chall_FTNT (Staff)
Created on 05-31-2017 10:13 AM
Edited on 06-16-2024 03:31 PM by Stephen_G
Article Id 191627
Description
This article explains how to configure the SSL protocol version and encryption level on FortiManager.
This can be important for achieving PCI compliance and for addressing vulnerability concerns that arise.
Scope
FortiManager.
Solution
As a rule, newer SSL protocol versions are more secure and should be preferred.
It is possible to control the SSL protocol version used for encrypted communications on FortiManager as follows.
The commands and command options shown below are available on FortiManager v6.0.7:
config sys global
    set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- For administrative login.
    set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- If web services are enabled (for API use).
    set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- For the FGFM tunnel with FortiGate.
    set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- When FortiManager is receiving logs (FortiAnalyzer feature).
    set ssl-low-encryption disable <- Ensures that SSL low-grade encryption is disabled for the GUI.
    set enc-algorithm {high | medium | low} <- Cipher strength for services such as FGFM, web services and FortiGuard. 'high' is recommended: it restricts the cipher suites to address CVE-2016-2183 (Sweet32) by removing Triple DES in CBC mode.
end
SSL settings for FortiGuard services.
The settings below apply only if FortiManager is being used to provide FortiGuard services to other Fortinet products such as FortiGates.
They control the protocol version used for encrypting FortiGuard communications:
config fmupdate fds-setting
    set fds-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- Downstream with FortiGates and upstream with FortiGuard servers.
    set fds-clt-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- Downstream with FortiClients.
end
Earlier versions of FortiManager may support only a subset of these commands and options. For details, see the FortiManager CLI Reference Guide for the version of FortiManager in use.
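As an added example (not part of this article and not Fortinet code), the following Python script audits a FortiManager configuration backup or 'show' output for the settings discussed above. It parses flat 'config ... end' blocks, flags any of the six protocol-version settings that still allow SSLv2, SSLv3, TLS 1.0 or TLS 1.1, and flags ssl-low-encryption enable and any enc-algorithm value other than high. The two embedded configurations (a weak one and the hardened one) are constructed samples; the parser assumes the blocks are not nested and treats a space-separated value as a list of allowed versions, both of which are assumptions rather than documented behaviour.

```python
"""Audit a FortiManager config dump for weak SSL/TLS settings.

Hypothetical helper written to accompany this article; not Fortinet code.
It reads 'config ... end' blocks as found in a config backup or 'show'
output and reports settings that still permit legacy protocol versions,
low-grade GUI encryption, or a cipher level other than 'high'.
"""
import sys
from typing import Dict, List, Tuple

# Protocol-version settings covered by the article (sys global and fmupdate fds-setting).
PROTOCOL_SETTINGS = {
    "ssl-protocol", "webservice-proto", "fgfm-ssl-protocol", "oftp-ssl-protocol",
    "fds-ssl-protocol", "fds-clt-ssl-protocol",
}
# Versions treated as non-compliant; only tlsv1.2 and tlsv1.3 pass.
WEAK_PROTOCOLS = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1"}

Finding = Tuple[str, str, str]  # (config block, setting name, reason)


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {block name: {setting: value}} for each flat 'config ... end' block.

    Assumption: blocks are not nested (true for the two blocks used here);
    blank lines, '#' comments and 'next' lines are ignored.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            current = line[len("config "):].strip()
            blocks.setdefault(current, {})
        elif line == "end":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = line.split(None, 2)  # 'set', name, value (value may hold several tokens)
            if len(parts) == 3:
                blocks[current][parts[1]] = parts[2]
    return blocks


def audit(blocks: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Check parsed blocks against the hardening recommended in the article."""
    findings: List[Finding] = []
    for block, settings in blocks.items():
        for name, value in settings.items():
            tokens = value.split()  # assumption: space-separated values are a version list
            if name in PROTOCOL_SETTINGS:
                weak = [t for t in tokens if t in WEAK_PROTOCOLS]
                if weak:
                    findings.append((block, name, "allows " + ", ".join(weak)))
            elif name == "ssl-low-encryption" and value == "enable":
                findings.append((block, name, "low-grade SSL encryption enabled for the GUI"))
            elif name == "enc-algorithm" and value != "high":
                findings.append((block, name,
                                 f"'{value}' set; 'high' is recommended to drop Triple DES CBC suites (CVE-2016-2183)"))
    return findings


# Constructed sample: a weak configuration of the kind the article tells you to fix.
WEAK_CONFIG = """\
config sys global
    set ssl-protocol tlsv1.0
    set webservice-proto sslv3
    set fgfm-ssl-protocol tlsv1.2
    set oftp-ssl-protocol tlsv1.1
    set ssl-low-encryption enable
    set enc-algorithm medium
end
config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
    set fds-clt-ssl-protocol sslv3
end
"""

# Constructed sample: the same blocks after hardening as the article recommends.
HARDENED_CONFIG = """\
config sys global
    set ssl-protocol tlsv1.2
    set webservice-proto tlsv1.2
    set fgfm-ssl-protocol tlsv1.2
    set oftp-ssl-protocol tlsv1.2
    set ssl-low-encryption disable
    set enc-algorithm high
end
config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.2
    set fds-clt-ssl-protocol tlsv1.2
end
"""


def main(argv: List[str]) -> int:
    """Audit the file named on the command line, or the built-in samples; exit 1 on findings."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sources = [(argv[1], fh.read())]
    else:
        sources = [("weak sample", WEAK_CONFIG), ("hardened sample", HARDENED_CONFIG)]
    status = 0
    for label, text in sources:
        findings = audit(parse_config(text))
        print(f"{label}: {len(findings)} finding(s)")
        for block, name, reason in findings:
            print(f"  [{block}] {name}: {reason}")
        if findings:
            status = 1
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the weak sample produce six findings and the hardened sample none, or pass the path of a saved FortiManager configuration to audit that instead. The non-zero exit status lets the script sit in a scheduled compliance check.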