. Apply it on a firewall policy; it is supported under both inspection modes (flow or proxy) and under either certificate inspection or deep inspection.
config application list
    edit "Default_BlockTLS1.1-"
        set other-application-log enable
        config entries
            edit 1
                set application 41542 41541 41543 <----- TLSv1.0/TLSv1.1/SSLv3. The entry action is block, the default, so it is not listed.
            next
            edit 2
                set category 2 6 <----- category entry carried over from the default application list
            next
        end
    next
end
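The handshake fields these controls look at, as an added example that is not part of this article and not Fortinet code: the TLS version of a session is determined from the ClientHello and ServerHello, which are visible under certificate inspection without decrypting anything. Pre-1.3 clients state their highest version in the hello's version field; TLS1.3 keeps that field at 0x0303 (TLS1.2) and carries the real version in the supported_versions extension (RFC 8446 section 4.2.1), so a check that reads only the legacy field would report TLS1.3 as TLS1.2. The parser below handles both forms and applies a TLS1.2 floor to the version the server selected. The function and constant names are this example's own, and the hellos it parses are constructed by build_hello(), not captured traffic.

```python
"""Identify the TLS version in a ClientHello/ServerHello and apply a TLS 1.2 floor.

Added example, not from the Fortinet article. The hellos used at the bottom are
constructed by build_hello(), not captured traffic.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 43          # RFC 8446 section 4.2.1
CLIENT_HELLO, SERVER_HELLO = 1, 2    # handshake message types
TLS12 = 0x0303


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ClientHello or ServerHello.

    Returns {'type': 'client'|'server', 'legacy_version': int, 'versions': [int]}.
    'versions' is what the message really means: the offered versions for a
    ClientHello, the single selected version for a ServerHello. Without a
    supported_versions extension (pre-TLS 1.3) that is just the legacy field.
    """
    if len(record) < 5 or record[0] != 0x16:                 # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello")
    hs_type = body[0]
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    legacy_version = _u16(hello, 0)
    pos = 2 + 32                                              # version, random
    pos += 1 + hello[pos]                                     # session_id
    if hs_type == CLIENT_HELLO:
        pos += 2 + _u16(hello, pos)                           # cipher_suites vector
        pos += 1 + hello[pos]                                 # compression_methods vector
    else:
        pos += 2 + 1                                          # selected suite + compression
    versions = [legacy_version]
    if pos < len(hello):                                      # extensions are optional pre-1.3
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = _u16(hello, pos), _u16(hello, pos + 2)
            data = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                if hs_type == CLIENT_HELLO:                   # 1-byte length, then 2-byte versions
                    versions = [_u16(data, i) for i in range(1, 1 + data[0], 2)]
                else:                                         # ServerHello carries a bare selected_version
                    versions = [_u16(data, 0)]
    return {"type": "client" if hs_type == CLIENT_HELLO else "server",
            "legacy_version": legacy_version, "versions": versions}


def client_max_version(client_hello: bytes) -> str:
    """Highest version the client is able to negotiate."""
    return VERSION_NAMES.get(max(parse_hello(client_hello)["versions"]), "unknown")


def negotiated_version(server_hello: bytes) -> str:
    """Version the server selected, i.e. what the session will actually use."""
    return VERSION_NAMES.get(parse_hello(server_hello)["versions"][0], "unknown")


def decide(server_hello: bytes, minimum: int = TLS12) -> str:
    """'block' when the selected version is below the floor (TLS 1.2 by default)."""
    return "allow" if parse_hello(server_hello)["versions"][0] >= minimum else "block"


def build_hello(hs_type: int, legacy_version: int, supported_versions=None) -> bytes:
    """Constructed test input: a minimal hello with one cipher suite, optionally
    carrying a supported_versions extension, wrapped in a handshake record."""
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, random, empty session_id
    if hs_type == CLIENT_HELLO:
        hello += struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"      # one suite, null compression
    else:
        hello += b"\x13\x01" + b"\x00"                                 # selected suite, null compression
    if supported_versions:
        if hs_type == CLIENT_HELLO:
            data = bytes([2 * len(supported_versions)]) + b"".join(
                struct.pack("!H", v) for v in supported_versions)
        else:
            data = struct.pack("!H", supported_versions[0])
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([hs_type]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record version 0x0301 for compatibility


if __name__ == "__main__":
    for label, rec in [("TLS 1.3 client", build_hello(CLIENT_HELLO, TLS12, [0x0304, TLS12])),
                       ("TLS 1.0 client", build_hello(CLIENT_HELLO, 0x0301))]:
        print(f"{label}: legacy field {VERSION_NAMES[parse_hello(rec)['legacy_version']]}, "
              f"highest offered {client_max_version(rec)}")
    for label, rec in [("TLS 1.3 server", build_hello(SERVER_HELLO, TLS12, [0x0304])),
                       ("TLS 1.1 server", build_hello(SERVER_HELLO, 0x0302))]:
        print(f"{label}: negotiated {negotiated_version(rec)} -> {decide(rec)}")
```

The decision is taken on the ServerHello because that is the version the session will actually use; the ClientHello only shows what the client could negotiate, which is useful for finding the legacy clients that will break once the floor is enforced.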
The certificate-inspection profile below is essentially the default produced when a new profile is created on v7.0+. It is strongly suggested not to use the built-in read-only 'certificate-inspection' profile: not only can a new profile be customized, but more importantly a newly generated profile gets the correct default values.
Note: To reuse an existing profile, make sure unsupported-ssl-version is set to block. Check this especially when the running configuration originated on an earlier release such as 6.x and was upgraded, since the setting may still carry the earlier release's value.
config firewall ssl-ssh-profile
    edit "TLS1.2Plus-Certificate-Inspection"
        config https
            set ports 443 <----- unsupported-ssl-version is at its default (block) and therefore not listed
        end
        config ftps <----- protocol sub-sections in the profile's standard order: ftps, imaps, pop3s, smtps, ssh, dot
            set status disable
        end
        config imaps
            set status disable
        end
        config pop3s
            set status disable
        end
        config smtps
            set status disable
        end
        config ssh
            set ports 22
        end
        config dot
            set status disable
        end
    next
end
Apply it on a firewall policy (only the identifying lines of the policy are shown; the policy must have utm-status enabled and reference the application list and SSL/SSH profile above via application-list and ssl-ssh-profile):
config firewall policy
    edit 64
        set name "test"
        set srcintf "lan"
    next
end
Check Log:
Approach 2: Use an SSL/SSH profile in deep-inspection mode. As in Approach 1, the profile must have unsupported-ssl-version set to block, which is the default on a profile newly created in v7.0+.
config firewall ssl-ssh-profile
    edit "TLS1.2-Deep-Inspection"
        config https
            set ports 443
        end
        config ftps
            set ports 990
        end
        config imaps
            set ports 993
        end
        config pop3s
            set ports 995
        end
        config smtps
            set ports 465
        end
        config ssh
            set ports 22
        end
        config dot
            set status disable
        end
        config ssl-exempt <----- default exemptions of the deep-inspection profile, by FortiGuard web filter category
            edit 1
                set fortiguard-category 31
            next
            edit 2
                set fortiguard-category 33
            next
            edit 3
                set fortiguard-category 87
            next
        end
    next
end
Apply it on a firewall policy (only the identifying lines are shown; the policy must have utm-status enabled and reference the profile via ssl-ssh-profile):
config firewall policy
    edit 64
        set name "t450"
    next
end
Check Log:
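A way to verify the result from a client behind the policy, for either approach, as an added example that is not part of this article and not a Fortinet tool: the script pins a handshake to one protocol version at a time, records what (if anything) is negotiated, and compares the outcome with the intended policy, where TLSv1.0 and TLSv1.1 attempts must fail and TLSv1.2 and TLSv1.3 must succeed. The target host and port are assumed command-line arguments; the function names are this example's own. The FortiGate's own log entries for the blocked attempts confirm the same from the firewall side.

```python
"""Probe a host through the firewall with each TLS version pinned and compare
the outcome with the intended policy (TLS 1.2 floor).

Added example, not part of the article and not a Fortinet tool. The target
host and port are assumed arguments; the FortiGate itself is not contacted.
"""
import socket
import ssl
import sys

# Versions to probe; the policy should block the first two and pass the rest.
PROBES = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]
FLOOR = ssl.TLSVersion.TLSv1_2


def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """Handshake with exactly one protocol version allowed.

    Returns the negotiated version string (e.g. 'TLSv1.2'), or None when the
    handshake fails. A reset, timeout or alert is what a blocking firewall
    produces, but also what a server that itself refuses the version produces,
    so compare against a server known to accept the old versions.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False            # testing the path, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # OpenSSL 3 refuses TLS 1.0/1.1 at its default level
        except ssl.SSLError:
            pass
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ValueError):             # ssl.SSLError and socket.timeout are OSError subclasses
        return None


def evaluate(results: dict, minimum: ssl.TLSVersion = FLOOR) -> list:
    """Compare probe results with the policy.

    results maps each pinned ssl.TLSVersion to the negotiated version or None.
    Returns a list of violations; an empty list means the floor is enforced.
    """
    violations = []
    for version, negotiated in sorted(results.items()):
        if version < minimum and negotiated is not None:
            violations.append(f"{version.name} was allowed (negotiated {negotiated})")
        elif version >= minimum and negotiated is None:
            violations.append(f"{version.name} was blocked but should pass")
    return violations


def run(host: str, port: int = 443) -> list:
    """Probe every version in PROBES and return the policy violations found."""
    results = {v: probe(host, port, v) for v in PROBES}
    for version, negotiated in results.items():
        print(f"{version.name:8} -> {negotiated or 'handshake failed'}")
    return evaluate(results)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed host behind the policy
    problems = run(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("policy enforced" if not problems else "\n".join(problems))
```

Run it once from a client whose traffic matches the policy and once from a path that bypasses it (or against a host known to still accept TLSv1.0/1.1): a failed TLSv1.0 handshake only proves the firewall is blocking if the same handshake succeeds without the policy in the path.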
|