FortiGate
Sabk_FTNT
Staff
Article Id 197145

Description

Starting with FortiOS release 5.2.2, a new global system parameter, admin-https-ssl-versions, is added.

With its default setting, this parameter restricts HTTPS administrative access to TLS 1.1 and TLS 1.2 only.

Therefore, if the browser uses TLS 1.0 or SSLv3, a CLI configuration change is required for HTTPS GUI access.


New default setting with FortiOS release 5.2.2:

FGT-1 # config system global
FGT-1 (global) # get
admin-concurrent   : enable
admin-console-timeout: 0
admin-https-pki-required: disable
admin-https-redirect: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2    <--- new default setting
admin-lockout-duration: 60
admin-lockout-threshold: 3

Available options:

The admin-https-ssl-versions parameter accepts the keywords sslv3, tlsv1-0, tlsv1-1 and tlsv1-2 (SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2), in any combination.

Configuration changes:

To allow TLS 1.0 for FortiGate management access, the required configuration change is:

FGT-1 # config system global
FGT-1 (global) # append admin-https-ssl-versions tlsv1-0
FGT-1 (global) # end

Note that append adds tlsv1-0 to the existing list, so TLS 1.1 and TLS 1.2 remain enabled; set would replace the whole list with the versions given.


Example :

Sniffer trace in case of incorrect setting:

[Image: sniff-trace.jpg, sniffer trace of the refused handshake]

Packet 4: the browser sends its handshake (ClientHello) as TLS 1.0.

Packet 6: the FortiGate refuses the connection and closes it with a reset (RST) packet.



Solution
Adjust the FortiGate setting to match the SSL/TLS version used by the browser with the command "set admin-https-ssl-versions <versions>" (which replaces the list) or "append admin-https-ssl-versions <version>" (which adds to the existing list).
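The following script is an added example, not Fortinet code or part of this article, that ties the pieces above together: it parses the admin-https-ssl-versions line from a 'config system global' get listing, reads the version a browser offers from a captured ClientHello (packet 4 above), decides whether the FortiGate would complete the handshake or reset it (packet 6), and prints the append command from the article when a change is needed. It assumes the get output layout shown in the article, the FortiOS keywords sslv3, tlsv1-0, tlsv1-1 and tlsv1-2, and standard TLS negotiation (the server picks the highest version both sides support). The sample listing and the ClientHello bytes are constructed for the example, and the ClientHello is truncated to the fields the parser reads.

```python
"""Audit a FortiGate admin-https-ssl-versions setting against the TLS version a browser
offers. Added example, not Fortinet code; assumes the 'get' output layout from the article,
the FortiOS keywords sslv3/tlsv1-0/tlsv1-1/tlsv1-2 and standard TLS version negotiation."""
import re
import struct
from typing import List, Optional

# FortiOS keyword -> (major, minor) version bytes used on the wire
KEYWORD_TO_BYTES = {
    "sslv3": (3, 0),
    "tlsv1-0": (3, 1),
    "tlsv1-1": (3, 2),
    "tlsv1-2": (3, 3),
}
BYTES_TO_KEYWORD = {v: k for k, v in KEYWORD_TO_BYTES.items()}
ORDER = ["sslv3", "tlsv1-0", "tlsv1-1", "tlsv1-2"]   # oldest to newest
DEPRECATED = {"sslv3", "tlsv1-0"}                     # weak; enable only while a client truly needs them

# Constructed sample: the default 'config system global' listing from the article.
SAMPLE_GET = """\
admin-concurrent   : enable
admin-console-timeout: 0
admin-https-pki-required: disable
admin-https-redirect: disable
admin-https-ssl-versions: tlsv1-1 tlsv1-2
admin-lockout-duration: 60
admin-lockout-threshold: 3
"""


def build_client_hello(keyword: str) -> bytes:
    """Constructed, truncated ClientHello: only the fields client_hello_version() reads.
    Record header (type 0x16 handshake, record version, length), then handshake type 0x01,
    a 3-byte length and the client_version the browser is offering."""
    major, minor = KEYWORD_TO_BYTES[keyword]
    body = b"\x01" + b"\x00\x00\x02" + bytes([major, minor])
    return b"\x16\x03\x01" + struct.pack(">H", len(body)) + body


# Packet 4 in the article: a browser offering TLS 1.0
CLIENT_HELLO_TLS10 = build_client_hello("tlsv1-0")


def parse_ssl_versions(cli_output: str) -> List[str]:
    """Return the enabled keywords from the admin-https-ssl-versions line of 'get' output."""
    m = re.search(r"^\s*admin-https-ssl-versions\s*:\s*([^<\n]*)", cli_output, re.M)
    if not m:
        raise ValueError("admin-https-ssl-versions not present in output")
    return m.group(1).split()


def client_hello_version(record: bytes) -> str:
    """Map the client_version inside a ClientHello to its FortiOS keyword.
    The handshake-layer version (bytes 9-10) is what the client offers; the record-layer
    version (bytes 1-2) is often set lower for compatibility and must not be used."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    return BYTES_TO_KEYWORD.get((record[9], record[10]), "unknown")


def negotiate(enabled: List[str], client_max: str) -> Optional[str]:
    """Highest enabled version not newer than the client's offer, or None (the reset case)."""
    if client_max not in ORDER:
        return None
    limit = ORDER.index(client_max)
    candidates = [v for v in enabled if v in ORDER and ORDER.index(v) <= limit]
    return max(candidates, key=ORDER.index) if candidates else None


def remediation(enabled: List[str], client_max: str) -> Optional[str]:
    """The CLI change from the article when the handshake would be refused, else None."""
    if negotiate(enabled, client_max) is not None:
        return None
    return ("config system global\n"
            f"    append admin-https-ssl-versions {client_max}\n"
            "end")


def weak_versions(enabled: List[str]) -> List[str]:
    """Deprecated protocol versions currently enabled, for audit reporting."""
    return [v for v in ORDER if v in enabled and v in DEPRECATED]


if __name__ == "__main__":
    enabled = parse_ssl_versions(SAMPLE_GET)
    offered = client_hello_version(CLIENT_HELLO_TLS10)
    print("enabled on FortiGate:", enabled)
    print("browser offers:", offered)
    print("negotiated:", negotiate(enabled, offered))  # None: connection reset, as in packet 6
    fix = remediation(enabled, offered)
    if fix:
        print("required change:\n" + fix)
    print("weak versions enabled after the change:", weak_versions(enabled + [offered]))
```

Running it with the constructed inputs reproduces the article's scenario: the default list (tlsv1-1 tlsv1-2) has no version in common with a TLS 1.0 ClientHello, so negotiate() returns None and the append command is printed; weak_versions() then shows tlsv1-0 as an enabled deprecated protocol so the exception can be tracked and removed once the browser is updated.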
