Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor III

Which SSL/TLS protocols are supported by FortiGate 5.2.2 SSL full inspection?

How can I determine if a site will play nice with FortiGate SSL full inspection?  SSL inspection works well for us most of the time, but we will occasionally happen upon sites which do not seem to respond during SSL protocol negotiations.  I'm wondering if it is sometimes due to the FG and the sites not having an SSL protocol in common which they both support.


For example, SSL Labs shows that does not support TLS 1.2, TLS 1.1, SSL 3 or SSL 2; it only supports TLS 1.0.

When I try to go to, a packet capture on my workstation shows a couple of Client Hello attempts in the SSL handshake, but there are no SSL handshake responses. 


Could it be that our FortiGate 5.2.2 does not support TLS 1.0?  If so, can that be changed?

Esteemed Contributor III

What did you client supported  in the ssl hello? Did you try a alternative client? Did you run a debug diag flow and analyze the failure






diag debug reset

diag debug enable

diag debug flow filter

diag debug flow show console enable

diag debug flow trace start 100



And then run your request cycling thru the  ssl/tls versions that you suspect.



openssl s_client -connect -tls1


or even better by using curl and specifying the tls1 minor version


curl -k -tlsv1.2 -I


curl -k -tlsv1 -I




The diag debug flow is your best friend. I don't believe you can disable the types of ssl/tls version in  the protocol decoders.









PCNSE NSE StrongSwan

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors