config system global set strong-crypto enable endAccording to the cli manual this enforces
use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access.My question is twofold: 1. How does this prove or imply that SSLv3 is disabled? 2. Are there any other side effects to making this change (ssh key change or otherwise)?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
we have implemented the fix on some Fortigates and haven't seen any side effects or issues after this. SSH is still working, the access to the GUI and SSL VPN via FortiClient as well.
Hello, it is possible to filter SSLv3 packets via Fortigate?
you can test if sslv3 is disabled by :
logging in from a linux-box > openssl s_client -connect <IP>:443 -ssl3
Hello, it is possible to filter SSLv3 packets via Fortigate?
There's a few snort rules that you can use but YMMV , in reality you should disable sslv3 support at the host:services. Within most case it a cfg line ( i.e apache2 ) or a software upgrade and disable via the software. Or if it's linux you can deploy a iptable rules once again YMMV and your success will vary.
If it's a fortigate (service) the only option is to look for a command configuration in the sys global or upgrade the unit fortiOS. You might get away with running FIPS mode of operation.
Do a search for SSLv3 iptables and/or SNORT and look at what it would take to convert the rules to a fortigate custom IPS sensor and test. I just did a SSLv3 identify and squash project like 3 months ago and we audit all inbound hosts and disable all services that support SSLv3, BUT we never did our outbound clients which is probably going to be the big threat. So the client browser is the weak spot.
So keep us update on what you do & the approach that you take.
ken
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.