Dear Fortinet Community.
I have a question regarding the "hardening" of SSL VPN connections. I would like to increase security by raising the minimum TLS protocol version.
Last week I tried this via the CLI. Just to let you know: after the change I could not log in to the SSL VPN anymore. But I could switch back to the old configuration and then it worked again.
What did I do? I used this command on the CLI:
config vpn ssl setting
set ssl-min-proto-ver tls1-2
end
After the change via the CLI my config looked different. The line that shows the minimum protocol version just disappeared. When using the Fortinet VPN client, the connection stopped at 40%. Did I do something wrong? Have I missed something? Probably some of you have done this in your environment and can explain to me what to do in order to use a higher TLS version.
FYI: we use tunnel mode. The FortiGate is on the newest version, 7.2.4. I can confirm that TLS 1.3 should be possible.
These are our vpn ssl settings. I have removed some information for security reasons.
I would be super happy for any kind of help so that I can understand why I could not connect after my change. :)
Have a wonderful day.
With kindest Regards
FortiLover
Now it worked. So the problem with setting/increasing the minimum supported TLS version must be related to the fact that the FortiGate OS version was not up to date.
Nevertheless, the bug that the minimum supported TLS version is not shown in the config via the CLI should be corrected in a new update for the FortiGate. Dear Fortinet Support, please be so kind as to address, in a new update, this behavior that the minimum supported TLS version is not shown after updating/configuring it manually via the CLI. If possible I would like to have it as an option via the GUI as well. That would be awesome! :)
With kindest regards
FortiLover
Dear Fortilover,
Thank you for posting to the Fortinet Community Forum.
Problem Description:
Increasing SSL VPN Security
As per the case description I believe you are trying to use TLS 1.3 for SSL VPN connectivity, and after the changes you were not able to connect to the VPN. After you changed it to TLS 1.2 it is working again.
Can you let me know the OS of the PC from which you are trying to connect?
TLS 1.3 is supported for Win 11 and other OSes.
Please check the link below for your reference.
Let us know if this helps.
Thanks
Created on 05-15-2023 03:48 AM Edited on 05-15-2023 03:50 AM
Dear @sjoshi.
Thank you very much for your reply. I want to use TLS 1.2 and TLS 1.3. So the minimum should be TLS 1.2. That is why I posted the commands that show you that I wanted to configure the SSL VPN settings via the CLI.
I have confirmed that my OS can use TLS 1.2 and TLS 1.3. So we can be sure that this is, first of all, no OS issue. What I was really wondering about was the fact that after entering this in the CLI:
config vpn ssl setting
set ssl-min-proto-ver tls1-2
end
the first line in my picture in my initial post was removed from the "show settings" output. The FortiClient VPN just stops at 40% after the change via the CLI. When I change it back via the CLI with this command:
config vpn ssl setting
set ssl-min-proto-ver tls1-1
end
it starts working again AND I can see the line again when I use the "show vpn ssl settings" command.
Hi, I am seeing this too, and Windows (10/11) is not the culprit here. If you leave only TLS 1.3 on the FortiGate, you WILL connect using web SSL, i.e. a browser connection (Edge/Chrome), but at the same time the FortiClient (FC) attempt from the same PC will fail. On the surface, FC takes its TLS settings from the OS, but no matter how I tweaked the TLS settings for the Edge browser (read: Windows OS), nothing helped. I will wait for the FC version that works with TLS 1.3; until then, just TLS 1.2.
P.S. I tried this about 2 months ago, so maybe the newest FC version solves this; I do not follow closely.
Fortigate VPN SSL Hardening Guide
Just to be clear at this point again: I do not want to force TLS 1.3. I know that our FortiGate supports TLS 1.3; I have checked this. But for SSL VPN I want to set TLS 1.2 as the minimum supported version. At the moment it works only with TLS 1.1 as the minimum version. When I change the setting via the CLI to a TLS minimum version of 1.2, the line in the ssl settings for the minimum version (please see my screenshot) just disappears. I have updated the FortiGate to the newest version, as mentioned in the first post. It is version 7.2.4.
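Because the thread shows the `show` output can be misleading (the `ssl-min-proto-ver` line vanished even though the setting was applied), an external check of what the portal actually negotiates is the more reliable way to confirm the change. The script below is an added example, not code from the forum post or from Fortinet: it probes the SSL VPN portal with `openssl s_client` once per TLS version and classifies each handshake, then checks the result against the policy the poster wants (TLS 1.1 refused, TLS 1.2 or 1.3 accepted). The host name and port are placeholders you must replace with your own portal address; the two `SAMPLE_*` strings are constructed `openssl` outputs used only to exercise the parser offline.

```shell
#!/bin/sh
# Added example (not from the forum thread). Verifies the effective minimum TLS
# version of an SSL VPN portal from the outside, independent of what the FortiGate
# "show vpn ssl settings" output displays. Requires a local openssl binary.

# classify_probe OUTPUT
#   Reads captured "openssl s_client" output and prints one of:
#     "ok TLSv1.x"        handshake completed with that protocol
#     "refused"           server rejected the offered version (or no session)
#     "client-unsupported" the local openssl itself cannot offer that version
classify_probe() {
  out=$1
  case "$out" in
    *"no protocols available"*) echo "client-unsupported"; return 0 ;;
  esac
  # The SSL-Session block prints "Protocol  : TLSv1.2" and "Cipher    : <name>";
  # a failed handshake either omits the block or shows "Cipher    : 0000".
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(TLSv1\.[0-9]\).*/\1/p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\(.*\)$/\1/p' | head -n 1)
  if [ -n "$proto" ] && [ -n "$cipher" ] && [ "$cipher" != "0000" ]; then
    echo "ok $proto"
  else
    echo "refused"
  fi
}

# probe_version HOST PORT FLAG  (FLAG is -tls1_1, -tls1_2 or -tls1_3)
#   Forces a single protocol version and classifies the handshake result.
probe_version() {
  host=$1; port=$2; flag=$3
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" "$flag" 2>&1)
  classify_probe "$out"
}

# policy_min_tls12 RESULT11 RESULT12 RESULT13
#   PASS when TLS 1.1 is not accepted and at least one of TLS 1.2 / 1.3 connects.
policy_min_tls12() {
  case "$1" in
    ok*) echo "FAIL: TLS 1.1 still accepted"; return 1 ;;
  esac
  case "$2 $3" in
    *ok*) echo "PASS: minimum is TLS 1.2"; return 0 ;;
  esac
  echo "FAIL: neither TLS 1.2 nor TLS 1.3 connected (check port or firmware)"
  return 1
}

# audit_min_version HOST PORT
#   Probes all three versions and applies the policy check.
audit_min_version() {
  host=$1; port=$2
  r11=$(probe_version "$host" "$port" -tls1_1)
  r12=$(probe_version "$host" "$port" -tls1_2)
  r13=$(probe_version "$host" "$port" -tls1_3)
  printf 'TLS1.1: %s\nTLS1.2: %s\nTLS1.3: %s\n' "$r11" "$r12" "$r13"
  policy_min_tls12 "$r11" "$r12" "$r13"
}

# Constructed sample outputs (trimmed) for exercising classify_probe offline.
SAMPLE_TLS12_OK='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---
    Verify return code: 0 (ok)'

SAMPLE_TLS11_REFUSED='CONNECTED(00000003)
error:0A000102:SSL routines::tlsv1 alert protocol version
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

# Run a live audit only when a host is given, e.g.:
#   sh audit_sslvpn_tls.sh vpn.example.invalid 443   (placeholder host and port)
if [ -n "${1:-}" ]; then
  audit_min_version "$1" "${2:-443}"
fi
```

A "client-unsupported" result means the local OpenSSL build refused to offer that version (older versions are disabled at higher security levels), so it says nothing about the FortiGate; rerun that probe from a client that still allows the version before drawing a conclusion. The check exercises only the portal's TLS listener, so a PASS here combined with a FortiClient tunnel that still stops at 40% points at the client, as the thread's later replies discuss, rather than at the FortiGate setting.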
Created on 05-15-2023 04:07 AM Edited on 05-15-2023 04:09 AM
Aaaah, thanks @Yurisk, I had to read your post 2 times. OK, I see. The FortiClient just does not support TLS 1.2 at the moment. That could explain why I could not establish a VPN connection. But it does not explain why the line just disappears from the show config output. Probably, as we only use tunnel mode, it disappears because it knows that with only tunnel mode the FortiClient needs to be used, and this does not support the current configuration... This could be... But I don't know.
At the moment I am using FortiClient VPN Version 7.0.6.0290
Actually you were correct the 1st time - I misunderstood what you are trying to do. So