FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
Article Id 228553
Description: This article lists the SSH algorithms and TLS ciphers supported by FNAC appliances and explains how to retrieve them.
Scope: FortiNAC v8.8.x, v9.x.
Solution

To retrieve the list of algorithms and ciphers used by FortiNAC, run the nmap tool from a Linux host against the FortiNAC management IP address.

To retrieve a list of supported SSH algorithms, run the following command in the CLI:

# nmap -p22 -n -sV --script ssh2-enum-algos 192.168.200.200

Starting Nmap 7.80 ( https://nmap.org ) at 2022-10-17 13:00 CEST
Nmap scan report for 192.168.200.200
Host is up (0.00030s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9 (protocol 2.0)
| ssh2-enum-algos:
| kex_algorithms: (10)
| curve25519-sha256
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| sntrup761x25519-sha512@openssh.com
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group16-sha512
| diffie-hellman-group18-sha512
| diffie-hellman-group14-sha256
| server_host_key_algorithms: (4)
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com

This is broken down into the following algorithms by type:


Kex:


------------------------------------------------
curve25519-sha256
curve25519-sha256@libssh.org
curve448-sha512
ecdh-sha2-nistp521
ecdh-sha2-nistp384
ecdh-sha2-nistp256
diffie-hellman-group-exchange-sha256
diffie-hellman-group18-sha512
diffie-hellman-group17-sha512
diffie-hellman-group16-sha512
diffie-hellman-group15-sha512
diffie-hellman-group14-sha256

 

Ciphers:


------------------------------------------------
chacha20-poly1305@openssh.com
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
aes128-cbc
aes192-cbc
aes256-cbc

 

MACs:


------------------------------------------------
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha2-256
hmac-sha2-512
hmac-sha1

 

To retrieve a list of supported TLS/SSL ciphers, run the following command in the CLI:

# nmap --script ssl-enum-ciphers -p 8443 192.168.40.110

Starting Nmap 7.40 ( https://nmap.org ) at 2021-08-10 20:02 CEST
Stats: 0:00:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 100.00% done; ETC: 20:02 (0:00:00 remaining)
Nmap scan report for fnac-latest.forti.lab (192.168.40.110)
Host is up (0.000058s latency).
PORT STATE SERVICE
8443/tcp open https-alt
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: client
|_ least strength: A
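
The output of both scans can be reviewed mechanically. The following Python script is an added example, not part of the original article or of any Fortinet tooling: it parses `ssh2-enum-algos` and `ssl-enum-ciphers` output and flags entries against a review baseline. The `POLICY` patterns, the function names `parse` and `audit`, and the abridged `SAMPLE` input are assumptions made for illustration.

```python
import re

# Constructed input: abridged from the two nmap outputs shown in this article.
SAMPLE = """\
| ssh2-enum-algos:
| mac_algorithms: (10)
| hmac-sha2-256-etm@openssh.com
| hmac-sha1-etm@openssh.com
|_ hmac-sha1
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| cipher preference: client
|_ least strength: A
"""

# Assumed review baseline (not Fortinet guidance): pattern -> reason.
POLICY = [
    (r"sha1\b|_SHA$", "SHA-1 based integrity"),
    (r"cbc", "CBC-mode cipher"),
    (r"^TLS_RSA_", "static RSA key exchange, no forward secrecy"),
]

def parse(text):  # group nmap script output into {section: [entries]}
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()
        if re.fullmatch(r"[^:]+:(?: \(\d+\))?", line):   # "mac_algorithms: (10)"
            current = line.split(":")[0]
            sections.setdefault(current, [])
        elif re.fullmatch(r"[a-z ]+: \S+", line):         # "cipher preference: client"
            key, value = line.split(": ")
            sections[key] = [value]
        elif current and line:
            sections[current].append(line.split(" ")[0])  # drop "(secp256r1) - A"
    return sections

def audit(sections):  # (section, entry, reason) for each entry matching POLICY
    hits = [(sec, name, why) for sec, names in sections.items()
            for name in names for pat, why in POLICY if re.search(pat, name, re.I)]
    if sections.get("cipher preference") == ["client"]:
        hits.append(("cipher preference", "client", "server does not enforce suite order"))
    return hits

if __name__ == "__main__":
    for hit in audit(parse(SAMPLE)):
        print(*hit, sep=" | ")
```

Suites from all TLS protocol versions are merged under `ciphers`, so run it per protocol version if that distinction matters. Saved nmap output can be passed to `parse` in place of `SAMPLE`.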