FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rahulkaushik-22
Article Id 268929
Description: This article describes the outcome of configuring the cipher suites and TLS version listed below on a virtual server in FIPS-CC mode.
Scope: All supported versions of FortiGate.
Solution

Example topology:

Client -> Internet -> (wan)FortiGate(LAN) -> Real server

Note: TLS 1.3 is not supported by virtual servers in FIPS-CC mode.

The following cipher suites are also not supported by virtual servers in FIPS-CC mode:

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Example configuration:

config firewall vip
    edit "<Virtual server name>"
        set type server-load-balance
        set extip x.x.x.x              <- WAN IP address.
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip y.y.y.y         <- Real server IP.
                set port 443
            next
        end
        set http-supported-max-version http1
        set ssl-mode full
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
            next
            edit 2
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
            next
        end
    next
end

When the virtual server is configured with these cipher suites, the client-to-FortiGate TLS handshake fails in FIPS-CC mode.
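To catch this before a change is pushed, the configuration can be audited offline. The script below is an added example, not a Fortinet tool: it parses `config firewall vip` output in the `config / edit / set / next / end` layout shown above and flags the two cipher suites this article lists as unsupported in FIPS-CC mode, plus a TLS 1.3 version bound. The sample configuration is constructed (placeholder addresses and a placeholder VIP name), and the `ssl-min-version` / `ssl-max-version` option names with the `tls-1.3` value are an assumption about how the TLS version bound appears in the CLI; the third cipher suite in the sample is simply one that is not on the article's unsupported list.

```python
"""Audit FortiGate `config firewall vip` output for settings this article
says a virtual server cannot use in FIPS-CC mode.

Added example, not a Fortinet tool. Assumes FortiOS CLI layout
(config / edit / set / next / end). The option names ssl-min-version and
ssl-max-version, and the value tls-1.3, are assumptions."""

# Cipher suites the article lists as unsupported by virtual servers in FIPS-CC mode.
UNSUPPORTED_FIPS_CC_CIPHERS = {
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
}

# Constructed sample: the article's example VIP with placeholder values,
# plus an assumed ssl-max-version line and one suite not on the article's list.
SAMPLE_CONFIG = """\
config firewall vip
    edit "vs-https-example"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 192.0.2.20
                set port 443
            next
        end
        set http-supported-max-version http1
        set ssl-mode full
        set ssl-max-version tls-1.3
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
            next
            edit 2
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
            next
            edit 3
                set cipher TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
            next
        end
    next
end
"""


def parse_vips(config_text):
    """Return {vip_name: settings} from `config firewall vip` output.

    A stack of open `config` tables records which table a `set` line belongs
    to, so cipher lines inside `config ssl-cipher-suites` are attributed to
    the enclosing VIP rather than to the realservers table."""
    vips = {}
    tables = []   # names of the config tables currently open
    vip = None    # name of the VIP whose `edit` block we are inside
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            tables.append(" ".join(tokens[1:]))
        elif kw == "end":
            tables.pop()
        elif kw == "edit" and tables[-1] == "firewall vip":
            vip = tokens[1].strip('"')
            vips[vip] = {"server-type": None, "ssl-min-version": None,
                         "ssl-max-version": None, "ciphers": []}
        elif kw == "next" and tables[-1] == "firewall vip":
            vip = None
        elif kw == "set" and vip is not None and len(tokens) >= 3:
            key, value = tokens[1], tokens[2]
            if tables[-1] == "ssl-cipher-suites" and key == "cipher":
                vips[vip]["ciphers"].append(value)
            elif tables[-1] == "firewall vip" and key in vips[vip]:
                vips[vip][key] = value
    return vips


def audit_fips_cc(vips):
    """Return (vip_name, finding) pairs for settings that the article says
    make the client-to-FortiGate handshake fail on a FIPS-CC virtual server.
    Only https virtual servers (the article's case) are checked."""
    findings = []
    for name, v in vips.items():
        if v["server-type"] != "https":
            continue
        for suite in v["ciphers"]:
            if suite in UNSUPPORTED_FIPS_CC_CIPHERS:
                findings.append((name, f"unsupported cipher in FIPS-CC mode: {suite}"))
        for key in ("ssl-min-version", "ssl-max-version"):
            if v[key] == "tls-1.3":   # assumed value format for TLS 1.3
                findings.append((name, f"{key} tls-1.3 is not supported in FIPS-CC mode"))
    return findings


if __name__ == "__main__":
    for vip_name, finding in audit_fips_cc(parse_vips(SAMPLE_CONFIG)):
        print(f"{vip_name}: {finding}")
```

Run against the constructed sample, the audit reports the two unsupported GCM suites and the assumed `ssl-max-version tls-1.3` line, and leaves the third suite alone because the article does not list it. Feeding it real `show firewall vip` output replaces the sample text; VIPs whose `server-type` is not `https` are skipped, since the article's finding is specific to that case.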


For more details on the cipher suite, see Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.