alaaelrayes
New Contributor III

CMMC AC.L2-3.1.13 remote session

Hi team,

 

I need support with CMMC AC.L2-3.1.13 (remote session), as described at this link: https://www.expertcmmc.com/cmmcPractices.php?viewPracticeID=31

 

How can I check and secure the encryption of VPN remote sessions to meet the CMMC requirement?

Thanks,

 

FortiGate FortiClient 

akileshc
Staff

To check and secure the encryption of VPN remote sessions on FortiGate to meet the requirements of the Cybersecurity Maturity Model Certification (CMMC), you can follow these steps:

 

1. Verify encryption settings: Ensure that the VPN connection uses strong encryption algorithms like AES-256 or higher, and secure authentication methods such as certificate-based or two-factor authentication.
2. Configure split-tunneling: Split-tunneling ensures that only the traffic that needs to be encrypted is sent through the VPN, while other traffic remains unencrypted, improving performance and reducing the risk of data breaches.
3. Enable firewall policies: Use firewall policies to restrict access to sensitive information, such as preventing incoming connections from unknown sources, and allowing only specific IP addresses or ports to be used.
4. Monitor VPN activity: Enable auditing and logging on the FortiGate firewall to monitor VPN activity, including the source and destination of VPN connections, and the time and duration of the connection.
5. Update software regularly: Regularly update the FortiGate FortiOS and FortiClient software to ensure that the latest security patches and features are in place, protecting against known and emerging threats.

 

By following these steps, you can secure the encryption of VPN remote sessions on FortiGate and meet the requirements of the CMMC.

 

 

Akilesh


alaaelrayes
New Contributor III

Thanks for your clarification.

How do I check the SSL VPN encryption algorithms? I don't see them in the SSL VPN config the way I do for IPsec.

Another question:
I saw an article about FIPS mode. Is that mode helpful?

akileshc

Note that the encryption algorithms used by SSL VPNs on FortiGate are typically determined by the capabilities of the client device, and not by the configuration of the FortiGate firewall. When a client connects to an SSL VPN, the client and the FortiGate firewall negotiate a common encryption algorithm based on the capabilities of both devices.

 

SSL/TLS provides a mechanism for negotiating the cipher suite used for a secure connection between a client and a server. During the negotiation process, the client and server agree on a common cipher suite that they both support and use that cipher suite to secure the data transmitted between them.

 

A cipher suite is a combination of encryption algorithms used to secure the data that is being transmitted over a network. In the case of SSL/TLS connections, the cipher suite defines the key exchange algorithm, the bulk data encryption algorithm, and the message authentication code (MAC) algorithm used for a secure connection.

 

For example, if the client supports AES-256 encryption and the FortiGate firewall supports AES-256 encryption, then AES-256 encryption will be used for the SSL VPN connection.

 

If you need to modify the cipher suite used by an SSL VPN, refer to the commands below:

 

CLI Syntax:

config vpn ssl settings
    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
end

Technical Tip: How to control the SSL version and cipher suite for SSL VPN
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-control-the-SSL-version-and-cipher-...

 

When FIPS mode is enabled on a FortiGate firewall, the firewall will only use approved encryption algorithms and protocols for VPN connections, system authentication, and data encryption.

Refer to the below KB article for more information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-enable-FIPS-CC-mode/ta-p/196629

 

 

Akilesh
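As an added example (not Fortinet's code, and not part of the original reply), the following script parses a `config vpn ssl settings` block like the one quoted above and audits it against a baseline of TLS 1.2 minimum plus the three AEAD suites from the CLI syntax; the sample configs are constructed, and the tls1-0/tls1-1 version names are assumed only for ordering.

```python
import re

# Added example: audit a FortiGate `config vpn ssl settings` block against a
# CMMC-style TLS baseline (minimum protocol version and approved cipher suites).

# FortiOS version names in ascending order; tls1-2 and tls1-3 appear in the post,
# tls1-0 and tls1-1 are assumed here for ordering only.
TLS_VERSION_ORDER = ["tls1-0", "tls1-1", "tls1-2", "tls1-3"]

# Approved suites: the three AEAD suites from the CLI syntax in the reply above.
APPROVED_SUITES = {"TLS-AES-128-GCM-SHA256", "TLS-AES-256-GCM-SHA384",
                   "TLS-CHACHA20-POLY1305-SHA256"}

# Constructed sample configs: the hardened block from the post, and a weak one
# with an old minimum version and a placeholder (non-approved) suite name.
HARDENED_CONFIG = """config vpn ssl settings
    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
end"""
WEAK_CONFIG = """config vpn ssl settings
    set ssl-min-proto-ver tls1-0
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-PLACEHOLDER-WEAK-SUITE
end"""

def parse_ssl_settings(config_text):
    """Return {option: [values]} for the `set` lines inside `config vpn ssl settings`."""
    settings, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ssl settings":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = re.match(r"set\s+(\S+)\s+(.+)", line)
            if m:
                settings[m.group(1)] = m.group(2).split()
    return settings

def audit_ssl_settings(config_text, min_required="tls1-2"):
    """Return a list of findings; an empty list means the block meets the baseline."""
    s = parse_ssl_settings(config_text)
    findings = []
    min_ver = s.get("ssl-min-proto-ver", [None])[0]
    if min_ver not in TLS_VERSION_ORDER:
        findings.append(f"ssl-min-proto-ver missing or unrecognised: {min_ver}")
    elif TLS_VERSION_ORDER.index(min_ver) < TLS_VERSION_ORDER.index(min_required):
        findings.append(f"ssl-min-proto-ver {min_ver} is below {min_required}")
    suites = s.get("ciphersuite", [])
    if not suites:
        findings.append("ciphersuite not set; FortiOS default suite list applies")
    findings += [f"cipher suite not approved: {c}" for c in suites if c not in APPROVED_SUITES]
    return findings
```

Run it over a `show vpn ssl settings` export to get an evidence list for the AC.L2-3.1.13 assessment; an empty result for the hardened block and two findings for the weak one show the check working.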
alaaelrayes
New Contributor III

"SSL VPNs on FortiGate are typically determined by the capabilities of the client device"

Does "client device" mean the device itself, not FortiClient? Is that right?

akileshc

The FortiClient initiates the SSL connection by using the Internet Explorer SSL and TLS settings. So, if you wish to limit the SSL and TLS versions of FortiClient connections, you must introduce modifications on your client PC Internet Explorer.


For further details, see the Knowledge Base article linked below:
https://community.fortinet.com/t5/FortiClient/Technical-Note-How-to-limit-the-SSL-and-TLS-versions-o...

Akilesh
alaaelrayes
New Contributor III

One more question
Does the server certificate in the FortiGate SSL-VPN settings play a role in the SSL connection?

Thanks.

akileshc

Yes, the server certificate in the FortiGate SSL-VPN settings plays an important role in the SSL connection. The server certificate is used to establish an encrypted connection between the client and the server. The certificate contains information about the identity of the server, including its domain name, public key, and digital signature from a trusted certificate authority.

 

When a client attempts to connect to the server using SSL, the client verifies the authenticity of the server certificate to ensure that the connection is secure. If the server certificate is invalid, expired, or not signed by a trusted certificate authority, the client will not trust the connection and the SSL connection will fail.

 

Therefore, it is important to ensure that the server certificate in the FortiGate SSL-VPN settings is valid, up-to-date, and signed by a trusted certificate authority to ensure secure and reliable SSL connections.

 

Akilesh
alaaelrayes
New Contributor III

Thank you very much for all clarifications :)
