Support Forum
Fortilover
New Contributor III

Increasing SSL VPN Security (SSL Minimum Protocol Version)

Dear Fortinet Community,

I have a question regarding the "hardening" of SSL VPN connections. I would like to increase security by raising the minimum TLS protocol version.

Last week I tried this via the CLI. Just to let you know: after the change I could not log in to SSL VPN anymore, but I could switch back to the old configuration, and then it worked again.

What did I do? I used this command in the CLI:

config vpn ssl setting
set ssl-min-proto-ver tls1-2
end

After the change via the CLI my config looked different: the line that shows the minimum protocol version just disappeared. When using the Fortinet VPN client, the connection stopped at 40%. Did I do something wrong? Have I missed something? Probably some of you have done this in your environment and can explain to me what to do in order to use a higher TLS version.

FYI: we use tunnel mode. The FortiGate is on the newest version, 7.2.4. I can confirm that TLS 1.3 should be possible.

These are our VPN SSL settings. I have removed information for security reasons.

[screenshot: vpnconfig.jpg]

I would be super happy for any kind of help so that I can understand why I could not connect after my change. :)

Have a wonderful day.

With kindest regards

FortiLover

1 Solution
Fortilover
New Contributor III

Now it worked. So the problem with setting/increasing the minimum supported TLS version must be related to the fact that the FortiGate OS version was not up to date.

Nevertheless, the bug that the info for the minimum supported TLS version is not shown in the config via the CLI should be corrected in a new update for the FortiGate. Dear Fortinet Support, please be so kind as to address in a new update this behavior that the minimum supported TLS version is not shown after updating/configuring it manually via the CLI. If possible I would like to have it as an option via the GUI as well. That would be awesome! :)

With kindest regards

FortiLover

sjoshi
Staff

Dear Fortilover,

Thank you for posting to the Fortinet Community Forum.

Problem Description:

Increasing SSL VPN Security

As per the case description, I believe you are trying to use TLS 1.3 for SSL VPN connectivity, and after the changes you were not able to connect to the VPN. After you changed it to TLS 1.2 it is working again.

Can you let me know the OS of the PC from which you are trying to connect?

TLS 1.3 is supported on Windows 11 and other OSes.

Please check the link below for your reference.

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#tls-pro...

Let us know if this helps.

Thanks

Salon Raj Joshi
Fortilover
New Contributor III

Dear @sjoshi,

Thank you very much for your reply. I want to use TLS 1.2 and TLS 1.3, so the minimum should be TLS 1.2. Therefore I posted the code that shows you that I wanted to configure the SSL VPN settings via the CLI.

I have confirmed that my OS can use TLS 1.2 and TLS 1.3, so we can be sure that this is, first of all, not an OS issue. What I was really wondering about was the fact that after entering this in the CLI:

config vpn ssl setting
set ssl-min-proto-ver tls1-2
end

the first line in the picture in my initial post was removed from the "show settings" output. The FortiClient VPN just stops at 40% after the change via the CLI. When I change it back via the CLI with this command:

config vpn ssl setting
set ssl-min-proto-ver tls1-1
end

it starts working again AND I can see the line again when I use the "show vpn ssl settings" command.

[screenshot: vpnconfig2.jpg]

Yurisk
SuperUser

Hi, I am seeing this too, and Windows (10/11) is not the culprit here - if you leave only TLS 1.3 on the FortiGate, you WILL connect using web SSL, i.e. a browser connection (Edge/Chrome), but at the same time the FortiClient (FC) attempt from the same PC will fail. On the surface, FC takes its TLS settings from the OS, but no matter how I tweaked the TLS settings for the Edge browser (read: Windows OS), nothing helped. I will wait for the FC version that will work with TLS 1.3; until then, just TLS 1.2.

P.S. I tried this about 2 months ago, so maybe the newest FC version solves this; I do not follow closely.

Fortigate VPN SSL Hardening Guide

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
Fortilover
New Contributor III

Just to be clear at this point again: I do not want to force TLS 1.3. I know that our FortiGate supports TLS 1.3; I have checked this. But with SSL VPN I want to set TLS 1.2 as the minimum supported version, and at the moment it works only with TLS 1.1 as the minimum version. When I change the setting via the CLI to TLS minimum version 1.2, the line in the SSL settings for the minimum version (please see my screenshot) just disappears. I have updated the FortiGate to the newest version, as mentioned in the first post. It is version 7.2.4.

Fortilover
New Contributor III

Aaaah, thank you @Yurisk, I had to read your post 2 times. OK, I see. The FortiClient just does not support TLS 1.2 at the moment. That could explain why I could not establish a VPN connection. But it does not explain why the line just disappears from the show config output. Probably, as we only use tunnel mode, it disappears because it knows that with only tunnel mode the FortiClient needs to be used, and this does not support the current configuration... This could be... But I don't know.

At the moment I am using FortiClient VPN version 7.0.6.0290

Yurisk

Actually you were correct the 1st time - I misunderstood what you are trying to do. So:

  1. The disappearing ssl-min-proto-ver tls1-2 is a thing; I just verified it on a few FGTs, back to FortiOS 6.4.11. Indeed strange, but a cosmetic bug: changing the TLS version to 1.2 indeed sets 1.2 as the minimal supported version, even though it is not shown in the configuration.
  2. In my tests FortiClient with TLS 1.2 DID work (FortiOS 7.2.1), but didn't with TLS 1.3. So what you are seeing, FC failing with 1.2, is not normal. It may be worth running on the FGT side
    diagnose debug app sslvpn -1
    dia deb enable
    and trying to connect with the FC and TLS 1.2; this will show the TLS negotiation, not always helpful, but worth trying.

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
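Since the thread establishes that `ssl-min-proto-ver tls1-2` is enforced even though `show vpn ssl settings` stops displaying it, the practical check is to probe the portal from outside and see which versions the FortiGate actually refuses. The script below is an added example for this edit, not code from the thread, from Yurisk or from Fortinet. It assumes the `openssl` CLI is available on the probing host and that you supply the portal HOST and PORT (10443 in the usage line is an assumption, not taken from the post); the FortiOS version names `tls1-0` .. `tls1-3` follow the `set ssl-min-proto-ver` syntax shown above. It forces one protocol version per handshake with `openssl s_client` and judges success from the `New, <proto>, Cipher is <cipher>` line, because on a refused handshake the `SSL-Session` block still prints the version that was attempted.

```shell
#!/bin/sh
# Added example, not from the thread or from Fortinet: probe which TLS
# versions an SSL VPN portal really accepts, independent of whether
# "show vpn ssl settings" displays the ssl-min-proto-ver line.
# Assumes the openssl CLI is installed; HOST and PORT are supplied by the caller.

# negotiated_protocol OUTPUT
# Parse the "New, <proto>, Cipher is <cipher>" line openssl s_client prints
# after the handshake. A refused version yields "New, (NONE), Cipher is (NONE)".
# Do not key on the "Protocol :" line of the SSL-Session block: on a failed
# handshake it still names the version that was *attempted*.
# Prints "<proto> <cipher>" on success, "none" otherwise.
negotiated_protocol() {
  line=$(printf '%s\n' "$1" \
    | sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
  case "$line" in
    ""|"(NONE) (NONE)") printf 'none\n' ;;
    *) printf '%s\n' "$line" ;;
  esac
}

# version_flag NAME -> s_client flag for a FortiOS ssl-min-proto-ver name
version_flag() {
  case "$1" in
    tls1-0) printf '%s\n' '-tls1' ;;
    tls1-1) printf '%s\n' '-tls1_1' ;;
    tls1-2) printf '%s\n' '-tls1_2' ;;
    tls1-3) printf '%s\n' '-tls1_3' ;;
    *) return 1 ;;
  esac
}

# probe_tls HOST PORT NAME
# Force one protocol version and report what was negotiated. SECLEVEL=0 stops
# the client's own OpenSSL policy from refusing TLS 1.0/1.1 before the server
# gets a say, so a "none" result reflects the server's decision.
probe_tls() {
  flag=$(version_flag "$3") || return 1
  out=$(printf '' | openssl s_client -connect "$1:$2" -servername "$1" \
          -cipher 'DEFAULT:@SECLEVEL=0' "$flag" 2>&1)
  negotiated_protocol "$out"
}

# expected_outcome NAME MIN -> "refused" if NAME is below MIN, else "accepted"
expected_outcome() {
  [ "${1#tls1-}" -lt "${2#tls1-}" ] && printf 'refused\n' || printf 'accepted\n'
}

# check_min HOST PORT MIN
# MIN is the FortiOS name (tls1-0 .. tls1-3). Every version below MIN must be
# refused and MIN itself accepted; higher versions are only reported, since
# they depend on ssl-max-proto-ver and on the cipher suites offered.
check_min() {
  rc=0
  for v in tls1-0 tls1-1 tls1-2 tls1-3; do
    got=$(probe_tls "$1" "$2" "$v")
    case "$got" in none) have=refused ;; *) have=accepted ;; esac
    want=$(expected_outcome "$v" "$3")
    if [ "${v#tls1-}" -gt "${3#tls1-}" ]; then
      printf '%-7s %-9s (%s)\n' "$v" "$have" "$got"
    elif [ "$have" = "$want" ]; then
      printf '%-7s %-9s OK\n' "$v" "$have"
    else
      printf '%-7s %-9s MISMATCH, expected %s\n' "$v" "$have" "$want"; rc=1
    fi
  done
  return $rc
}

# Usage: sh tls_probe.sh HOST PORT MIN
#   e.g. sh tls_probe.sh vpn.example.com 10443 tls1-2   (host/port are assumptions)
if [ $# -eq 3 ]; then
  check_min "$1" "$2" "$3"
fi
```

Run it against the portal after setting `ssl-min-proto-ver tls1-2`: `tls1-0` and `tls1-1` should come back `refused` and `tls1-2` `accepted`, which confirms the enforcement Yurisk describes regardless of the missing config line. The probe only exercises the server side of the handshake; a FortiClient that still stalls at 40% against a portal that passes this check is a client-side question, which is where the `diagnose debug app sslvpn -1` trace suggested above comes in.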
