Created on 08-15-2023 09:13 AM
Edited on 08-12-2025 08:29 AM
By Stephen_G
Description: This article describes what happens when specific cipher suites and TLS versions are configured on a virtual server (server load balancing VIP) of a FortiGate running in FIPS-CC mode.
Scope: All supported versions of FortiGate.
Solution:
Example topology:
Client -> Internet -> (WAN) FortiGate (LAN) -> Real server
Note: TLS 1.3 is not supported by virtual servers in FIPS-CC mode, and the ECDHE-RSA AES-GCM cipher suites shown in the example configuration below are not supported either. Before troubleshooting a failed handshake, confirm the operating mode with 'get system status', which reports whether FIPS-CC mode is enabled.
Example configuration:

config firewall vip
    edit "<Virtual server name>"
        set type server-load-balance
        set extip x.x.x.x                      <- WAN IP address.
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip y.y.y.y                 <- Real server IP.
            next
        end
        set http-supported-max-version http1
        set ssl-mode full
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
            next
            edit 2
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
            next
        end
    next
end

With the two cipher suites above configured on a FortiGate in FIPS-CC mode, the client-to-FortiGate TLS handshake fails: the virtual server does not complete the negotiation with either suite, so clients cannot be served through the VIP. Choose the cipher suites for the VIP from those listed as supported in the Technical Tip referenced below.
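To confirm the behaviour from the client side before changing the VIP, the following Python script, added here as an example and not code from this article or from Fortinet, attempts a TLS 1.2 handshake against the virtual server with each cipher suite from the configuration above and then a TLS 1.3 handshake, reporting which ones the FortiGate completes. VIP_HOST and VIP_PORT are placeholders assumed to be the VIP's extip and extport. FortiOS names cipher suites in IANA style, so the script first converts each name to the OpenSSL name that Python's ssl module understands; that conversion covers the AES suites FortiOS lists and is the script's own helper, not a FortiOS function.

```python
"""Client-side TLS probe for a FortiGate virtual server (server-load-balance VIP).

Added example for this article, not Fortinet code. It attempts one handshake per
(TLS version, cipher suite) against the VIP and reports whether the
client-to-FortiGate handshake completed. VIP_HOST / VIP_PORT are placeholders
(assumed to be the VIP's 'set extip' and 'set extport').
"""
import re
import socket
import ssl
from typing import Dict, List, Optional

VIP_HOST = "x.x.x.x"   # assumed: the VIP's extip
VIP_PORT = 443         # assumed: the VIP's extport

# The two suites from the article's 'config ssl-cipher-suites' block.
FORTIOS_CIPHERS = [
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
]


def fortios_to_openssl(name: str) -> str:
    """Translate a FortiOS (IANA-style) TLS 1.2 AES suite name to OpenSSL's short name.

    FortiOS writes TLS-<kx>-WITH-<cipher>-<mac>; OpenSSL drops 'TLS-' and 'WITH-',
    joins the AES key size to 'AES', omits 'CBC', and omits a plain-RSA key
    exchange prefix (TLS-RSA-WITH-AES-128-CBC-SHA -> AES128-SHA).
    """
    m = re.fullmatch(r"TLS-(.+?)-WITH-(.+)", name)
    if not m:
        raise ValueError(f"not a TLS 1.2 style FortiOS cipher name: {name}")
    kx, suite = m.groups()
    suite = re.sub(r"AES-(\d+)", r"AES\1", suite).replace("-CBC", "")
    return suite if kx == "RSA" else f"{kx}-{suite}"


def client_context(version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                   fortios_cipher: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context pinned to exactly one TLS version.

    Certificate verification is disabled on purpose: the question is whether the
    handshake completes at all, not whether the VIP's certificate chains to a CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    if fortios_cipher is not None:
        # Offer only this one suite, so a successful handshake proves the VIP accepts it.
        ctx.set_ciphers(fortios_to_openssl(fortios_cipher))
    return ctx


def offered_ciphers(fortios_cipher: str) -> List[str]:
    """OpenSSL names the TLS 1.2 client would offer after restricting to one FortiOS suite."""
    return [c["name"] for c in client_context(ssl.TLSVersion.TLSv1_2, fortios_cipher).get_ciphers()]


def probe(host: str, port: int, fortios_cipher: Optional[str] = None,
          version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
          timeout: float = 5.0) -> Dict[str, object]:
    """Attempt one handshake and report the outcome as a dict instead of raising."""
    ctx = client_context(version, fortios_cipher)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        # The FortiGate rejected the offer (typically a handshake_failure alert):
        # the outcome this article describes for these suites in FIPS-CC mode.
        return {"ok": False, "error": exc.reason or str(exc)}
    except OSError as exc:
        return {"ok": False, "error": f"connection error: {exc}"}


def run_all(host: str = VIP_HOST, port: int = VIP_PORT) -> Dict[str, Dict[str, object]]:
    """Probe every configured suite over TLS 1.2, then TLS 1.3 with OpenSSL's default suites."""
    results: Dict[str, Dict[str, object]] = {}
    for name in FORTIOS_CIPHERS:
        results[f"TLSv1.2 {name}"] = probe(host, port, name, ssl.TLSVersion.TLSv1_2)
    results["TLSv1.3 (default suites)"] = probe(host, port, None, ssl.TLSVersion.TLSv1_3)
    return results


if __name__ == "__main__":
    for label, outcome in run_all().items():
        status = "handshake OK" if outcome["ok"] else f"FAILED: {outcome['error']}"
        print(f"{label:60} {status}")
```

Run it from a client on the Internet side of the FortiGate after replacing the placeholders. A FAILED line with an SSL error for both TLS 1.2 suites, and for the TLS 1.3 attempt, matches the unsupported combination described above; a "handshake OK" line names the version and suite the virtual server actually accepted.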
For more details on these cipher suites, see Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.
Copyright 2025 Fortinet, Inc. All Rights Reserved.