Description
This article explains how to configure SSL Protocol Version and Encryption Levels on FortiManager.
This can be important for achieving PCI compliance and for addressing vulnerability concerns that arise.
For enhanced reliability, please check the FortiManager recommended version.
Scope
FortiManager.
Solution
As a rule, newer SSL/TLS protocol versions are more secure and should be preferred. The SSL versions used for each of FortiManager's encrypted communication channels can be set as follows:
config sys global
    set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- For administrative login.
    set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- If web services are enabled (for API use).
    set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- For the FGFM tunnel with FortiGate.
    set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- When FortiManager is receiving logs (FortiAnalyzer feature).
    set ssl-low-encryption disable <- Ensures that SSL low-grade encryption is disabled for the GUI.
    set enc-algorithm {high | medium | low} <- For services such as FGFM, web services and FortiGuard.
end
- 'high' is recommended: it restricts the cipher suites used by removing Triple DES in CBC mode, addressing CVE-2016-2183 (Sweet32).
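To confirm from a client that the settings above took effect on the administrative interface, the following POSIX shell script (added here; it is not from the Fortinet article) probes the GUI port with openssl s_client for each protocol version and for the 3DES suite behind Sweet32. It assumes openssl(1) is installed and the GUI listens on port 443; the variable names FMG_HOST, FMG_PORT and FMG_SSL_PROTOCOL are assumptions.

```shell
#!/bin/sh
# Added check, not from the Fortinet article: after 'set ssl-protocol ...' and
# 'set enc-algorithm high', see which TLS versions the GUI still negotiates and
# whether the 3DES suite behind CVE-2016-2183 (Sweet32) is still offered.
# Assumes openssl(1); FMG_HOST/FMG_PORT/FMG_SSL_PROTOCOL are assumed names.

# Map a FortiManager ssl-protocol keyword to the matching s_client flag.
tls_flag_for() {
    case "$1" in
        sslv3)   echo "-ssl3" ;;
        tlsv1.0) echo "-tls1" ;;
        tlsv1.1) echo "-tls1_1" ;;
        tlsv1.2) echo "-tls1_2" ;;
        tlsv1.3) echo "-tls1_3" ;;
        *)       return 1 ;;
    esac
}

# One handshake attempt; extra args (e.g. -cipher ...) go to s_client.
# Prints accepted, rejected or unknown based on s_client's summary lines.
probe() {
    p_host=$1; p_port=$2; flag=$(tls_flag_for "$3") || return 2; shift 3
    out=$(printf 'Q\n' | openssl s_client -connect "$p_host:$p_port" $flag "$@" 2>&1)
    case "$out" in
        *"Cipher is (NONE)"*|*"handshake failure"*|*"no protocols available"*) echo rejected ;;
        *"Cipher is "*) echo accepted ;;
        *) echo unknown ;;
    esac
}

# $1 = configured list ("tlsv1.2 tlsv1.3"), $2 = "version:result" pairs from probe.
# Prints versions the server accepted but that are not configured; exit 0 only when none.
unexpected_versions() {
    bad=""
    for pair in $2; do
        ver=${pair%%:*}
        [ "${pair#*:}" = accepted ] || continue
        case " $1 " in *" $ver "*) ;; *) bad="$bad $ver" ;; esac
    done
    echo "${bad# }"; [ -z "$bad" ]
}

if [ -n "${FMG_HOST:-}" ]; then       # only runs when pointed at a real host
    configured=${FMG_SSL_PROTOCOL:-"tlsv1.2 tlsv1.3"}; port=${FMG_PORT:-443}; results=""
    for v in sslv3 tlsv1.0 tlsv1.1 tlsv1.2 tlsv1.3; do
        results="$results $v:$(probe "$FMG_HOST" "$port" "$v")"
    done
    echo "accepted but not configured: $(unexpected_versions "$configured" "$results")"
    # With enc-algorithm high this 3DES suite should be rejected; @SECLEVEL=0 lets a modern client offer it.
    echo "3DES on TLS 1.2: $(probe "$FMG_HOST" "$port" tlsv1.2 -cipher 'DES-CBC3-SHA:@SECLEVEL=0')"
fi
```

Run it as `FMG_HOST=<fortimanager> FMG_SSL_PROTOCOL="tlsv1.2 tlsv1.3" sh check_tls.sh` and compare the reported versions with what was configured under config sys global.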
SSL settings for FortiGuard Services.
The settings below are applied only if FortiManager is being used to provide FortiGuard Services to other Fortinet products, such as FortiGates.
This controls the version used for encrypting FortiGuard communications:
config fmupdate fds-setting
    set fds-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- Downstream with FortiGates and upstream with FortiGuard servers.
    set fds-clt-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2 | tlsv1.3} <- Downstream with FortiClients.
end
Earlier versions of FortiManager may support only some of these commands and configurable options. For more details, see the FortiManager CLI Reference Guide corresponding to the version of FortiManager in use.
Related article: Technical Tip: Setting SSL Protocol Version