Since the firewall's GUI is accessed in a browser over HTTPS, the browser and the FortiGate rely on a certificate to establish trust. For the browser to trust the connection, the certificate must be signed by a certificate authority (CA) that is trusted globally (for example GoDaddy). By default, however, FortiGate presents a self-signed certificate, which browsers and vulnerability scanners flag as untrusted (see the image below).

Solution:
To clear this finding, obtain a certificate for the firewall's public IP address (or, preferably, the DNS name used to reach the management interface) that is signed by an external, publicly trusted CA, and install it as the GUI's server certificate:
- Generate a CSR on the FortiGate for the WAN IP (or hostname)
For reference: https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/645186/generating-a-csr-on-a-fortigate
- Export the CSR
- Get it signed by the external CA (certificate authority)
- Import the signed certificate (together with the CA's intermediate certificates) back into the firewall and select it as the admin server certificate; importing alone does not make the GUI use it
Note: Make sure the certificate is signed with a strong signature hash (SHA-256 or stronger) and an adequately sized key (for example RSA 2048-bit or larger); otherwise the scanner will raise the next finding.

2) SSL Certificate Signed Using Weak Hashing Algorithm

Solution:
Sometimes the certificate signed by the external CA uses a weak hashing algorithm such as MD5 or SHA-1. In that case, ask the CA to re-issue the certificate signed with SHA-256 or stronger. Scanners evaluate every certificate in the chain below the root, so check the intermediate certificates as well as the leaf certificate.
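One way to verify both certificate findings from outside the firewall, as an added example (Python standard library only; this is not Fortinet's code): it connects to the HTTPS GUI, reports whether the presented chain is trusted by the local trust store, and reads the signatureAlgorithm OID straight out of the DER so an MD5/SHA-1 signature stands out. The target address and the DER certificates built in the test are assumptions.

```python
"""Check an HTTPS endpoint for the two certificate findings above:
an untrusted (self-signed) chain and a weak signature hash.
Added example using only the Python standard library; not Fortinet code.
The host/port and the constructed DER used for testing are assumptions."""
import socket
import ssl

# Signature algorithm OIDs that scanners report as weak (MD2/MD5/SHA-1 based).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
STRONG_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.113549.1.1.10": "RSASSA-PSS",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used to build a constructed sample certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(data: bytes, pos: int):
    """Decode one DER TLV at pos; returns (tag, content, position after it)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def decode_oid(raw: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the OID of Certificate.signatureAlgorithm (RFC 5280, 4.1.1.2)."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, after_tbs = read_tlv(cert, 0)        # tbsCertificate, skipped
    tag, sig_alg, _ = read_tlv(cert, after_tbs)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("unexpected signatureAlgorithm encoding")
    tag, oid, _ = read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)

def classify_signature(oid: str) -> str:
    """'weak', 'strong' or 'unknown' for a signatureAlgorithm OID."""
    if oid in WEAK_SIG_OIDS:
        return "weak"
    return "strong" if oid in STRONG_SIG_OIDS else "unknown"

def fetch_chain_status(host: str, port: int = 443, timeout: float = 5.0):
    """Return (trusted_by_local_store, leaf_cert_der) for the server."""
    ctx = ssl.create_default_context()     # verifies against the OS trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError:
        pass                               # self-signed/untrusted: fetch anyway
    pem = ssl.get_server_certificate((host, port))
    return False, ssl.PEM_cert_to_DER_cert(pem)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # assumed WAN IP
    trusted, der = fetch_chain_status(host)
    oid = signature_algorithm_oid(der)
    print(f"chain trusted by local store: {trusted}")
    print(f"signatureAlgorithm: {oid} ({classify_signature(oid)})")
```

`trusted` is False for the default self-signed certificate (finding 1); `classify_signature` returning "weak" on the leaf or an intermediate corresponds to finding 2. `openssl x509 -in cert.pem -noout -text` gives the same signature algorithm if you prefer a one-liner.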
3) SSH Weak MAC Algorithms Enabled
SSL Medium Strength Cipher Suites Supported (SWEET32)
SSH Server CBC Mode Ciphers Enabled
SSL Version 2 and 3 Protocol Detection

Solution:
These findings appear when the FortiGate offers weak algorithms for authentication or encryption on its management services (SSH and HTTPS).
If 'strong-crypto' is disabled (the default on some FortiOS releases), enable it: this forces the FortiGate to use strong encryption and to allow only strong ciphers and digests for its HTTPS, SSH and TLS/SSL functions. 'strong-crypto' can only be enabled via the command line. Connect to the FortiGate CLI over SSH (for example with PuTTY) and enter the commands:
# config system global
# set strong-crypto enable
# end
Re-run the scan afterwards. Clients that only support the removed ciphers or protocols will no longer be able to connect, so test administrative access and any SSL-based features (such as SSL VPN or LDAPS) after the change. If SSL Version 2 and 3 Protocol Detection persists, also restrict the GUI's allowed protocol versions (the admin-https-ssl-versions setting under config system global).
Copyright 2024 Fortinet, Inc. All Rights Reserved.