Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
AndrewX
Staff
Staff

Created on ‎01-27-2025 04:30 AM

Article Id 372755

Troubleshooting Tip: Fix the vulnerability by changing global DH parameters

Description

This article describes how to handle an issue where using Diffie-Hellman (DH) parameters as 2048 does not fix a vulnerability.
Scope

FortiGate OS.
Solution

Background:

  • Upon setting up 2048 DH parameters, the following alert information is still received about a vulnerability:


11.png

 

Check the DH parameters under the global configuration:

 

22.png

 

Conclusion:

Increasing DH Parameters to 8192 Bits not only fixes the issue, but impacts the FortiGate firewall in the following ways:

  1. Enhanced Security:
  • Increased computational complexity: Larger DH parameters require significantly more computational power to break, making it much harder for attackers to compromise the security of the VPN.
  • Resistance to future attacks: As computing power grows, increasing the key size helps future-proof security infrastructure.
  1. Potential Performance Impact:
  • Increased CPU usage: Larger DH parameters can lead to slightly increased CPU usage during the key exchange process. However, modern hardware can typically handle this overhead without significant performance degradation.
  • Increased network traffic: The larger key exchange messages may result in slightly increased network traffic.
515
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.