FortiManager
chall_FTNT
Staff
Article Id 191627

Description


This article explains how to configure the SSL/TLS protocol version and encryption level used by FortiManager's services.

This matters for PCI DSS compliance and for addressing findings raised by vulnerability scans against the unit (for example, SSLv3, TLS 1.0/1.1 or weak cipher suites still being offered).

 

Scope

 

FortiManager.

Solution

 

As a rule, newer TLS protocol versions are more secure and should be preferred; SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated and should only be left enabled where a legacy peer still requires them.
The protocol version used for each of FortiManager's encrypted communications can be controlled as follows.
The commands and command options shown below are available for FortiManager v6.0.7:
 
config sys global
    set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}           <- For administrative login.
    set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- If web services are enabled (for API use).
    set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}      <- For the FGFM tunnel to managed FortiGates.
    set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}      <- For log reception (FortiAnalyzer feature).
    set ssl-low-encryption disable                                              <- Disables low-grade SSL encryption for the GUI.
    set enc-algorithm {high | medium | low}                                      <- Cipher suite strength for FGFM, web services and FortiGuard.
end
 
  • 'high' is recommended: it restricts the cipher suites and removes Triple DES in CBC mode, addressing CVE-2016-2183 (Sweet32).
  • Before raising fgfm-ssl-protocol or oftp-ssl-protocol, confirm that every managed FortiGate and every device sending logs can negotiate the chosen version; a peer that cannot will lose its tunnel or stop delivering logs until it is upgraded or the setting is relaxed again.
  • ssl-protocol also governs the session used to manage FortiManager, so make sure the browser used for administration supports the versions left enabled.
 
SSL settings for FortiGuard Services.

The settings below apply only when FortiManager is used to provide FortiGuard services to other Fortinet products, such as FortiGates.
 
They control the protocol version used to encrypt that FortiGuard traffic:
 
config fmupdate fds-setting
    set fds-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}       <- Downstream with FortiGates and upstream with FortiGuard servers.
    set fds-clt-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3}   <- Downstream with FortiClients.
end
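The audit script below is an added example, not Fortinet code. It covers both the 'config sys global' and the 'config fmupdate fds-setting' options above: it parses pasted 'show sys global' / 'show fmupdate fds-setting' output, flags every option that still enables anything below TLS 1.2 (or leaves ssl-low-encryption enabled or enc-algorithm below high), and prints the CLI needed to correct it. It assumes the option names listed in this article, that a protocol option may list one or more enabled versions, and that the 'show' output embedded in it (constructed) mirrors the real format. The probe_versions helper at the end is an assumption about how one would verify the result from outside using Python's ssl module against the service ports (443 for the GUI, 541 for FGFM and 514 for OFTP are the usual defaults); it needs network access and is not exercised by the sample.

```python
"""Audit FortiManager SSL/TLS settings from pasted 'show' output.
Added example, not Fortinet code; assumes the option names from the article and
that a protocol option lists one or more enabled versions."""
import socket
import ssl

# Protocol names as the FortiManager CLI spells them, weakest first.
PROTO_RANK = {"sslv2": 0, "sslv3": 1, "tlsv1.0": 2, "tlsv1.1": 3,
              "tlsv1.2": 4, "tlsv1.3": 5}

# Options covered by the article, keyed by the config section they live in.
PROTO_OPTIONS = {
    "sys global": ["ssl-protocol", "webservice-proto", "fgfm-ssl-protocol", "oftp-ssl-protocol"],
    "fmupdate fds-setting": ["fds-ssl-protocol", "fds-clt-ssl-protocol"],
}

# Constructed sample: what a weakly configured unit might show.
SAMPLE_SHOW = """\
config sys global
    set ssl-protocol tlsv1.0
    set webservice-proto tlsv1.1 tlsv1.2
    set oftp-ssl-protocol tlsv1.2 tlsv1.3
    set ssl-low-encryption enable
    set enc-algorithm medium
end
config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
    set fds-clt-ssl-protocol sslv3
end
"""


def parse_show(text):
    """Minimal parser for 'config <section>' / 'set <opt> <values>' / 'end'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            current = line[len("config "):].strip()
            sections.setdefault(current, {})
        elif line.startswith("set ") and current is not None:
            parts = line.split()
            if len(parts) >= 3:
                sections[current][parts[1]] = parts[2:]   # value token list
        elif line == "end":
            current = None
    return sections


def audit(text, min_proto="tlsv1.2"):
    """Return [(section, option, current, recommended)] for every weak setting."""
    cfg = parse_show(text)
    floor = PROTO_RANK[min_proto]            # PCI DSS floor: SSL and early TLS are out
    findings = []
    for section, options in PROTO_OPTIONS.items():
        values = cfg.get(section, {})
        for opt in options:
            if opt not in values:
                continue                     # option absent on this firmware
            enabled = values[opt]
            weak = [v for v in enabled if PROTO_RANK.get(v, -1) < floor]
            if weak:                         # keep the strong versions, or fall back to the floor
                keep = [v for v in enabled if v not in weak] or [min_proto]
                findings.append((section, opt, " ".join(enabled), " ".join(keep)))
        if section == "sys global":
            low = values.get("ssl-low-encryption", ["disable"])[0]
            if low != "disable":
                findings.append((section, "ssl-low-encryption", low, "disable"))
            alg = values.get("enc-algorithm", ["high"])[0]
            if alg != "high":                # 'high' drops the 3DES-CBC suites (Sweet32)
                findings.append((section, "enc-algorithm", alg, "high"))
    return findings


def remediation_cli(findings):
    """Render findings as CLI blocks that can be pasted back into FortiManager."""
    by_section = {}
    for section, opt, _current, recommended in findings:
        by_section.setdefault(section, []).append(f"    set {opt} {recommended}")
    out = []
    for section, sets in by_section.items():
        out += [f"config {section}", *sets, "end"]
    return "\n".join(out)


def probe_versions(host, port, timeout=5):
    """Live check: which TLS versions host:port negotiates (SSLv3 is not negotiable
    by a modern OpenSSL build, so it is left out).  Needs network; not run here."""
    result = {}
    for name, ver in (("tlsv1.0", ssl.TLSVersion.TLSv1), ("tlsv1.1", ssl.TLSVersion.TLSv1_1),
                      ("tlsv1.2", ssl.TLSVersion.TLSv1_2), ("tlsv1.3", ssl.TLSVersion.TLSv1_3)):
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
            ctx.minimum_version = ctx.maximum_version = ver
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # let OpenSSL 3 offer TLS 1.0/1.1
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result[name] = tls.version() is not None
        except (OSError, ssl.SSLError, ValueError):
            result[name] = False
    return result


if __name__ == "__main__":
    print(remediation_cli(audit(SAMPLE_SHOW)))
```

Run it as-is to see the corrective CLI for the constructed sample, or replace SAMPLE_SHOW with the real 'show' output from the unit. Re-running audit over the printed remediation returns no findings, which is the check to repeat after the commands have been applied; probe_versions(host, 443) and probe_versions(host, 541) then confirm from the network side that the GUI and FGFM listeners no longer accept TLS 1.0/1.1.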
 
Earlier versions of FortiManager may offer only some of these commands and only some of the configurable options. For details, see the FortiManager CLI Reference Guide corresponding to the version of FortiManager in use.