Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Frosty
Contributor

PCI DSS Compliance with FortiOS v6.0

Wondering if anyone can help with a PCI DSS Compliance issue.

Firewall running FortiOS v6.0.12

External vulnerability scan is showing "Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Server Supports Transport Layer Security (TLSv1.1) port 443/udp over SSL"

We do have SSL VPN running on port 443.

I've done the following to try to disable TLS v1.1:

config system global
    set admin-https-ssl-versions tlsv1-2
end

config vpn ssl settings
    set tlsv1-1 disable
end

The issue on the external vulnerability scan keeps coming up.

Any suggestions? Have I missed another setting somewhere?

Frosty
Contributor

Well, well, well ...

Just on a whim I decided to try a third-party test: https://www.cdn77.com/tls-test

That site reports that TLS 1.3 and 1.2 are Enabled ... and TLS 1.1 and 1.0 are Disabled.

Which is what I expected from my config.

So perhaps my regular Qualys Vulnerability Scan is reporting a False Positive on TLS 1.1?

Anyone else using Qualys for external vulnerability scans?

Any issues with false positives with Fortigate units?
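One way to check the listener directly, as an added example that is not part of this thread: the script below uses openssl s_client to attempt a handshake for each TLS version over TCP and, because the scanner's finding names 443/udp, for DTLS 1.0 and 1.2 over UDP, which a web-based TLS checker does not normally exercise. It separates a version the server refuses from one the local OpenSSL build will not offer (recent OpenSSL releases disable TLS 1.0/1.1 at the default security level), so a client-side limitation is not mistaken for a hardened server. The host name, port and the coreutils `timeout` wrapper are assumptions.

```shell
#!/bin/sh
# Probe which TLS / DTLS protocol versions a listener accepts, using openssl s_client.
# Added example for this thread; the host name and the `timeout` wrapper are assumptions.

# classify_output: reads one openssl s_client transcript on stdin and prints
#   accepted           - handshake completed with a real cipher
#   rejected           - the server refused that protocol version
#   client-unsupported - the local OpenSSL would not even offer that version
#   unknown            - no handshake result (timeout, closed port, DNS error ...)
classify_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -qiE 'no protocols available|unknown option'; then
    echo client-unsupported
  elif printf '%s\n' "$out" | grep -qE 'Cipher is \(NONE\)'; then
    echo rejected
  elif printf '%s\n' "$out" | grep -qE 'Cipher is '; then
    echo accepted
  else
    echo unknown
  fi
}

# probe HOST PORT LABEL S_CLIENT_FLAG TRANSPORT: one handshake attempt, one verdict line
probe() {
  host=$1; port=$2; label=$3; flag=$4; transport=$5
  runner=""
  command -v timeout >/dev/null 2>&1 && runner="timeout 15"   # assumed: coreutils timeout
  verdict=$($runner openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1 | classify_output)
  printf '%-9s %s/%-5s %s\n' "$label" "$transport" "$port" "$verdict"
}

# probe_all HOST [PORT]: TLS 1.0-1.3 over TCP, then DTLS 1.0/1.2 over UDP on the same
# port; the UDP probes are what a scanner finding on "443/udp" refers to.
probe_all() {
  host=$1; port=${2:-443}
  probe "$host" "$port" TLSv1.0  -tls1    tcp
  probe "$host" "$port" TLSv1.1  -tls1_1  tcp
  probe "$host" "$port" TLSv1.2  -tls1_2  tcp
  probe "$host" "$port" TLSv1.3  -tls1_3  tcp
  probe "$host" "$port" DTLSv1.0 -dtls1   udp
  probe "$host" "$port" DTLSv1.2 -dtls1_2 udp
}

# Usage: sh probe_tls.sh vpn.example.com 443   (host is a placeholder, not from the thread)
if [ $# -ge 1 ]; then
  probe_all "$1" "$2"
fi
```

If the DTLS probes still show a version accepted that the `tlsv1-1 disable` setting was expected to remove, that UDP listener is what the scanner is reporting on, and the SSL VPN DTLS tunnel settings (`dtls-tunnel` under `config vpn ssl settings`) rather than the TCP TLS flags are the place to review.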