FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
heng
Staff
Article Id 203596
Description

This article describes how to change the TLS version for the incoming listening ports TCP/8888, TCP/8890, TCP/8891 and TCP/8900 in FortiManager and FortiAnalyzer (if applicable).

 

TCP/8888 : For FortiGate Web Filter queries, AV & IPS updates.

TCP/8890 : For FortiGate Registration for license validation and UTM updates (AV, IPS).

TCP/8891 : FortiManager listens to FortiGuard for FortiClient AV/IPS database and Web Filter database updates.

TCP/8900 : For FortiGate FortiGuard Web Filter and Email Filter.

 

This applies only when FortiManager is acting as a local FortiGuard server.

https://docs.fortinet.com/document/fortimanager/7.0.0/fortimanager-ports/465971/incoming-ports 

Scope  
Solution

By default, all of these listening ports are set to TLSv1.2. To change them to a different TLS version, set it via the CLI as follows. The example below is based on version 7.0.

 

# config fmupdate fds-setting
   set fds-ssl-protocol <version>
      sslv3    set SSLv3 as the lowest version.
      tlsv1.0  set TLSv1.0 as the lowest version.
      tlsv1.1  set TLSv1.1 as the lowest version.
      tlsv1.2  set TLSv1.2 as the lowest version (default).
      tlsv1.3  set TLSv1.3 as the lowest version.
end

 

Note:

fds-ssl-protocol - The SSL protocol version for receiving FortiGate connections (default = tlsv1.2).
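
One way to confirm the setting from a workstation, as an added example that is not part of the original article or Fortinet's tooling: the script offers one TLS version at a time to each of the four ports and lists any version accepted below the configured floor. The host argument, the function names and the result labels are assumptions made for this example.

```python
import socket
import ssl
import sys

FDS_PORTS = (8888, 8890, 8891, 8900)   # listening ports named in this article
ORDER = ("sslv3", "tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3")  # fds-ssl-protocol values
# SSLv3 is not probed: current OpenSSL builds normally ship with SSLv3 disabled.
PROBED = {
    "tlsv1.0": ssl.TLSVersion.TLSv1,
    "tlsv1.1": ssl.TLSVersion.TLSv1_1,
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
    "tlsv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe(host, port, version, timeout=5.0):
    """Offer exactly one protocol version and report how the listener reacts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # only the negotiated version matters here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # needed on OpenSSL 3 to offer TLS 1.0/1.1
        ctx.minimum_version = ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "client-unsupported"   # local OpenSSL build cannot offer this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock):
                return "accepted"
        except (ssl.SSLError, OSError):
            return "rejected"         # handshake failed at this version

def floor_violations(results, floor):
    """Return sorted (port, version) pairs accepted below the configured floor."""
    below = set(ORDER[:ORDER.index(floor)])   # ValueError on an unknown floor name
    return sorted(key for key, state in results.items()
                  if state == "accepted" and key[1] in below)

def audit(host, floor="tlsv1.2"):
    results = {(p, n): probe(host, p, v) for p in FDS_PORTS for n, v in PROBED.items()}
    return results, floor_violations(results, floor)

if __name__ == "__main__":
    host = sys.argv[1]                # FortiManager address, supplied by the caller
    results, bad = audit(host, sys.argv[2] if len(sys.argv) > 2 else "tlsv1.2")
    for (port, name), state in sorted(results.items()):
        print(f"{host}:{port} {name}: {state}")
    sys.exit(1 if bad else 0)
```

A `rejected` result only means the handshake failed at that version, so read it alongside a version that is expected to succeed on the same port.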

 

 
