akawade, Staff
Article Id 197230
Description
This article provides the details of TLS 1.3 support for SSL VPN.

Solution
Enabling TLS 1.3 for SSL VPN requires IPS engine 4.205 or later on the FortiGate, and FortiClient 6.2.0 or later on the client.

To establish a client SSL VPN connection to the FortiGate using TLS 1.3:

- To enable TLS 1.3 in the CLI:
# config vpn ssl setting
    set tlsv1-3 enable
end
- For Linux clients, ensure OpenSSL 1.1.1a is installed.

Run the below commands in the Linux client terminal:
root@PC1:~/tools# openssl
OpenSSL> version
If OpenSSL 1.1.1a is installed, the system displays a response like the following:
OpenSSL 1.1.1a 20 Nov 2018
- For Linux clients, use OpenSSL with the TLS 1.3 option to connect to SSL VPN.

Run the following command in the Linux client terminal:
# openssl s_client -connect 10.1.100.10:10443 -tls1_3
- Verify from the FortiGate CLI that the SSL VPN connection was established with TLS 1.3:
# diagnose debug application sslvpn -1
# diagnose debug enable
The debug output includes a line like the following, showing the negotiated protocol and cipher suite:
[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
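Added example (not from the article or from Fortinet): a small Python script that parses the `SSL established` lines from the sslvpn debug output above and flags any session that did not negotiate TLS 1.3, plus a probe function that does the same thing as the `openssl s_client -tls1_3` step using Python's ssl module pinned to TLS 1.3. The debug lines below are constructed samples, and the host and port passed to the probe are placeholders.

```python
import re
import socket
import ssl

# Shape of the "SSL established" line printed by
# "diagnose debug application sslvpn -1", e.g.:
# [207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
ESTABLISHED_RE = re.compile(
    r"^\[(?P<pid>\d+):(?P<vdom>[^:\]]+):(?P<sid>[^\]]+)\]"
    r"SSL established: (?P<proto>TLSv1\.[0-3]) (?P<cipher>\S+)$"
)


def parse_sslvpn_debug(lines):
    """Return one dict per 'SSL established' line; tls13 is True when
    the session negotiated TLS 1.3. Other debug lines are skipped."""
    sessions = []
    for line in lines:
        m = ESTABLISHED_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["tls13"] = d["proto"] == "TLSv1.3"
        sessions.append(d)
    return sessions


def probe_tls13(host, port, ctx=None, timeout=5.0):
    """Equivalent of 'openssl s_client -connect host:port -tls1_3'.
    Returns (protocol, cipher_name). Certificate validation stays on
    by default, so a portal using the factory self-signed certificate
    will raise SSLCertVerificationError unless you pass a lab context."""
    ctx = ctx or ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse anything older
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample of debug output, not a real capture.
SAMPLE_DEBUG = """\
[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[207:root:2a]some unrelated sslvpn debug line
[208:root:3b]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
""".splitlines()

if __name__ == "__main__":
    for s in parse_sslvpn_debug(SAMPLE_DEBUG):
        status = "TLS 1.3" if s["tls13"] else "NOT TLS 1.3"
        print(f"session {s['sid']}: {s['proto']} {s['cipher']} -> {status}")
    # Placeholder target; replace with the portal address from the article.
    # print(probe_tls13("10.1.100.10", 10443))
```

Sessions reported as "NOT TLS 1.3" after the setting is enabled usually point to a client that lacks TLS 1.3 support (older FortiClient or OpenSSL) rather than a FortiGate problem.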
Deep inspection (flow-based)
FortiOS supports TLS 1.3 for policies that have the following security profiles applied:

- Web filter profile with flow-based inspection mode enabled.
- Deep inspection SSL/SSH inspection profile.

For example, when a client attempts to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine.
The IPS engine then decodes TLS 1.3 and the client is able to access the website.