ckarwei (Staff)
Article Id 213707

Description

This article describes how to verify the TLS version used by the FortiGate to FortiManager (FGFM) protocol.

Scope

FortiGate

Solution

1) TCP port 541 is the default port for the FGFM protocol. To verify the TLS version, run the FortiGate built-in packet sniffer on port 541 with verbosity level 3. The sniffer output can then be converted into a file that Wireshark can read.
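The conversion from step 1, as an added example that is not part of the original article and not a Fortinet tool (Fortinet provides its own fgt2eth.pl script for this purpose). It assumes the sniffer was started as `diagnose sniffer packet any 'port 541' 3`, whose verbose-3 output prints one header line per packet (relative timestamp, interface, direction, addresses) followed by a hex dump of the whole Ethernet frame; the sample output embedded below is constructed by hand (a single TCP SYN to port 541), not a real capture. The hex dump is reassembled into frames and written as a classic libpcap file with the Ethernet link type, which is what Wireshark expects.

```python
"""Convert FortiGate verbose-3 sniffer output into a pcap file that Wireshark can open."""
import re
import struct

# Constructed sample of what `diagnose sniffer packet any 'port 541' 3` prints (not a real capture):
# a header line per packet, then hex-dump lines "<offset>  <hex words>  <ascii>" of the full frame.
# The frame below is a hand-built TCP SYN from 192.168.1.1:6583 to 192.168.1.2:541 (FGFM).
SAMPLE_SNIFFER_OUTPUT = (
    "interfaces=[any]\n"
    "filters=[port 541]\n"
    "2.045821 port1 out 192.168.1.1.6583 -> 192.168.1.2.541: syn 3590021055\n"
    "0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.\n"
    "0x0010\t 0028 0000 4000 4006 b6bc c0a8 0101 c0a8\t.(..@.@.........\n"
    "0x0020\t 0102 19b7 021d d5fb 5fbf 0000 0000 5002\t......._.....P.\n"
    "0x0030\t ffff 0000 0000                         \t......\n"
)

# Header line: "<relative seconds> <interface> in|out <src> -> <dst>: ..."
HEADER_RE = re.compile(r"^(\d+\.\d+)\s+\S+\s+(?:in|out)\s+")
# Hex line: "0x<offset>  <up to 8 words of 2-4 hex digits>" (the ASCII column follows a tab)
HEXLINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2,4} ?){1,8})")


def parse_sniffer_output(text):
    """Return a list of (timestamp_seconds, frame_bytes) tuples, one per sniffed packet."""
    packets, ts, chunks = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if ts is not None and chunks:           # close the previous packet
                packets.append((ts, bytes.fromhex("".join(chunks))))
            ts, chunks = float(m.group(1)), []
            continue
        m = HEXLINE_RE.match(line)
        if m and ts is not None:
            chunks.append(m.group(1).replace(" ", ""))
    if ts is not None and chunks:
        packets.append((ts, bytes.fromhex("".join(chunks))))
    return packets


def to_pcap_bytes(packets, linktype=1):
    """Serialize packets as a classic libpcap file (LINKTYPE_ETHERNET = 1, snaplen 65535)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def convert_file(src_path, dst_path):
    """Convert a saved sniffer transcript to a pcap file; returns the number of packets written."""
    with open(src_path, encoding="utf-8", errors="replace") as f:
        packets = parse_sniffer_output(f.read())
    with open(dst_path, "wb") as f:
        f.write(to_pcap_bytes(packets))
    return len(packets)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(f"wrote {convert_file(sys.argv[1], sys.argv[2])} packet(s) to {sys.argv[2]}")
    else:
        pkts = parse_sniffer_output(SAMPLE_SNIFFER_OUTPUT)
        print(f"sample: {len(pkts)} packet(s), {len(to_pcap_bytes(pkts))} pcap bytes")
```

Save the sniffer transcript from the CLI session to a text file and run `python fgt_sniffer_to_pcap.py sniffer.txt fgfm.pcap`, then open the pcap in Wireshark; the display filter `tls.handshake.type == 1` isolates Client Hello packets and `tls.handshake.type == 2` the Server Hello. Only the relative-timestamp header format is handled; if the sniffer was started with absolute timestamps, the header lines will not match and HEADER_RE needs adjusting.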


2) In Wireshark, locate the Client Hello packet. Under the handshake protocol section, the TLS protocol version that the client (FortiGate) wants to use is shown.

[Figure tls_1.JPG: Client Hello packet in Wireshark showing the TLS version offered by FortiGate]


3) Locate the Server Hello packet. It shows the highest TLS protocol version supported by the server (FortiManager) that is also supported by the client (FortiGate).

[Figure tls_2.JPG: Server Hello packet in Wireshark showing the TLS version selected by FortiManager]
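The version check from steps 2 and 3 in code, as an added example that is not part of the original article. It matters because the "Version" field Wireshark shows inside the handshake is the legacy_version: a TLS 1.3 peer pins that field to TLS 1.2 and signals the real version in the supported_versions extension (RFC 8446), so a capture after enforcing TLS 1.3 will still read "TLS 1.2" in that field. The parser below reads both fields from a Client Hello and a Server Hello and reports the version actually agreed; the hello records it parses are constructed by the included `build_hello` helper (minimal messages with zeroed randoms, not real FGFM traffic).

```python
"""Read the TLS version offered in a Client Hello and selected in a Server Hello."""
import struct

TLS_VERSION_NAMES = {
    0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446: where TLS 1.3 really signals its version


def build_hello(handshake_type, legacy_version, supported_versions=None):
    """Constructed test input: a minimal ClientHello/ServerHello TLS record (zeroed random, no keys)."""
    body = struct.pack(">H", legacy_version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    if handshake_type == CLIENT_HELLO:
        body += struct.pack(">H", 2) + b"\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
    else:
        body += b"\x13\x01" + b"\x00"                                  # chosen suite, null compression
    if supported_versions:
        if handshake_type == CLIENT_HELLO:
            vs = b"".join(struct.pack(">H", v) for v in supported_versions)
            ext_data = bytes([len(vs)]) + vs                           # versions list
        else:
            ext_data = struct.pack(">H", supported_versions[0])        # selected_version
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(ext_data)) + ext_data
        body += struct.pack(">H", len(ext)) + ext
    handshake = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + struct.pack(">HH", 0x0303, len(handshake)) + handshake


def parse_hello(record):
    """Return record-layer version, legacy handshake version and supported_versions (None if absent)."""
    if record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    record_version, rec_len = struct.unpack(">HH", record[1:5])
    hs = record[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError(f"unexpected handshake type {hs_type}")
    legacy_version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                                       # skip random
    pos += 1 + body[pos]                                               # skip session id
    if hs_type == CLIENT_HELLO:
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]           # cipher_suites
        pos += 1 + body[pos]                                           # compression_methods
    else:
        pos += 2 + 1                                                   # cipher_suite + compression_method
    supported = None
    if pos < len(body):                                                # extensions block present
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:
                if hs_type == CLIENT_HELLO:
                    supported = [struct.unpack(">H", edata[i:i + 2])[0]
                                 for i in range(1, 1 + edata[0], 2)]
                else:
                    supported = [struct.unpack(">H", edata[:2])[0]]
    return {"type": hs_type, "record_version": record_version,
            "legacy_version": legacy_version, "supported_versions": supported}


def negotiated_version(client_hello, server_hello):
    """Name of the agreed version: selected_version for TLS 1.3, otherwise the Server Hello version."""
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    chosen = s["supported_versions"][0] if s["supported_versions"] else s["legacy_version"]
    # A client without supported_versions offers every version up to its legacy_version.
    offered = c["supported_versions"] or [v for v in TLS_VERSION_NAMES if v <= c["legacy_version"]]
    if chosen not in offered:
        raise ValueError("server selected a version the client did not offer")
    return TLS_VERSION_NAMES.get(chosen, hex(chosen))


if __name__ == "__main__":
    ch = build_hello(CLIENT_HELLO, 0x0303, [0x0304, 0x0303])
    for sh in (build_hello(SERVER_HELLO, 0x0303, [0x0304]), build_hello(SERVER_HELLO, 0x0303)):
        print("Server Hello legacy_version", hex(parse_hello(sh)["legacy_version"]),
              "-> negotiated", negotiated_version(ch, sh))
```

The demo prints "TLS 1.3" and "TLS 1.2" for two Server Hellos whose legacy_version field is identical (0x0303), which is exactly the case where reading only Wireshark's "Version" line misleads. On a real capture, feed the TLS record bytes (starting at the 0x16 content-type byte) of the Client Hello and Server Hello to `negotiated_version`; because ssl-min-proto-version in `config system global` is a device-wide minimum rather than an FGFM-specific one, recapture after the change in step 4 to confirm both peers negotiate the expected version.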


4) To enforce negotiation of a higher TLS version, apply the following CLI configuration on FortiGate and FortiManager.

FortiGate:

FGT01 # config system global
FGT01 (global) # set ssl-min-proto-version
SSLv3      SSLv3.
TLSv1      TLSv1.
TLSv1-1    TLSv1.1.
TLSv1-2    TLSv1.2.
TLSv1-3    TLSv1.3.
FGT01 (global) # set ssl-min-proto-version TLSv1-2
FGT01 (global) # end

FortiManager:

FMG01 # config system global
(global)# set fgfm-ssl-protocol
 sslv3      set SSLv3 as the lowest version.
 tlsv1.0    set TLSv1.0 as the lowest version.
 tlsv1.1    set TLSv1.1 as the lowest version.
 tlsv1.2    set TLSv1.2 as the lowest version (default).
 tlsv1.3    set TLSv1.3 as the lowest version.
(global)# set fgfm-ssl-protocol tlsv1.2
(global)# end


5) After applying the CLI configuration, FortiGate and FortiManager negotiate TLS 1.2.

Client Hello (FortiGate):

[Figure TLS1_2.JPG: Client Hello packet showing TLS 1.2 offered by FortiGate]

Server Hello (FortiManager):

[Figure TLS1_2_2.JPG: Server Hello packet showing TLS 1.2 selected by FortiManager]


Related link:

Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager