FortiGate
rarora (Staff)
Article Id 192739
Description
This article describes how to avoid commonly encountered external audit failures.

Below are a few common findings encountered in external audits:
1) SSL Certificate Cannot Be Trusted
2) SSL Certificate Signed Using Weak Hashing Algorithm
3) SSH Weak MAC Algorithms Enabled
    SSL Medium Strength Cipher Suites Supported (SWEET32)
    SSH Server CBC Mode Ciphers Enabled
    SSL Version 2 and 3 Protocol Detection


Solution
1) SSL Certificate Cannot Be Trusted

This is the most common cause of external audit failures. It can occur for either the firewall WebUI login or the SSL VPN web mode login.
The two images below show the error:
[screenshots not reproduced in this text version]

Because the firewall is accessed from a browser over HTTPS, the browser (client) and the firewall (server) use a certificate to establish trust.
For the browser to trust the certificate, it must be signed by a globally trusted certificate authority (for example, GoDaddy). However, FortiGate presents a self-signed certificate, as shown in the image below:

Solution:
To avoid this error, have a certificate for the firewall's public IP address signed by an external certificate authority:
- Generate a CSR on the FortiGate for the WAN IP
For reference: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/645186/generating-a-csr-on-a-fortigate
- Export the CSR
- Get it signed by an external CA (certificate authority)
- Import the signed certificate back into the firewall

Note: Make sure the certificate is signed using strong authentication and encryption algorithms.

2) SSL Certificate Signed Using Weak Hashing Algorithm

Solution:
Sometimes a certificate signed by an external CA uses a less secure or weak hashing algorithm.
In that case, reach out to the CA and have the certificate re-issued with a stronger algorithm.
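The two certificate findings above are what a scanner derives from the certificate itself: whether the issuer name equals the subject name (the usual self-signed heuristic, which no browser accepts without a manually installed trust anchor) and which signature algorithm the CA used. The following Python script is an added example written for this article, not Fortinet code or a FortiGate feature. It reads a DER-encoded certificate with a minimal DER parser and reports both properties; `make_sample_cert` builds a constructed, structurally valid certificate skeleton (dummy key and signature bytes) so the example runs offline. To check a real certificate exported from the firewall in DER form, pass its bytes to `inspect_certificate` instead. The issuer-equals-subject test is a name comparison only, not a signature verification.

```python
"""Minimal DER / X.509 reader: signature hash algorithm and self-signed check
(added example; standard library only, no third-party parser)."""

# Signature algorithm OIDs, split into what audit scanners flag as weak and what
# they accept (assumption: the split mirrors common scanner policy).
WEAK_SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIG_ALGS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def children(value):
    """Split the body of a SEQUENCE/SET into (tag, value, raw_bytes) tuples."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, nxt = read_tlv(value, pos)
        out.append((tag, body, value[pos:nxt]))
        pos = nxt
    return out


def decode_oid(body):
    """Decode the body of an OBJECT IDENTIFIER into dotted form."""
    parts, acc = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def inspect_certificate(der):
    """Report the signature algorithm, whether it is weak, and whether issuer == subject."""
    _, cert_body, _ = read_tlv(der)
    tbs, sig_alg, _signature = children(cert_body)
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # tbsCertificate order: serialNumber, signature, issuer, validity, subject, ...
    issuer_raw, subject_raw = fields[2][2], fields[4][2]
    oid = decode_oid(children(sig_alg[1])[0][1])
    return {
        "signature_algorithm": WEAK_SIG_ALGS.get(oid) or STRONG_SIG_ALGS.get(oid, oid),
        "weak_hash": oid in WEAK_SIG_ALGS,
        "self_signed": issuer_raw == subject_raw,
    }


# --- constructed sample certificate (not a real, verifiable certificate) ---------------

def tlv(tag, body):
    """DER-encode one element (lengths up to 65535)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x100:
        return bytes([tag, 0x81, n]) + body
    return bytes([tag, 0x82, n >> 8, n & 0xFF]) + body


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk, p = [p & 0x7F], p >> 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def x501_name(cn):
    """X.501 Name holding a single commonName (OID 2.5.4.3) attribute."""
    return tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, cn.encode()))))


def make_sample_cert(issuer_cn, subject_cn, sig_oid):
    """Structurally valid X.509 v3 skeleton with dummy SubjectPublicKeyInfo and signature."""
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")     # AlgorithmIdentifier + NULL params
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02")) +               # version v3
              tlv(0x02, b"\x01") +                          # serialNumber
              alg +
              x501_name(issuer_cn) +
              tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z")) +
              x501_name(subject_cn) +
              tlv(0x30, b"\x00" * 8))                       # placeholder SubjectPublicKeyInfo
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 17))    # placeholder signature BIT STRING


if __name__ == "__main__":
    print(inspect_certificate(make_sample_cert("FortiGate", "FortiGate", "1.2.840.113549.1.1.5")))
    print(inspect_certificate(make_sample_cert("Example CA", "fw.example.com", "1.2.840.113549.1.1.11")))
```

The first sample reproduces finding 1 and finding 2 together (a self-signed, SHA-1 signed certificate); the second is what a correctly re-issued certificate looks like to the same check.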

3) SSH Weak MAC Algorithms Enabled
    SSL Medium Strength Cipher Suites Supported (SWEET32)
    SSH Server CBC Mode Ciphers Enabled
    SSL Version 2 and 3 Protocol Detection

Solution:
FortiGate may use weak algorithms for authentication or encryption.
By default, 'strong-crypto' is disabled. It is recommended to enable it: this forces the FortiGate to use strong encryption and to allow only strong ciphers. 'strong-crypto' can only be enabled from the command line.
Connect to the FortiGate with an SSH client (for example, PuTTY) and enter the following commands:
# config system global
# set strong-crypto enable
# end
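On the TLS side, what 'strong-crypto' enforces corresponds to two settings any TLS server has: a minimum protocol version (which clears the "SSL Version 2 and 3 Protocol Detection" finding) and a cipher list without 64-bit block ciphers such as 3DES (the SWEET32 finding). The following snippet is an added example using Python's standard `ssl` module, not FortiGate code; it places a permissive context beside a hardened one so the offered cipher lists can be compared, and the list of weak-cipher markers is an assumption modelled on common scanner checks.

```python
import ssl

# Substrings that identify cipher suites audit scanners commonly flag
# (assumption: modelled on typical scanner policy, not a Fortinet list).
WEAK_MARKERS = ("3DES", "DES-CBC3", "RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def legacy_server_context():
    """Permissive 'before' configuration: every suite the library can negotiate,
    at whatever minimum protocol version the local OpenSSL build allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")
    return ctx


def hardened_server_context():
    """'After' configuration: TLS 1.2+ only and AEAD suites only
    (AES-GCM / ChaCha20-Poly1305), so no CBC, 3DES, RC4 or export suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSLv2/3 and TLS 1.0/1.1 refused
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # forward secrecy + AEAD only
    return ctx


def cipher_report(ctx):
    """Summarise what a context offers: suite names, those matching a weak marker,
    whether every suite is an AEAD suite, and the configured minimum version."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "offered": names,
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "aead_only": all("GCM" in n or "CHACHA20" in n for n in names),
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        rep = cipher_report(ctx)
        print(f"{label}: min={rep['minimum_version']} suites={len(rep['offered'])} "
              f"weak={rep['weak']} aead_only={rep['aead_only']}")
```

The exact suites listed for the legacy context depend on the OpenSSL build and its default security level, which is why the hardened profile pins both the version floor and the suite list explicitly rather than relying on library defaults.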

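For the two SSH findings, a scanner reads the algorithm lists the server advertises in its SSH_MSG_KEXINIT message (RFC 4253, section 7.1) and flags any `*-cbc` cipher and any MAC from a short list of weak ones. The following Python script is an added example for this article, not Fortinet code: it parses a KEXINIT payload and applies those two checks. `build_kexinit` constructs sample payloads so the script runs offline; the weak-MAC list is an assumption modelled on common scanner policy.

```python
"""Parse SSH_MSG_KEXINIT and flag CBC ciphers and weak MACs
(added example; standard library only)."""
import struct

SSH_MSG_KEXINIT = 20
KEXINIT_FIELDS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]
# MACs commonly reported by audit scanners as weak (assumption: mirrors typical
# scanner policy, not an official Fortinet list).
WEAK_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96", "umac-64@openssh.com",
    "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com",
    "hmac-sha1-96-etm@openssh.com", "umac-64-etm@openssh.com",
}


def read_name_list(data, pos):
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", data, pos)
    raw = data[pos + 4:pos + 4 + n]
    names = raw.decode("ascii").split(",") if raw else []
    return names, pos + 4 + n


def parse_kexinit(payload):
    """Return the ten name-lists plus the first_kex_packet_follows flag."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16                                   # message type + 16-byte random cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], pos = read_name_list(payload, pos)
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields


def audit_kexinit(payload):
    """Apply the two audit checks to the advertised cipher and MAC lists (both directions)."""
    f = parse_kexinit(payload)
    ciphers = set(f["encryption_algorithms_client_to_server"]) | set(f["encryption_algorithms_server_to_client"])
    macs = set(f["mac_algorithms_client_to_server"]) | set(f["mac_algorithms_server_to_client"])
    return {
        "cbc_ciphers": sorted(c for c in ciphers if c.endswith("-cbc")),
        "weak_macs": sorted(m for m in macs if m in WEAK_MACS),
    }


def build_kexinit(**lists):
    """Constructed KEXINIT payload for testing (zero cookie, no guessed kex packet)."""
    def name_list(names):
        raw = ",".join(names).encode("ascii")
        return struct.pack(">I", len(raw)) + raw
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for name in KEXINIT_FIELDS:
        payload += name_list(lists.get(name, []))
    return payload + b"\x00" + struct.pack(">I", 0)   # first_kex_packet_follows, reserved


# Constructed samples: a server that would fail both findings, and one that passes.
WEAK_SERVER = build_kexinit(
    kex_algorithms=["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    server_host_key_algorithms=["ssh-rsa"],
    encryption_algorithms_client_to_server=["aes128-ctr", "aes128-cbc", "3des-cbc"],
    encryption_algorithms_server_to_client=["aes128-ctr", "aes256-cbc", "3des-cbc"],
    mac_algorithms_client_to_server=["hmac-sha1", "hmac-md5", "hmac-sha1-96"],
    mac_algorithms_server_to_client=["hmac-sha1", "hmac-md5"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)
HARDENED_SERVER = build_kexinit(
    kex_algorithms=["curve25519-sha256", "diffie-hellman-group14-sha256"],
    server_host_key_algorithms=["rsa-sha2-512", "ssh-ed25519"],
    encryption_algorithms_client_to_server=["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com", "aes256-ctr"],
    encryption_algorithms_server_to_client=["aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com", "aes256-ctr"],
    mac_algorithms_client_to_server=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512"],
    mac_algorithms_server_to_client=["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512"],
    compression_algorithms_client_to_server=["none"],
    compression_algorithms_server_to_client=["none"],
)

if __name__ == "__main__":
    print("weak server:    ", audit_kexinit(WEAK_SERVER))
    print("hardened server:", audit_kexinit(HARDENED_SERVER))
```

Both directions are merged because scanners report a cipher or MAC as enabled if it appears in either list; after enabling 'strong-crypto', the expected result for the firewall is the empty report shown for the hardened sample.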