FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Ylli_Seitaj
Staff
Article Id 286541
Description This article describes how to remove cipher suites that a Qualys SSL scan reports as weak from a VIP.
Scope FortiGate.
Solution

If a Qualys SSL test reports weak cipher suites for an SSL server, as in the result below, and the server must pass that scan, the VIP has to be restricted to cipher suites that the scan does not rate as weak.

[Image: Initial_test_result.jpg]


Below is an example configuration for a VIP (placeholders in angle brackets stand for the site's own values):

config firewall vip
    edit "Test"
        set uuid 5a1c82a6-8e34-71ee-e583-29390aeab4b1
        set type server-load-balance
        set server-type https
        set extip <IP_address>
        set extintf "<Interface_name>"
        set http-ip-header enable
        set extport 443
        config realservers
            edit 1
                set ip <IP_address>
                set port 443
            next
        end
        set ssl-mode full
        set ssl-certificate "<Certificate_name>"
        set ssl-min-version tls-1.2
    next
end

 

Execute the following commands on the VIP to allow only the cipher suites that are not shown as weak on the Qualys scan above. The configuration above is used as the example; 'set ssl-algorithm custom' replaces the built-in cipher list with the suites listed under 'config ssl-cipher-suites'.

config firewall vip
    edit "Test"
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-AES-128-GCM-SHA256
            next
            edit 2
                set cipher TLS-CHACHA20-POLY1305-SHA256
            next
            edit 3
                set cipher TLS-AES-256-GCM-SHA384
            next
            edit 4
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
            next
            edit 5
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
            next
        end
    next
end
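Before re-running the external scan, it is useful to confirm offline that every HTTPS VIP in the configuration carries exactly this allow-list and minimum TLS version, so that a VIP left on the default cipher list does not slip through. The following Python is an added example, not Fortinet code and not part of this article: it parses FortiOS CLI text of the kind 'show firewall vip' prints (handling only config/edit/set/next/end), then reports any HTTPS VIP whose ssl-algorithm is not custom, whose ssl-min-version is below tls-1.2, or whose ssl-cipher-suites contain a suite outside the article's five. The sample configuration is constructed: the "Test" VIP is the article's, and the "Legacy" VIP, its tls-1.1 setting and its CBC suite are hypothetical values added so the audit has something to flag. The ordering of ssl-min-version values in TLS_RANK is an assumption.

```python
import shlex

# The five suites the article keeps on the VIP.
ALLOWED_SUITES = {
    "TLS-AES-128-GCM-SHA256",
    "TLS-CHACHA20-POLY1305-SHA256",
    "TLS-AES-256-GCM-SHA384",
    "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
    "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
}
# Assumed ordering of FortiOS ssl-min-version values, lowest first.
TLS_RANK = {"ssl-3.0": 0, "tls-1.0": 1, "tls-1.1": 2, "tls-1.2": 3, "tls-1.3": 4}

# Constructed sample: the article's VIP plus a hypothetical "Legacy" VIP
# that still allows tls-1.1 and a suite outside the allow-list.
SAMPLE_CONFIG = """\
config firewall vip
    edit "Test"
        set server-type https
        set ssl-min-version tls-1.2
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-AES-128-GCM-SHA256
            next
            edit 2
                set cipher TLS-CHACHA20-POLY1305-SHA256
            next
            edit 3
                set cipher TLS-AES-256-GCM-SHA384
            next
            edit 4
                set cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
            next
            edit 5
                set cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
            next
        end
    next
    edit "Legacy"
        set server-type https
        set ssl-min-version tls-1.1
        set ssl-algorithm custom
        config ssl-cipher-suites
            edit 1
                set cipher TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
            next
        end
    next
end
"""


def _node():
    return {"attrs": {}, "entries": {}, "tables": {}}


def parse_fortios(text):
    """Parse FortiOS CLI text into nested nodes: 'config X' opens a table,
    'edit Y' opens an entry, 'set K V...' stores V as a token list, and
    'next'/'end' close the current entry/table. Other keywords are ignored."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # strips quotes around names like "Test"
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        cur = stack[-1]
        if kw == "config":
            stack.append(cur["tables"].setdefault(" ".join(args), _node()))
        elif kw == "edit":
            stack.append(cur["entries"].setdefault(args[0], _node()))
        elif kw == "set":
            cur["attrs"][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def audit_vips(config_text, allowed=ALLOWED_SUITES, min_version="tls-1.2"):
    """Return {vip_name: [finding, ...]} for HTTPS VIPs that deviate."""
    vips = parse_fortios(config_text)["tables"].get("firewall vip", _node())
    findings = {}
    for name, vip in vips["entries"].items():
        a = vip["attrs"]
        if a.get("server-type") != ["https"]:
            continue  # only TLS-terminating VIPs are in scope
        problems = []
        if a.get("ssl-algorithm") != ["custom"]:
            problems.append("ssl-algorithm is not custom")
        ver = a.get("ssl-min-version", [None])[0]
        if TLS_RANK.get(ver, -1) < TLS_RANK[min_version]:
            problems.append(f"ssl-min-version is {ver or 'unset'}, below {min_version}")
        suites = vip["tables"].get("ssl-cipher-suites", _node())["entries"]
        for entry in suites.values():
            suite = entry["attrs"].get("cipher", ["<missing>"])[0]
            if suite not in allowed:
                problems.append(f"cipher {suite} is not on the allow-list")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for vip, issues in audit_vips(SAMPLE_CONFIG).items():
        print(vip, "->", "; ".join(issues))
```

Run against the sample, the "Test" VIP produces no findings and "Legacy" is reported twice, once for the minimum version and once for the suite; feeding the script the real 'show firewall vip' output gives the same per-VIP list for the whole device.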

 

After running the above commands, the SSL scan shows only the cipher suites that are not categorized as weak, as below.

[Image: Test_result.jpg]

The SSL server is now compliant with the Qualys SSL scan standards.