JianWu
Staff
Article Id 340444
Description: This article describes how to allow only TLS 1.2/TLS 1.3 traffic through the FortiGate and block traffic using lower SSL/TLS versions.
Scope: FortiGate.
Solution:

Most TLS traffic today runs on TLS 1.2 or later, since modern browsers support TLS 1.2+ by default. However, there are still legacy applications that may only run on earlier TLS versions.
A common enterprise practice is to block the earlier TLS versions while making exceptions for the applications that need them through dedicated policies (a narrowed source/destination IP range along with other restrictions).

Approach 1:

Use Application Control. The example below was created from a new/default profile and only blocks TLSv1.1/TLSv1.0/SSLv3.0.

Apply it to a firewall policy. This approach is supported under both inspection modes (flow or proxy) and under both certificate inspection and deep inspection.

[Screenshot: AppCtrl-Block-TLS1.1_n_Below.PNG]

config application list
    edit "Default_BlockTLS1.1-"
        set other-application-log enable
        config entries
            edit 1
                set application 41542 41541 41543    <----- TLSv1.0/TLSv1.1/SSLv3.0
            next
            edit 2
                set category 2 6
            next
        end
    next
end

The certificate-inspection profile below is essentially the default when created on v7.0+. It is highly recommended not to use the built-in read-only 'certificate-inspection' profile: not only can a newly created profile be customized, but more importantly, a newly generated entry will carry the correct default values.

Note:
If an existing profile is reused, make sure unsupported-ssl-version is set to block. Watch out for this especially if the running configuration originated on an earlier version, such as 6.x, and was upgraded.

config firewall ssl-ssh-profile
    edit "TLS1.2Plus-Certificate-Inspection"
        config https
            set ports 443
            set status certificate-inspection
        end
        config ftps
            set status disable
        end
        config imaps
            set status disable
        end
        config pop3s
            set status disable
        end
        config smtps
            set status disable
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
        end
    next
end

Apply it on a firewall policy:

config firewall policy
    edit 64
        set name "test"
        set srcintf "lan"
        set dstintf "WAN-Zone"
        set action accept
        set srcaddr "Host-192.168.1.23"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "TLS1.2Plus-Certificate-Inspection"
        set av-profile "g-default"
        set application-list "Default_BlockTLS1.1-"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
end

Check the logs:
The block can be seen in the Traffic log and in the Application Control log, as shown in the screenshots below:

[Screenshot: TLS-Block-TrafficLog.PNG]

[Screenshot: TLS-Block-AppCtrlLog.PNG]
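As an added example (not part of the original article or of FortiOS), the script below parses FortiOS key=value log lines of the kind shown in the Application Control log above and tallies legacy SSL/TLS blocks per source/destination, so the hosts that still depend on an older version can be identified for the narrowed exception policies mentioned earlier. The sample log lines are constructed; only the field names follow the FortiOS key=value syntax, and the application IDs are the three from the profile above.

```python
import re
from collections import Counter

# Application IDs from the Application Control entry above (TLSv1.0/TLSv1.1/SSLv3.0).
LEGACY_TLS_APPIDS = {"41541", "41542", "41543"}

# FortiOS logs are space-separated key=value pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict (quotes stripped)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}

def legacy_tls_blocks(lines):
    """Count Application Control blocks of legacy SSL/TLS per (srcip, dstip, dstport, app)."""
    hits = Counter()
    for line in lines:
        f = parse_fortios_log(line)
        if f.get("subtype") != "app-ctrl" or f.get("action") != "block":
            continue  # only app-ctrl blocks; traffic and pass events are ignored
        if f.get("appid") not in LEGACY_TLS_APPIDS:
            continue  # some other blocked application, not a legacy TLS version
        hits[(f.get("srcip", ""), f.get("dstip", ""), f.get("dstport", ""), f.get("app", ""))] += 1
    return hits

def exception_candidates(hits, min_hits=2):
    """Flows blocked repeatedly: candidates for a narrowed src/dst exception policy."""
    return sorted(
        ((key, n) for key, n in hits.items() if n >= min_hits),
        key=lambda item: (-item[1], item[0]),
    )

# Constructed sample log lines (values are invented; field names follow FortiOS syntax).
SAMPLE_LOGS = [
    'type="utm" subtype="app-ctrl" eventtype="signature" srcip=192.168.1.23 dstip=203.0.113.10 '
    'dstport=443 service="HTTPS" applist="Default_BlockTLS1.1-" appid=41542 app="TLSv1.0" action="block"',
    'type="utm" subtype="app-ctrl" eventtype="signature" srcip=192.168.1.23 dstip=203.0.113.10 '
    'dstport=443 service="HTTPS" applist="Default_BlockTLS1.1-" appid=41542 app="TLSv1.0" action="block"',
    'type="utm" subtype="app-ctrl" eventtype="signature" srcip=192.168.1.50 dstip=198.51.100.7 '
    'dstport=8443 service="HTTPS" applist="Default_BlockTLS1.1-" appid=41541 app="TLSv1.1" action="block"',
    # TLS 1.2 is allowed (action="pass"); the appid here is a constructed placeholder.
    'type="utm" subtype="app-ctrl" eventtype="signature" srcip=192.168.1.23 dstip=203.0.113.10 '
    'dstport=443 service="HTTPS" applist="Default_BlockTLS1.1-" appid=40000 app="TLSv1.2" action="pass"',
]

if __name__ == "__main__":
    for (src, dst, port, app), n in exception_candidates(legacy_tls_blocks(SAMPLE_LOGS)):
        print(f"{src} -> {dst}:{port} {app} blocked {n}x; review for a dedicated exception policy")
```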

Approach 2:
This approach requires BOTH proxy inspection mode AND deep inspection:

config firewall ssl-ssh-profile
    edit "TLS1.2-Deep-Inspection"
        config https
            set ports 443
            set status deep-inspection
            set unsupported-ssl-negotiation block    <----- Set to block.
            set min-allowed-ssl-version tls-1.2      <----- Desired minimum version.
        end
        config ftps
            set ports 990
            set status deep-inspection
        end
        config imaps
            set ports 993
            set status deep-inspection
        end
        config pop3s
            set ports 995
            set status deep-inspection
        end
        config smtps
            set ports 465
            set status deep-inspection
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
        end
        config ssl-exempt
            edit 1
                set fortiguard-category 31
            next
            edit 2
                set fortiguard-category 33
            next
            edit 3
                set fortiguard-category 87
            next
        end
        set ssl-negotiation-log enable    <----- Enable.
        set ssl-handshake-log enable
    next
end

config firewall policy
    edit 64
        set name "t450"
        set uuid 89ab1b40-1489-51ee-e88b-ce36489b0d2b
        set srcintf "lan"
        set dstintf "WAN-Zone"
        set action accept
        set srcaddr "Host-192.168.1.23"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "TLS1.2-Deep-Inspection"
        set av-profile "g-default"
        set logtraffic all
        set logtraffic-start enable
        set nat enable
    next
end

Check the logs:

[Screenshot: TLSBlock-SSHProfile-TrafficLog.PNG]

[Screenshot: TLSBlock-SSHProfile-SSLLog.PNG]