Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
stukat
New Contributor

encryption

When using SSL-VPN (FortiClient) what type of encryption is used; AES256, RC4, 3DES? How can I verify this? Information required for auditors.
18 REPLIES
emnoc
Esteemed Contributor III

That would be determined by the client and the FortiGate, based on what's negotiated at the time of the SSL handshake. FortiClient supports the following: AES128/192/256, DES/3DES. But I'm not 100% sure this is the most up-to-date sheet. http://www.fortinet.com/sites/default/files/productdatasheets/FortiClient.pdf

PCNSE NSE StrongSwan
stukat
New Contributor

I believe that these are only for IPsec. I have not been able to find a way to set the encryption for my SSL connection. Thought it might be CLI, but the only thing I saw was "set algorithm high"...
jorge9090
New Contributor

Have you tried the command "show full-config" in the SSL VPN configuration, to see if there is a hidden command applied by default regarding the encryption used in the negotiations?
stukat
New Contributor

Good idea, but no hidden commands.
emnoc
Esteemed Contributor III

Have you exported the cfg in FortiClient and looked at the options in the FortiClient cfg? Also use a test cipher script to check which ciphers are supported:

#!/usr/bin/env bash
# Usage: ./ciphertest.sh <host>   (tries every OpenSSL cipher name against <host>:443)
SERVER=$1:443
DELAY=1
# Cipher names come from the local OpenSSL build; each one is offered on its own
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
echo Obtaining cipher list from $(openssl version).
for cipher in ${ciphers[@]}
do
  echo -n Testing $cipher...
  result=$(echo -n | openssl s_client -cipher "$cipher" -connect $SERVER 2>&1)
  if [[ "$result" =~ "Cipher is ${cipher}" ]] ; then
    echo YES
  else
    if [[ "$result" =~ ":error:" ]] ; then
      # sixth colon-separated field of the OpenSSL error string is the reason
      error=$(echo -n $result | cut -d':' -f6)
      echo NO \($error\)
    else
      echo UNKNOWN RESPONSE
      echo $result
    fi
  fi
  sleep $DELAY
done

You would have some idea as to what ciphers are supported by the sslvpn daemon.

PCNSE NSE StrongSwan
emnoc
Esteemed Contributor III

Being bored, I've tested a few FGT appliances:

Testing DHE-RSA-AES256-SHA...YES
Testing DHE-RSA-CAMELLIA256-SHA...YES
Testing AES256-SHA...YES
Testing CAMELLIA256-SHA...YES
Testing EDH-RSA-DES-CBC3-SHA...YES
Testing DES-CBC3-SHA...YES
Testing DHE-RSA-AES128-SHA...YES
Testing DHE-RSA-SEED-SHA...YES
Testing DHE-RSA-CAMELLIA128-SHA...YES
Testing AES128-SHA...YES
Testing SEED-SHA...YES
Testing CAMELLIA128-SHA...YES
Testing RC4-SHA...YES
Testing RC4-MD5...YES

So for bulk encryption we have support for RC4/SEED/AES128 & 256/CAMELLIA 128 & 256 and finally DES.

PCNSE NSE StrongSwan
stukat
New Contributor

I found info which explains that Fortinet uses encryption above 128 bits when you specify algorithm = high. Unfortunately, it shows multiple choices (AES128/256, etc.) but doesn't provide a way to determine which one is in use. Maybe Wireshark will show me something...
netmin
Contributor II

http://docs-legacy.fortinet.com/cb/html/index.html#page/FOS_Cookbook/Install_advanced/cb_ts_debug.html

diag debug application sslvpn -1 should show something like this:
[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
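As an added example (not from netmin's post, and not Fortinet code), a small Python parser that pulls the negotiated suite out of that "SSL established:" debug line and lists the points an auditor would question; the sample line, the weak-cipher set and the function names are constructed here, and the version field is recorded but not judged because in OpenSSL's cipher-description layout it names the suite's nominal version rather than the negotiated protocol.

```python
import re

# Constructed sample in the format of the debug line quoted above
# (values illustrative, not a real capture).
SAMPLE_LINE = ("[282:root]SSL established: DHE-RSA-AES256-SHA SSLv3 "
               "Kx=DH Au=RSA Enc=AES(256) Mac=SHA1")

# The line follows OpenSSL's cipher-description layout; the second field
# is the suite's nominal version, not the negotiated protocol, so it is
# captured but not judged in audit_findings().
_ESTABLISHED = re.compile(
    r"SSL established:\s+(?P<suite>\S+)\s+(?P<ver>\S+)\s+Kx=(?P<kx>\S+)"
    r"\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Bulk ciphers an auditor would normally flag (constructed list).
WEAK_BULK = {"RC4", "DES", "3DES", "NULL"}

def parse_established(line):
    """Return the negotiated parameters as a dict, or None if no match."""
    m = _ESTABLISHED.search(line)
    if not m:
        return None
    d = m.groupdict()
    em = re.match(r"(?P<alg>[A-Za-z0-9]+)\((?P<bits>\d+)\)", d["enc"])
    d["enc_alg"] = em.group("alg") if em else d["enc"]
    d["enc_bits"] = int(em.group("bits")) if em else None
    return d

def find_negotiated(debug_output):
    """Scan whole debug output (e.g. a pasted session); first parsed line or None."""
    for line in debug_output.splitlines():
        parsed = parse_established(line)
        if parsed:
            return parsed
    return None

def audit_findings(params):
    """Return the points an auditor would question about the negotiation."""
    findings = []
    if params["enc_alg"].upper() in WEAK_BULK:
        findings.append("bulk cipher %s is deprecated" % params["enc_alg"])
    if params["enc_bits"] is not None and params["enc_bits"] < 128:
        findings.append("key length %d bits is below 128" % params["enc_bits"])
    if params["mac"].upper() == "MD5":
        findings.append("MAC MD5 is deprecated")
    if params["kx"].upper() == "RSA":
        findings.append("RSA key exchange gives no forward secrecy")
    return findings
```

Feed it the output of the debug command; if find_negotiated() returns None, no SSL-VPN session was established while debugging was enabled, which is what the PPP-only output later in this thread shows.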
stukat
New Contributor

Received this as the result:

USPASGFW # diag debug info
debug output: disable
console timestamp: enable
console no user log message: disable
CLI debug level: 3
USPASGFW # diag debug application sslvpn -1
USPASGFW # diag debug enable
USPASGFW # 2014-09-04 09:51:33 LCP terminated by peer
2014-09-04 09:51:33 ipcp: down ppp:0x2a98d04000 tun: 0x2a98c69470 ref 2
2014-09-04 09:51:54 lcp_reqci: returning CONFREJ.
2014-09-04 09:51:54 lcp_reqci: returning CONFACK.
2014-09-04 09:51:54 lcp_up: with mtu 1354
2014-09-04 09:51:54 ipcp: returning Configure-REJ
2014-09-04 09:51:54 ipcp: returning Configure-NAK
2014-09-04 09:51:54 ipcp: returning Configure-ACK
2014-09-04 09:51:54 ipcp: up ppp:0x2a98d04000 tun:0x2a98c69470 ref 2
2014-09-04 09:51:54 Cannot determine ethernet address for proxy ARP
2014-09-04 09:51:54 local IP address xxx.xxx.xxx.xxx
2014-09-04 09:51:54 remote IP address 192.168.1.66

No info about encryption type.