Recently my firewall was scaned by PCIDSS auditors, and they recommends to turn off 3DES in SSL VPN.
Is it possible to turn off it on 5.2.11 firmware ?
Is it safe to use 3DES in IPSEC VPN ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
it's not possible to disable 3DES in SSL VPN on a fortigate running forti os prior to 5.4.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD39819
if it's possible you should use AES in IPSEC VPN
regards,
Fortigate 500E HA Fortimail 200 Fortimanager
FortiEMS
FortiSandbox 1000D
FortiSwitch Network Some other Models in use :-) ---------------------------------------------------- FCSE ----------------------------------------------------
I hope this feature will be enabled in future 5.2 firmware versions.
I have some 60d firewalls, with 5.4 firmware, but 5.2 looks much better, and i don't want to upgrade my 600c firewall cluster to 5.4 or 5.6 firmware.
Yes it is doable in 5.2.11
config vpn ssl settings set sslv3 disable set algorithm high set port 443 end
test with openssl
1: list the ciphers
openssl ciphers MEDIUM
openssl ciphers HIGH
Use the 3DES ciphers in the s_client before and after the change
e.g
;
openssl s_client -connect 1.1.1.2:443 -cipher DES-CBC3-SHA1
openssl s_client -connect 1.1.1.2:443 -cipher DES-CBC3-MD5
and so on
PCNSE
NSE
StrongSwan
emnoc wrote:Yes it is doable in 5.2.11
config vpn ssl settings set sslv3 disable set algorithm high set port 443 end
test with openssl
1: list the ciphers
openssl ciphers MEDIUM
openssl ciphers HIGH
Use the 3DES ciphers in the s_client before and after the change
e.g
;
openssl s_client -connect 1.1.1.2:443 -cipher DES-CBC3-SHA1
openssl s_client -connect 1.1.1.2:443 -cipher DES-CBC3-MD5
and so on
This did not work for me. I am still able to connect with:
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, and
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Open a ticket with support. I would disable all SSLv3 and TLSv1-0 and 1-1 protocols and retest and enable high algorithims
Ken
PCNSE
NSE
StrongSwan
Thanks, Right now TLS 1.0 and 1.1 are still enabled. I'll try turning those off first and if that doesn't work open a ticket with Fortinet and report back.
I turned off TLS 1.0 and TLS 1.1 but that did not turn off the 3DES ciphers. Even the FortiOS™ Handbook - SSL VPN v5.2.12 states 3DES would still be be enabled. This does not look possible in 5.2. I will open a ticket to confirm.
https://docs.fortinet.com...ortigate-sslvpn-52.pdf
high - Use a ciper suite grather than 128 bits; AES or 3DES
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, and TLS_RSA_WITH_3DES_EDE_CBC_SHA
I'll test this later in FortiOSv6.0 , this why you need to stay up to date in firmware. 5.2.x is nowhere considered most current and new release would be better and more secured. If your going thru any security audit, than the 1st thing looked at would be why are you on 5.2.11 imho
Ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.