Example topology:

Client -> Internet -> (wan)FortiGate(LAN) -> Real server

Note: TLS 1.3 is not supported by virtual servers in FIPS-CC mode.

Also, the following ciphers are not supported.

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Example configuration:

config firewall vip

edit "<Virtual server name>"

set type server-load-balance

set extip x.x.x.x <- Wan IP address.

set extintf "any"

set server-type https

set extport 443

config realservers

edit 1

set ip y.y.y.y <-- Real server IP.
set port 443

next

end

set http-supported-max-version http1

set ssl-mode full

config ssl-cipher-suites

edit 1

set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384

next

edit 2

set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256

next

end
        

When the above ciphers are used, the client-to-FortiGate handshake will fail.

For more details on the cipher suite, see Technical Tip: Understanding the cipher suite 1.2 supported by Fortinet devices.