FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
jie (Staff)
Article Id 361585
Description: This article explains how to disable TLS 1.0 and TLS 1.1 in FortiPAM.
Scope: FortiPAM v1.3 and v1.4.
Solution
  1. General:

config system global
    set ssl-min-proto-version  <------- Default TLS 1.2 and above.
end

This is the general TLS version control setting. It applies to LDAP-based authentication, the password changer, and secret discovery, and it also controls general communications with FortiToken Cloud, FortiGuard, FortiAnalyzer, etc.

  2. GUI access, Tunnel Encryption:

config firewall VIP
    set ssl-min-version   <----- Default TLS 1.1 and above.
end

This is the TLS version control for FortiPAM GUI access as well as for the ZTNA tunnel used by the native secret launchers (Secrets -> Secret Setting -> Tunnel Encryption TLS version).

  3. LDAPS-based password changer and discovery (configurable from both the CLI and the GUI):

From GUI:

Go under Advanced Domain Setting -> LDAPS Minimum SSL Version (default follows the system global setting, TLS 1.2 and above).

From CLI:

config secret target
    edit xxx
        set ldaps-min-ssl-version  <-----
    end
end

Controls the LDAPS-based password changer, discovery, etc. This setting overrides the System -> Global -> ssl-min-proto-version setting for that target.

  4. FortiPAM user authentication:

config user ldap -> set ssl-min-proto-version  <----- Default follows the system global setting, which is TLS 1.2 and above.

Controls LDAP-based authentication of FortiPAM users. This setting overrides the System -> Global -> ssl-min-proto-version setting for that LDAP server.

  5. Native launchers: Remote Desktop and SQL Server Management Studio (SSMS). When proxy mode is enabled, for native launchers that use TLS (RDP and SSMS), the TLS version between FortiPAM and the secret server is controlled by the ssl-ssh-profile referenced in the firewall policy (Policy -> ssl-ssh-profile).

To change this setting, go to:

config firewall ssl-ssh-profile
    edit custom-deep-inspection
        config https
            set min-allowed-ssl-version  <----- Default tls 1.1.
        end
    end
end

config firewall policy
    edit 1
        set xxx ...
        set ssl-ssh-profile "custom-deep-inspection"  <----- Note: this may trigger multiple confirmation warnings.
    end
end

  6. Web-RDP. This currently cannot be controlled. By default it uses TLS 1.0 to TLS 1.3, depending on the negotiation with the server; if the server supports TLS 1.2 or above, TLS 1.2 or above is used.
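After the minimum versions above have been raised, the change should be verified from the outside rather than assumed. The following probe is an added example for this article, not Fortinet code: it offers exactly one TLS version per handshake to a listener on the appliance and reports which versions are still accepted. It only covers services where FortiPAM is the server (for instance the GUI/VIP on port 443, which the firewall VIP ssl-min-version setting governs); the outbound floors (LDAPS password changer, discovery, user authentication, native-launcher proxying) have FortiPAM acting as the client and are checked on the peer's side or in a packet capture. The host name is a placeholder, and the version list and sample results are constructed for the example.

```python
import socket
import ssl

# Protocol versions to probe, oldest first (constructed list for this example).
PROBE_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# Versions below the TLS 1.2 floor this article configures.
DEPRECATED = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def build_probe_context(version):
    """Return a client context pinned to exactly one TLS version.

    Certificate validation is disabled on purpose: the probe checks protocol
    negotiation on an appliance you administer, not certificate trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 refuses to offer TLS 1.0/1.1 at its default security level,
    # which would make the probe report "refused" regardless of the server.
    # Lower the level so the old version is genuinely offered.
    if version in DEPRECATED:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Attempt one handshake per version; return {TLSVersion: verdict}.

    True  -> handshake completed (the server accepts this version)
    False -> the server rejected the handshake
    str   -> the probe could not run locally (error text), not a server verdict
    """
    results = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = build_probe_context(version)
        except (ssl.SSLError, ValueError) as exc:
            # Local OpenSSL was built without this version or cipher set.
            results[version] = f"local: {exc}"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version] = tls.version() is not None
        except ssl.SSLError as exc:
            # NO_PROTOCOLS_AVAILABLE means our side declined to offer the
            # version; any other alert is the server's rejection.
            if exc.reason == "NO_PROTOCOLS_AVAILABLE":
                results[version] = f"local: {exc.reason}"
            else:
                results[version] = False
        except OSError as exc:
            results[version] = f"local: {exc}"
    return results


def deprecated_versions_accepted(results):
    """Return the names of deprecated versions the server still accepted."""
    return sorted(v.name for v, ok in results.items()
                  if ok is True and v in DEPRECATED)


if __name__ == "__main__":
    import sys
    # Placeholder host name; pass the appliance address as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "fortipam.example.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe_tls_versions(host, port)
    for v in PROBE_VERSIONS:
        print(f"{v.name:8} {res.get(v)}")
    bad = deprecated_versions_accepted(res)
    if bad:
        print("FAIL: still accepting", ", ".join(bad))
    else:
        print("PASS: TLS 1.0 and TLS 1.1 refused")
```

Run it as `python3 probe.py <fortipam-host> 443` after changing the VIP setting. A `local:` entry means the probe itself could not offer that version on this machine, so it says nothing about the appliance; re-run from a host whose OpenSSL still allows TLS 1.0/1.1 before concluding they are disabled.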
