Description
This article describes how to verify FortiGate to FortiManager (FGFM) protocol TLS version.
Scope
FortiGate
Solution
1) Port 541 is the default port for the FGFM protocol. To verify the TLS version, run the FortiGate built-in packet sniffer on port 541 with verbose level 3 and convert the output into a pcap file that Wireshark can read.
2) In Wireshark, locate the Client Hello packet. Under Handshake Protocol it shows the TLS protocol version that the client (FortiGate) proposes.
3) Locate the Server Hello packet. It shows the version the server (FortiManager) selected, which is the highest TLS version it supports that the client (FortiGate) also offered. Note that when TLS 1.3 is negotiated, the Server Hello version field still reads TLS 1.2 (0x0303) and the selected version appears in the supported_versions extension instead.
4) To enforce a minimum TLS version for the negotiation, apply the following CLI configuration on FortiGate and FortiManager.
FortiGate:
FGT01 # config system global
FGT01 (global) # set ssl-min-proto-version
SSLv3 SSLv3.
TLSv1 TLSv1.
TLSv1-1 TLSv1.1.
TLSv1-2 TLSv1.2.
TLSv1-3 TLSv1.3.
FGT01 (global) # set ssl-min-proto-version TLSv1-2
FGT01 (global) # end
FortiManager:
FMG01 # config system global
(global)# set fgfm-ssl-protocol
sslv3 set SSLv3 as the lowest version.
tlsv1.0 set TLSv1.0 as the lowest version.
tlsv1.1 set TLSv1.1 as the lowest version.
tlsv1.2 set TLSv1.2 as the lowest version (default).
tlsv1.3 set TLSv1.3 as the lowest version.
(global)# set fgfm-ssl-protocol tlsv1.2
(global)# end
5) After applying the CLI configuration, FortiGate and FortiManager negotiate TLS 1.2, as the Client Hello and Server Hello captures below show.
Client Hello (FortiGate):
Server Hello (FortiManager):
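The following is an added example, not Fortinet code from this article: a small parser that reads the same two messages the steps above tell you to inspect in Wireshark (Client Hello and Server Hello), reports the versions offered and selected, handles the TLS 1.3 case where the real version is carried in the supported_versions extension rather than the hello version field, and checks the result against a minimum such as the TLSv1-2 configured above. The handshake bytes it feeds itself are constructed by hand as sample input and were not captured from a FortiGate or FortiManager; to use it on a real FGFM capture you would extract the TLS records from the pcap yourself.

```python
"""Report TLS versions offered and selected in a Client Hello / Server Hello.

Added example, not Fortinet code. The sample handshakes at the bottom are
constructed here, not captured from a FortiGate or FortiManager.
"""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
HANDSHAKE = 22
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446: TLS 1.3 puts the real version here


def _extensions(hs, off):
    """Parse the extensions block at hs[off]; return {ext_type: data}."""
    exts = {}
    if off >= len(hs):          # hello with no extensions block at all
        return exts
    (total,) = struct.unpack_from("!H", hs, off)
    off += 2
    end = off + total
    while off + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hs, off)
        off += 4
        exts[ext_type] = hs[off:off + ext_len]
        off += ext_len
    return exts


def parse_hello(record):
    """Parse one handshake record holding a ClientHello or ServerHello.

    Returns (kind, legacy_version, versions): versions is the list the client
    offers, or a one-element list with what the server selected. For TLS 1.3
    the hello body still says 0x0303; supported_versions is authoritative.
    """
    content_type, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    (legacy,) = struct.unpack_from("!H", hs, 0)
    off = 2 + 32                       # skip legacy_version and random
    off += 1 + hs[off]                 # session id
    if hs_type == CLIENT_HELLO:
        (cs_len,) = struct.unpack_from("!H", hs, off)
        off += 2 + cs_len              # cipher suites
        off += 1 + hs[off]             # compression methods
        sv = _extensions(hs, off).get(EXT_SUPPORTED_VERSIONS)
        if sv:                         # 1-byte list length, then 2-byte versions
            offered = [struct.unpack_from("!H", sv, 1 + 2 * i)[0]
                       for i in range(sv[0] // 2)]
        else:
            offered = [legacy]
        return "client", legacy, offered
    if hs_type == SERVER_HELLO:
        off += 2 + 1                   # cipher suite, compression method
        sv = _extensions(hs, off).get(EXT_SUPPORTED_VERSIONS)
        selected = struct.unpack_from("!H", sv, 0)[0] if sv else legacy
        return "server", legacy, [selected]
    raise ValueError("unexpected handshake type %d" % hs_type)


def negotiated_version(client_record, server_record):
    """Return the selected version after checking the client actually offered it."""
    _, _, offered = parse_hello(client_record)
    _, _, (selected,) = parse_hello(server_record)
    if selected not in offered:
        raise ValueError("server selected %s, which the client did not offer"
                         % VERSION_NAMES.get(selected, hex(selected)))
    return selected


def meets_minimum(version, minimum=0x0303):
    """True if the negotiated version satisfies a TLSv1-2 minimum (default)."""
    return version >= minimum


# --- constructed sample handshakes (hypothetical, not real captures) --------
def _wrap(hs_type, hs):
    body = bytes([hs_type]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(body)) + body


def _ext_block(exts):
    if not exts:
        return b""
    raw = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(raw)) + raw


def client_hello(legacy, offered=()):
    """Minimal ClientHello; a non-empty 'offered' adds supported_versions."""
    hs = struct.pack("!H", legacy) + bytes(32) + b"\x00"        # random, empty sid
    hs += struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"       # one suite, null compression
    exts = [(EXT_SUPPORTED_VERSIONS, bytes([2 * len(offered)])
             + b"".join(struct.pack("!H", v) for v in offered))] if offered else []
    return _wrap(CLIENT_HELLO, hs + _ext_block(exts))


def server_hello(legacy, selected=None):
    """Minimal ServerHello; 'selected' adds supported_versions (TLS 1.3 style)."""
    hs = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    exts = [(EXT_SUPPORTED_VERSIONS, struct.pack("!H", selected))] if selected else []
    return _wrap(SERVER_HELLO, hs + _ext_block(exts))


if __name__ == "__main__":
    cases = [(client_hello(0x0303), server_hello(0x0303)),                       # TLS 1.2
             (client_hello(0x0303, (0x0304, 0x0303)), server_hello(0x0303, 0x0304)),  # TLS 1.3
             (client_hello(0x0301), server_hello(0x0301))]                       # TLS 1.0
    for c, s in cases:
        v = negotiated_version(c, s)
        print(VERSION_NAMES[v], "ok" if meets_minimum(v) else "BELOW MINIMUM")
```

The third case is the one the ssl-min-proto-version and fgfm-ssl-protocol settings are meant to prevent: a peer that only proposes TLS 1.0 would be accepted by a server with no minimum configured, and the check flags it.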
Related link:
Troubleshooting Tip: How to troubleshoot connectivity issues between FortiGate and FortiManager
Copyright 2024 Fortinet, Inc. All Rights Reserved.