Created on 03-11-2015 01:48 AM Edited on 05-26-2022 09:39 AM By Anonymous
Description
Starting with FortiOS release 5.2.2, a new global system parameter, admin-https-ssl-versions, is available.
With its default setting, this parameter restricts HTTPS GUI access to TLS 1.1 and TLS 1.2 only.
Therefore, if the browser only supports TLS 1.0 or SSLv3, a CLI configuration change is required before HTTPS GUI access will work.
FGT-1 # config system global
FGT-1 (global) # get
admin-concurrent : enable
admin-console-timeout: 0
admin-https-pki-required: disable
admin-https-redirect: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2 <--- new default setting
admin-lockout-duration: 60
admin-lockout-threshold: 3
The available HTTPS SSL versions are TLS 1.0, TLS 1.1, TLS 1.2, and SSLv3.
To allow TLS 1.0 for FortiGate management access, the required configuration change is:
FGT-1 # config system global
FGT-1 (global) # append admin-https-ssl-versions tlsv1-0
FGT-1 (global) # end
Sniffer trace in case of an incorrect setting:
Packet 4: The browser sends its handshake (ClientHello) as TLS 1.0.
Packet 6: The FortiGate refuses the connection and closes it with a reset (RST) packet.
Solution
Adjust the FortiGate setting to match the SSL/TLS version used by the browser with the command "set admin-https-ssl-versions" (replaces the list) or "append admin-https-ssl-versions" (adds a version to the existing list).
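As an added example (not part of the original article), the following Python script parses the `get` output shown above, checks whether a browser's TLS version is on the FortiGate's admin-https-ssl-versions list, produces the article's `append` command when it is not, and flags legacy versions a hardening review would want removed. The sample CLI output is constructed from the listing above; the function names are this example's own.

```python
import re

# Browser/sniffer version names mapped to the CLI tokens the article uses.
VERSION_TOKENS = {"SSL 3.0": "sslv3", "TLS 1.0": "tlsv1-0",
                  "TLS 1.1": "tlsv1-1", "TLS 1.2": "tlsv1-2"}
# Versions a defender should not leave enabled on the management interface.
LEGACY_TOKENS = {"sslv3", "tlsv1-0"}

# Constructed sample, copied from the article's `get` listing (including the
# run-together first line and the inline annotation).
SAMPLE_GET_OUTPUT = """\
FGT-1 (global) # get
admin-concurrent : enable admin-console-timeout: 0 admin-https-pki-required: disable
admin-https-redirect: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2 <--- new default setting
admin-lockout-duration: 60
admin-lockout-threshold: 3
"""

# Matches `name : value` pairs; several pairs may share one line.
PAIR_RE = re.compile(r"([a-z0-9-]+)\s*:\s*(.*?)(?=\s+[a-z0-9-]+\s*:|$)")

def parse_get_output(text):
    """Return {setting: value} from `config system global` / `get` output."""
    settings = {}
    for line in text.splitlines():
        line = line.split("<---", 1)[0]   # drop inline annotations
        if "#" in line:                   # skip prompt lines
            continue
        for name, value in PAIR_RE.findall(line):
            settings[name] = value.strip()
    return settings

def enabled_versions(settings):
    return set(settings.get("admin-https-ssl-versions", "").split())

def browser_can_connect(settings, browser_version):
    """True if the browser's TLS version is on the FortiGate's enabled list."""
    return VERSION_TOKENS[browser_version] in enabled_versions(settings)

def fix_command(settings, browser_version):
    """The article's `append` command for the missing version, or None."""
    token = VERSION_TOKENS[browser_version]
    if token in enabled_versions(settings):
        return None
    return f"append admin-https-ssl-versions {token}"

def legacy_enabled(settings):
    """Legacy versions still enabled; review these before appending more."""
    return sorted(enabled_versions(settings) & LEGACY_TOKENS)
```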