Note that the encryption algorithms used by SSL VPNs on FortiGate are typically determined by the capabilities of the client device, and not by the configuration of the FortiGate firewall. When a client connects to an SSL VPN, the client and the FortiGate firewall negotiate a common encryption algorithm based on the capabilities of both devices.
SSL/TLS provides a mechanism for negotiating the cipher suite used for a secure connection between a client and a server. During the negotiation, the client and server agree on a common cipher suite that both support and use it to secure the data transmitted between them.
A cipher suite is a combination of encryption algorithms used to secure the data that is being transmitted over a network. In the case of SSL/TLS connections, the cipher suite defines the key exchange algorithm, the bulk data encryption algorithm, and the message authentication code (MAC) algorithm used for a secure connection.
For example, if the client supports AES-256 encryption and the FortiGate firewall supports AES-256 encryption, then AES-256 encryption will be used for the SSL VPN connection.
If you need to modify the protocol versions and cipher suites accepted by the SSL VPN, use the following commands (the block must be closed with end for the settings to apply):
config vpn ssl settings
    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
end
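The negotiation described above, as an added worked example that is not FortiOS code or Fortinet's documentation: it parses the three set lines into a server-side policy, then negotiates with a client by picking the highest protocol version inside the server's min/max window that the client also offers, and then the first suite in the server's configured order that the client offered. The TLS 1.3 suite names are the ones from the configuration; the TLS 1.2 suite names, the client offers, the server-preference rule and the assumption that the ciphersuite list only governs TLS 1.3 are constructed assumptions for illustration, not a statement of how FortiOS selects suites internally.

```python
"""Toy model of SSL/TLS cipher-suite negotiation for an SSL VPN connection.

Added example, not FortiOS code. Assumptions: the server picks the highest
common protocol version, then the first suite in its own configured order
that the client also offered; the `ciphersuite` list applies to TLS 1.3 only.
TLS 1.2 suite names and the client offers below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Fortinet protocol-version keywords, weakest to strongest.
PROTO_ORDER = ["ssl-3.0", "tls1-0", "tls1-1", "tls1-2", "tls1-3"]

# The configuration block from the page, closed with `end`.
FORTIOS_CONFIG = """\
config vpn ssl settings
    set ssl-max-proto-ver tls1-3
    set ssl-min-proto-ver tls1-2
    set ciphersuite TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
end
"""

# Constructed: suites the server would accept if the client only speaks TLS 1.2.
TLS12_SERVER_SUITES = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"]

# Constructed client offer: versions it speaks, with its preferred suite first.
CLIENT_OFFER: Dict[str, List[str]] = {
    "tls1-3": ["TLS-CHACHA20-POLY1305-SHA256", "TLS-AES-256-GCM-SHA384"],
    "tls1-2": ["ECDHE-RSA-AES256-GCM-SHA384"],
}


class HandshakeFailure(Exception):
    """No protocol version or cipher suite is common to both sides."""


@dataclass
class ServerPolicy:
    min_ver: str = "tls1-1"
    max_ver: str = "tls1-3"
    tls13_suites: List[str] = field(default_factory=list)

    def allowed_versions(self) -> List[str]:
        lo, hi = PROTO_ORDER.index(self.min_ver), PROTO_ORDER.index(self.max_ver)
        return PROTO_ORDER[lo:hi + 1]

    def suites_for(self, version: str) -> List[str]:
        # Modelling assumption: `ciphersuite` governs TLS 1.3 only.
        return self.tls13_suites if version == "tls1-3" else TLS12_SERVER_SUITES


def parse_fortios(text: str) -> ServerPolicy:
    """Extract the relevant `set` keys from a `config vpn ssl settings` block."""
    policy = ServerPolicy()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set":
            continue
        key, values = parts[1], parts[2:]
        if key == "ssl-min-proto-ver":
            policy.min_ver = values[0]
        elif key == "ssl-max-proto-ver":
            policy.max_ver = values[0]
        elif key == "ciphersuite":
            policy.tls13_suites = values
    return policy


def negotiate_version(client_versions: Iterable[str], policy: ServerPolicy) -> str:
    """Highest version in the server's [min, max] window that the client also offers."""
    allowed = set(policy.allowed_versions())
    offered = set(client_versions)
    for version in reversed(PROTO_ORDER):
        if version in allowed and version in offered:
            return version
    raise HandshakeFailure(
        f"no common protocol version: client {sorted(offered)}, "
        f"server {policy.allowed_versions()}")


def negotiate_suite(version: str, client_suites: List[str], policy: ServerPolicy) -> str:
    """First suite in the server's order that the client offered (server preference)."""
    for suite in policy.suites_for(version):
        if suite in client_suites:
            return suite
    raise HandshakeFailure(f"no common cipher suite for {version}: client {client_suites}")


def negotiate(client_offer: Dict[str, List[str]], policy: ServerPolicy) -> Dict[str, str]:
    """Full negotiation: the agreed version and suite, or HandshakeFailure."""
    version = negotiate_version(client_offer.keys(), policy)
    return {"version": version, "suite": negotiate_suite(version, client_offer[version], policy)}


def negotiation_fails(client_offer: Dict[str, List[str]], policy: ServerPolicy) -> bool:
    """True when the handshake would be refused; handy for probing a policy's edge cases."""
    try:
        negotiate(client_offer, policy)
        return False
    except HandshakeFailure:
        return True


if __name__ == "__main__":
    policy = parse_fortios(FORTIOS_CONFIG)
    print(negotiate(CLIENT_OFFER, policy))
    # A client pinned to TLS 1.1 falls below ssl-min-proto-ver and is rejected.
    print("tls1-1 client rejected:", negotiation_fails({"tls1-1": ["ECDHE-RSA-AES128-SHA"]}, policy))
```

With the sample client, the result is TLS 1.3 with TLS-AES-256-GCM-SHA384 rather than the client's first choice, because the model lets the server's configured order decide among the suites both sides share; a client that only speaks TLS 1.1, or that offers no suite on the server's list, gets a handshake failure instead of a weaker connection, which is the effect the ssl-min-proto-ver and ciphersuite settings are there to produce.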
Technical Tip: How to control the SSL version and cipher suite for SSL VPN
When FIPS mode is enabled on a FortiGate firewall, the firewall will only use approved encryption algorithms and protocols for VPN connections, system authentication, and data encryption.
Refer to the below KB article for more information: