FortiManager
chall_FTNT
Staff
Article Id 191627

Description

This article explains how to configure the SSL protocol version and encryption level on FortiManager.

This can be important for achieving PCI compliance and for addressing vulnerability concerns as they arise.

Scope

FortiManager.

Solution

As a rule, newer SSL/TLS protocol versions are more secure and should be preferred.
The SSL protocol version used for encrypted communications on FortiManager can be controlled as follows.
The commands and command options shown below are available for FortiManager v6.0.7:

config sys global
    set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}  <----- For administrative login.
    set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}  <----- If web services are enabled (for API use).
    set fgfm-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}  <----- For the FGFM tunnel with FortiGate.
    set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}  <----- When FortiManager is receiving logs (FortiAnalyzer feature).
    set ssl-low-encryption disable  <----- Ensures that SSL low-grade encryption is disabled for the GUI.

    set enc-algorithm {high | medium | low}

  • Applies to services such as FGFM, web services, and FortiGuard.
  • 'high' is recommended, as it restricts the cipher suites to address CVE-2016-2183 (Sweet32) by removing Triple DES in CBC mode.

# SSL settings for FortiGuard Services.

The settings below only apply if FortiManager is being used to provide FortiGuard Services to other Fortinet products such as FortiGates.

This controls the protocol version used for encrypting FortiGuard communications.

config fmupdate fds-setting
    set fds-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}  <----- Downstream with FortiGates and upstream with FortiGuard servers.
    set fds-clt-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2}  <----- Downstream with FortiClients.

Earlier versions of FortiManager may support only some of these commands and options. For more details, see the FortiManager CLI Reference Guide for the version of FortiManager in use.
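As an added example (not Fortinet's code and not part of this article), the following Python script audits a FortiManager CLI export against the settings covered above, in both the 'sys global' and 'fmupdate fds-setting' blocks. It assumes the export uses the config/set/end layout shown here, treats every protocol keyword listed on a set line as enabled, and flags anything older than tlsv1.2, ssl-low-encryption not disabled, and enc-algorithm not high; the sample export is constructed.

```python
# Added example (not Fortinet code): audit a FortiManager CLI export against the settings above.
PROTO_RANK = {"sslv2": 0, "sslv3": 1, "tlsv1.0": 2, "tlsv1.1": 3, "tlsv1.2": 4}
MIN_PROTO = "tlsv1.2"  # newest version the article lists; everything older is flagged
PROTO_KEYS = {  # protocol-version options, per config block
    "system global": ["ssl-protocol", "webservice-proto", "fgfm-ssl-protocol", "oftp-ssl-protocol"],
    "fmupdate fds-setting": ["fds-ssl-protocol", "fds-clt-ssl-protocol"],
}
EXACT = {("system global", "ssl-low-encryption"): "disable", ("system global", "enc-algorithm"): "high"}

# Constructed sample export: a unit where only part of the hardening has been applied.
SAMPLE = """\
config sys global
    set ssl-protocol tlsv1.2 tlsv1.1
    set ssl-low-encryption disable
    set enc-algorithm medium
end
config fmupdate fds-setting
    set fds-clt-ssl-protocol tlsv1.0
end
"""

def parse_config(text):  # {(block, key): [values]} for each 'set' line in its enclosing config block
    settings, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            block = " ".join(line.split()[1:]).replace("sys ", "system ")  # article abbreviates "system"
        elif line == "end":
            block = None
        elif line.startswith("set ") and block:
            parts = line.split()
            settings[(block, parts[1])] = parts[2:]
    return settings

def audit(text):  # returns findings; an empty list means every checked setting matches the article
    settings, findings = parse_config(text), []
    for block, keys in PROTO_KEYS.items():
        for key in keys:
            values = settings.get((block, key))
            if values is None:  # 'show' output omits defaults, so absence is not proof of safety
                findings.append(f"{block}: {key} not in export, confirm the default with 'get'")
                continue
            weak = [v for v in values if PROTO_RANK.get(v, -1) < PROTO_RANK[MIN_PROTO]]
            if weak:
                findings.append(f"{block}: {key} allows {' '.join(weak)}, restrict to {MIN_PROTO}")
    for (block, key), want in EXACT.items():
        values = settings.get((block, key))
        if values != [want]:
            findings.append(f"{block}: {key} is {' '.join(values) if values else 'unset'}, set to {want}")
    return findings
```

Run audit() over the output of 'show' from each block; a clean result is an empty list, and any option reported as "not in export" should be confirmed with 'get' rather than assumed safe.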