Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
davbu
New Contributor

Created on ‎10-21-2024 07:10 AM

FortiGate TLSv1.3 upgrade

Hello,

 

I recently was testing the upgrade of TLS1.2 to TLS1.3 VPN SSL settings on a 40F.  I enabled TLS 1.3 support using the following CLI commands:

 

config vpn ssl setting

set ssl-max-proto-ver tls1-3

set ssl-min-proto-ver tls1-3

end

 

Now, I am unable to VPN using the FortiClient  v7.0.9.0493.  It should be noted that I am using Azure MFA for 2-factor authentication.

 

I am guessing it is a incompatibility between the VPN client and the new TLS version. TLS 1.3??  Are there any prerequisites, i.e. certificates, etc. that should be done before enforcing TLS1.3?  Any thoughts and suggestions are welcomed.

Labels:
1126
0 Kudos
7 REPLIES 7
AEK
SuperUser
SuperUser

Created on ‎10-21-2024 07:45 AM

Hello Dav

Any error message?

AEK
AEK
1115
davbu
New Contributor
In response to AEK

Created on ‎10-21-2024 11:13 AM

This is the basic error I get when trying:

Capture.PNG

1065
0 Kudos
kumarh
Staff
Staff

Created on ‎10-21-2024 07:50 AM

Hello,

Kindly check and edit the computer registry to enable TLS 1.3:
Go to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

If 'TLS 1.3' is not displaying as a child path under 'Protocols', create it. 'Right-click' 'Protocols', create 'new key', and name it 'TLS 1.3' as mentioned in following document : https://community.fortinet.com/t5/FortiClient/Troubleshooting-Tip-Windows-10-11-unable-to-connect-to...

1106
davbu
New Contributor
In response to kumarh

Created on ‎10-21-2024 11:13 AM

I'll have to try that on my personal PC as my enterprise PC locks out editing the registry.

1064
0 Kudos
davbu
New Contributor
In response to kumarh

Created on ‎10-22-2024 11:32 AM

No luck changing the registry settings.  I am receiving error message:  Unable to establish the VPN connection.  The VPN server may be unreachable or your identity certificate is not trusted. (-5)

986
0 Kudos
RinoBroer
New Contributor III

Created on ‎10-22-2024 12:36 PM

Why do you want to use TLS 1.3 exclusively? You might also consider using only modern cipher suites.

config vpn ssl settings
set banned-cipher RSA DHE SHA1 SHA256 SHA384 ARIA
end

Do you also have the problem with FortiClient 7.2.5.1053?

Rino Broer
Rino Broer
975
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.