
Removing TLS1.0 on Fortigate for SMTP port 25 traffic

Hi. I have had an open ticket with Fortinet support on this for what seems like forever, and I am not getting very far, so I am putting this out to anyone with a FortiGate who is PCI DSS compliant. Our security ASV detects TLS 1.0 on port 25 of our FortiGate (a 200E). I have had this problem for years, originally with a FortiGate 110C, and was told that upgrading to 5.4.x would resolve it. Our 110C did not support 5.4.x, so we bought a 200E, now running 5.4.5, and it still hasn't been fixed. If we don't use deep scanning on the port, traffic goes straight through to the Exchange server, where TLS 1.0 has been disabled, so it isn't a problem there. If we use deep scanning for the anti-virus, however, it fails, so it is definitely the FortiGate at issue. I have been told to try a load-balance server, but we only use port 25 for SMTP. There is no "TCPS" option on the load-balance server; the only protocol that works in the LB server is TCP, and this doesn't allow choosing the protocol.

So, how have you got PCI DSS compliant with SMTP and TLS through your FortiGates?


Note: TLS 1.0 has been successfully blocked on all other ports/protocols; it is just SMTP/TLS that is left unresolved.
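To see what the ASV scanner sees, here is an added example (my own code, not from the post above and not a Fortinet tool) that walks the SMTP STARTTLS exchange on port 25 and asks the peer for exactly one TLS version, so you can confirm whether the deep-inspection proxy in front of Exchange still accepts TLS 1.0. The hostname, port and EHLO name are assumed placeholders.

```python
import io
import socket
import ssl

def read_reply(f):
    """Read one SMTP reply; continuation lines are 'NNN-', the last line is 'NNN '."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("peer closed the connection mid-reply")
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[3] == " ":
            return int(line[:3]), lines

def split_reply(text):
    """Parse a reply already held as a string (used for offline checks of the parser)."""
    return read_reply(io.StringIO(text))

def ehlo_offers_starttls(lines):
    """True if the EHLO reply advertises the STARTTLS extension."""
    return any(l[4:].strip().upper() == "STARTTLS" for l in lines)

def tls_context(version_name):
    """Client context pinned to one version, e.g. 'TLSv1'; cert checks are off on purpose."""
    version = ssl.TLSVersion[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are probing the protocol, not the identity
    ctx.minimum_version = ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL 3 refuses TLS 1.0/1.1 at default level
    return ctx

def starttls_negotiates(host, version_name, port=25, timeout=10):
    """Return the protocol the server negotiated (e.g. 'TLSv1'), or None if it refused."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("r", encoding="ascii", errors="replace")
        read_reply(f)  # 220 greeting
        s.sendall(b"EHLO probe.example\r\n")  # assumed client name
        code, lines = read_reply(f)
        if code != 250 or not ehlo_offers_starttls(lines):
            return None
        s.sendall(b"STARTTLS\r\n")
        if read_reply(f)[0] != 220:
            return None
        try:
            return tls_context(version_name).wrap_socket(s, server_hostname=host).version()
        except ssl.SSLError:
            return None  # handshake rejected: this version is not offered on port 25
```

Running `starttls_negotiates("mail.example", "TLSv1")` against the FortiGate's public address should return None once deep inspection stops offering TLS 1.0; a returned "TLSv1" reproduces the ASV finding.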
