Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
JTMarcure
New Contributor

SSL renegotiation

Hi, I have a FortiWiFi 60 C v4.0,build0672,130904 (MR3 Patch 15) and I' m trying to get it to pass PCI intrusion detection. It has been suggested that I disable TLS renegotiation but how? The What' s new FortiOS 4.0 MR3 documnet says the following to disable config firewall vip set ssl-client-renegotiation {allow | deny} end The problem is that I get an Unknown action 0 error when I try the command. Any suggestions?
15 REPLIES 15
rwpatterson
Valued Contributor III

Are you sure that command is available in V4 firmware? From V4.3.14:
 FORTIGATE $ conf firewall vip
 
 FORTIGATE (vip) $ set
 command parse error before ' set' 
 
 FORTIGATE (vip) $ edit " VIP_Definition" 
 
 FORTIGATE (VIP_Definition) $ set ssl-client-renegotiation
 
 command parse error before ' ssl-client-renegotiation' 
 Command fail. Return code -61
 
 FORTIGATE (VIP_Definition) $ set ?
 id                         custom defined id
 comment                    comments
 type                       vip type: static NAT, load balance, server load balance
 src-filter                 source IP filter (x.x.x.x/x x.x.x.x-y.y.y.y)
 *extip                      start-external-IP [-end-external-IP]
 *mappedip                   start-mapped-IP [-end mapped-IP]
 *extintf                    external interface
 arp-reply                  enable ARP reply
 nat-source-vip             whether to force NAT as VIP when server goes out
 portforward                enable port forward
 gratuitous-arp-interval    interval between sending gratuitous arps (seconds)(0 to disable)
 color                      Set GUI icon color.
 
 FORTIGATE (VIP_Definition) $ end

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
JTMarcure

Hi, Thanks for the reply. So I' m not crazy? I also didn' t see the command in the CLI help so I figured I was doing something wrong. I have version 4 MR3 This is a link for the What' s new in version 4 MR3 http://docs.fortinet.com/uploaded/files/1054/fortigate-whatsnew-40-mr3.pdf On page 98 it states SSL renegotiation for SSL offloading provides allow/deny client renegotiation and has the example. The configuration is in the CLI: config firewall vip set ssl-client-renegotiation {allow | deny} end As you know it doesn' t seem to be there. I guess it' s time to contact support. Thanks again.
rwpatterson
Valued Contributor III

With the word offloading in there, perhaps you need an NP chip to do that. Our units don' t have the chip to offload to... hence no menu option.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
ShrewLWD
Contributor

Just curious (for both of you); is your Fortinet set up for SSL/TLS offloading? Those commands only become available after the Fortinet has been set up (and rebooted, if I recall correctly, in 4.0, don' t believe so in 5.0). Here is a discussion specific to disabling that due to a vulnerability... http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ldb.134.29.html
JTMarcure

Well I' m new to all this firewall stuff but I looked up the off loading and I' m sure we are not setup for it or have the hardware in place for it. What' s happening is that I' m failing a PCI audit scan for the renegotiation and I have over 100 60 B & Cs in a POS environment that I have to make pass the scan. Any ideas of how I can approach this would be very welcome.
ShrewLWD
Contributor

I have over 200 forti-devices that get audited quarterly, so I can assist. 1) Are you sure it was the IP address of the Fortinet itself that failed SSL (and specifically port 443)? 2) If yes, do you have the admin/login page set to allow access from all IPs (unrestricted)? 3) Or have you remapped the login page' s HTTPS to another port, and VIP' d 443 into an internal device? I' d like to start by determining it is actually the Fortinet' s SSL implementation itself that is being flagged.
JTMarcure

My background is software development so firewall configs are a BIG mystery for me at this point. I' m also new to the company/industry and I' m replacing the network expert that left for greener pastures. (I really didn' t expect to be doing this stuff) Okay end of whining. I just wanted to establish my cluelessness. The ISP IP address is failing. It' s a cable modem connected directly to Wan1 on the Fortinet. I have a public facing portal setup on port 10443 which is failing. Four failures on that. Specifically: tcp Self-signed TLS/SSL certificate tcp TLS Session Renegotiation Vulnerability tcp TLS/SSL Server Supports SSLv2 tcp TLS/SSL Server Supports Weak Cipher Algorithms On port 8080 I get two failures. tcp TLS Session Renegotiation Vulnerability tcp Untrusted TLS/SSL server X.509 certificate I also get these but I believe we are disputing these based on input from the audit team. port 8080 tcp X.509 Certificate Subject CN Does Not Match the Entity Name port 10443 tcp X.509 Certificate Subject CN Does Not Match the Entity Name port 22 tcp SSSD Local Handler Callback Unauthorized Login Vulnerability.
ShrewLWD
Contributor

OK, that sounds like the ISP modem is in route mode, versus PassThrough, or the security group is scanning the wrong IP. 1) go into the firewall, on the left side, click Network, then Interface. Double click the word WAN1. Under addressing mode, is it set to Manual, DHCP, or PPPoE? 2) If it is Manual (or DHCP), is the IP address in there a 192.168.x.x, 10.x.x.x or 172.16.x.x IP address? If yes, the ISP modem is in route mode. You need to ask them to put it into passthrough mode, then either get the static IP address from them for the firewall and plug it into here, or get the PPPoE login info and also plug it into here. If no, is the IP address listed the IP address that got audited? If no, give the auditors the IP address you see in this screen. We have sometimes accidently given the scanners the gateway IP instead of our firewall, which typically fails miserably. Be aware, if you do make a change, you need to then go down to the lower left corner of the webpage, click the word Router, static route, and double click the 0.0.0.0/0.0.0.0 line. Change the gateway in there to whatever your ISP says needs to be your gateway (the exception to this is if they give you PPPoE information. There will be a check box in the WAN1 area to ' Retrieve default gateway from Server' check that. Let' s see what you discover.
JTMarcure

Hi, Thanks for the reply. All our firewalls are setup for a manual IP. The listed IP in the audit report is the same as the manual IP. The gateway is set to the value provided by the ISP.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors