chall_FTNT
Staff
Article Id 189698

Description


This article describes how to configure SSL Protocol Version on FortiManager and FortiAnalyzer. This can be important for achieving PCI compliance and for addressing vulnerability concerns that arise.

 

Scope

 

FortiAnalyzer.


Solution

 

As a rule, newer SSL protocol versions are more secure and should be preferred. The administrator can control the SSL protocol version used for encrypted communications on FortiManager (FMG) and FortiAnalyzer (FAZ) as follows:
 
Commands applicable to both FortiManager and FortiAnalyzer:


config system global
    set strong-crypto enable <----- Impacts all SSL layers.
    set ssl-static-key-ciphers disable <----- Impacts all SSL layers.
    set admin-https-ssl-versions tlsv1-2 <----- Only the GUI web service.
    set dh-params 2048 <----- Impacts all SSL layers.
    set enc-algorithm high <----- Impacts all SSL layers ('high' excludes weaker cipher suites, e.g., Triple DES in CBC mode).
    set ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- For administrative login.
    set webservice-proto {sslv2 | sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- If web services are enabled (for API use).
    set ssl-low-encryption disable <----- Ensures that SSL low-grade encryption is disabled.
end

 

Commands specific to FortiManager:

 

config system global
    set fgfm-ssl-protocol tlsv1.3 <----- Only impacts FGFM.
end


config fmupdate fds-setting
    set fds-ssl-protocol tlsv1.3 <----- Only impacts the FDS update connection.
end

 

Commands specific to FortiAnalyzer:

 

set oftp-ssl-protocol {sslv3 | tlsv1.0 | tlsv1.1 | tlsv1.2} <----- For use with OFTP tunnel with FortiGates.

 

Notes:

Earlier versions of FortiManager and FortiAnalyzer may have only some of these commands and configurable options.
For more details, see the FortiManager and FortiAnalyzer CLI Reference Guide corresponding to the version.
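To check a saved configuration against the settings listed above, the following added example (not part of the original article and not Fortinet code) parses `set` lines in the article's syntax and reports deviations. The function names and sample text are constructed for illustration, and it assumes that a protocol setting may list several versions separated by spaces and that a setting missing from the input should be flagged for manual review.

```python
import re

# Expected values taken from the article's hardening commands.
REQUIRED = {"strong-crypto": "enable", "ssl-static-key-ciphers": "disable",
            "enc-algorithm": "high", "ssl-low-encryption": "disable"}
# Settings whose value is one or more protocol versions.
PROTOCOL_KEYS = {"admin-https-ssl-versions", "ssl-protocol", "webservice-proto",
                 "fgfm-ssl-protocol", "fds-ssl-protocol", "oftp-ssl-protocol"}
WEAK = {"sslv2", "sslv3", "tlsv1.0", "tlsv1.1"}
MIN_DH_BITS = 2048

def parse_settings(text):
    """Return {key: [values]} for every 'set' line, ignoring '<-----' annotations."""
    settings = {}
    for line in text.splitlines():
        line = line.split("<-----")[0].strip()
        m = re.match(r"set\s+(\S+)\s+(.+)", line)
        if m:
            settings[m.group(1)] = m.group(2).split()
    return settings

def audit(text):
    """Return a sorted list of findings; an empty list means no deviation."""
    s, findings = parse_settings(text), []
    for key, want in REQUIRED.items():
        got = " ".join(s.get(key, ["<absent>"]))
        if got != want:
            findings.append(f"{key}: expected {want}, found {got}")
    dh = s.get("dh-params", ["<absent>"])[0]
    if not dh.isdigit() or int(dh) < MIN_DH_BITS:
        findings.append(f"dh-params: expected >= {MIN_DH_BITS}, found {dh}")
    for key in s.keys() & PROTOCOL_KEYS:
        # admin-https-ssl-versions writes 'tlsv1-2'; normalise to 'tlsv1.2'.
        weak = sorted({v.replace("-", ".") for v in s[key]} & WEAK)
        if weak:
            findings.append(f"{key}: weak protocol(s) enabled: {' '.join(weak)}")
    return sorted(findings)

# Constructed sample input, not taken from a real device.
SAMPLE = """config system global
    set strong-crypto enable
    set ssl-static-key-ciphers enable
    set dh-params 1024
    set enc-algorithm high
    set ssl-protocol tlsv1.2 tlsv1.1 sslv3
    set ssl-low-encryption disable
end"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

An empty result only means the listed settings match; it does not confirm what the device actually negotiates on the wire.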