Support Forum
vishal1
New Contributor II

Fortigate VA Points

Hi All,

 

My organisation sent some VA Points for our Fortinet firewall. Can anyone help me with how to mitigate/resolve these?

 

Diffie-Hellman group smaller than 2048 bits: 1
ICMP Timestamp Request: 1
Obsolete Version of HP-UX: 1
OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224): 1
Self-signed TLS/SSL certificate: 1
SHA-1-based Signature in TLS/SSL Server X.509 Certificate: 1
SSH Birthday attacks on 64-bit block ciphers (SWEET32): 1
SSH CBC vulnerability: 1
SSH Server Supports diffie-hellman-group1-sha1: 1
SSH Server Supports RC4 Cipher Algorithms: 1
SSH Server Supports Weak Key Exchange Algorithms: 1
SSH Weak Message Authentication Code Algorithms: 8
TLS RC4 Stream Cipher Key Invariance (Bar Mitzvah): 1
TLS Server Supports TLS version 1.0: 1
TLS Server Supports TLS version 1.1: 1
TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32): 1
TLS/SSL Server is enabling the BEAST attack: 1
TLS/SSL Server is enabling the POODLE attack: 1
TLS/SSL Server Is Using Commonly Used Prime Numbers: 41
TLS/SSL Server Supports DES and IDEA Cipher Suites: 1
TLS/SSL Server Supports RC4 Cipher Algorithms (CVE-2013-2566): 1
TLS/SSL Server Supports SSLv3: 1
TLS/SSL Server Supports The Use of Static Key Ciphers: 1
TLS/SSL Weak Message Authentication Code Cipher Suites: 6
Untrusted TLS/SSL server X.509 certificate: 42
Weak Cryptographic Key: 1

 

3 REPLIES
Anthony_E
Community Manager

Hello Vishal,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Vishal,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards.

Anthony-Fortinet Community Team.
ede_pfau
Esteemed Contributor III

Hi,

 

It looks like you are dealing with a Fortigate B-model, like the 60B from around 2010... there has been some development (in terms of tightening security) since.

Please state the version of FortiOS you are using. The settings to mediate those security holes depend on that.

Generally, in "config system global", "config system setting" and some other contexts you can set parameters to enforce a minimum level of security - mainly the minimum version of SSL used (today: TLS 1.2), in "config vpn ipsec" the ciphers offered (DH group > 14), etc. etc.

 

There are a lot of explanations and advice in this direction in the Fortigate Handbook, and probably the Knowledgebase as well.

So, in short, you can tighten security on a contemporary FortiOS version significantly - many of the problem points you mention in your post are about 10 years old. But the appropriate settings depend on the version you use.

 

One caveat: there will be no easy recipe like "if you set this to x and that to y, your FGT will withstand all audits". It takes thorough analysis of the way the FGT is set up, the features used etc. and some seasoned experience in the field of IT security to make the setup safer but not cripple the firewall. Maybe you should consider hiring a Fortinet partner to assist you in this.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
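As an added illustration of the kind of settings Ede refers to (this is example configuration written for this thread, not code from the original post or from Fortinet's documentation), the FortiOS CLI fragment below raises the minimum TLS version on the management services, drops static-key and legacy ciphers, restricts the SSH key-exchange, cipher and MAC lists, and pins IPsec phase 1 to DH group 14 or higher. It assumes a recent FortiOS release (6.4 or 7.x) in which these option names exist; "<tunnel-name>" and "<imported-ca-signed-cert>" are placeholders, and each option should be checked against the CLI reference for the exact version in use, since availability and defaults vary by version.

```fortios
# Added example (not from the original post). Option names follow recent
# FortiOS releases; confirm each one against the CLI reference for your version.
config system global
    # Allow only strong ciphers and digests for HTTPS/SSH/TLS functions
    set strong-crypto enable
    # Relates to the "Supports TLS 1.0 / 1.1", "Supports SSLv3",
    # POODLE and BEAST findings: no protocol below TLS 1.2
    set ssl-min-proto-version TLSv1-2
    set admin-https-ssl-versions tlsv1-2
    # Relates to "Diffie-Hellman group smaller than 2048 bits" for TLS/SSH
    set dh-params 2048
    # Relates to "Supports The Use of Static Key Ciphers":
    # drop RSA-key-exchange suites that give no forward secrecy
    set ssl-static-key-ciphers disable
    # Relates to "Supports diffie-hellman-group1-sha1" and
    # "Supports Weak Key Exchange Algorithms"
    set ssh-kex-algo ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256
    # Relates to the SSH RC4, SWEET32 (3DES) and CBC findings
    set ssh-enc-algo aes128-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com
    # Relates to "SSH Weak Message Authentication Code Algorithms"
    set ssh-mac-algo hmac-sha2-256 hmac-sha2-512
    # Relates to the self-signed / untrusted / SHA-1 certificate findings:
    # point the admin GUI at a CA-issued certificate that was imported
    # beforehand under "config vpn certificate local" (placeholder name)
    set admin-server-cert "<imported-ca-signed-cert>"
end

config vpn ipsec phase1-interface
    edit "<tunnel-name>"
        # Relates to the DH group finding on the VPN side:
        # group 14 is 2048-bit MODP, 19 and 20 are ECP curves
        set ike-version 2
        set dhgrp 14 19 20
        set proposal aes256-sha256 aes128-sha256
    next
end
```

The ICMP timestamp and HP-UX fingerprint findings are not TLS/SSH settings and are not covered by this fragment. Re-run the scan after the change and check that both the TLS and the SSH findings have cleared, because the SSH lists are independent of the TLS ones.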