By Manny Fernandez
April 14, 2019
Disabling Weak Ciphers on Fortigate Firewalls
A customer of mine sent me an email after having a vulnerability assessment done against his environment. The report flagged weak ciphers on his FortiGate SSL VPN, and the VPN portal only scored a 'B' on Qualys' SSL Labs server test. Even though the global 'strong-crypto' setting was enabled (the default in FortiOS 5.4 and later), the SSL VPN was still accepting weaker cipher suites.
FIRST STEPS
Ensure that the global strong-crypto setting is enabled:

    config system global
        set strong-crypto enable
    end
This is the 'default-ish' configuration on the SSL VPN:

    config vpn ssl settings
        set reqclientcert disable
        set tlsv1-0 disable
        set tlsv1-1 enable
        set tlsv1-2 enable
        unset banned-cipher
        set ssl-insert-empty-fragment enable
        set algorithm high
        set idle-timeout 300
    end
I removed some of the output for brevity.
CHANGES I MADE
Here are the changes I made to my configuration:

    config vpn ssl settings
        set reqclientcert disable
        set tlsv1-0 disable    #Should be disabled
        set tlsv1-1 disable    #Disable this one
        set tlsv1-2 enable
        set banned-cipher RSA  #This is what I disabled to get past the SSL test
    end
The 'set banned-cipher' command removes every cipher suite that uses the named technology from the SSL VPN's offer. In my case I banned RSA, so the static RSA key-exchange suites (the TLS_RSA_WITH_* entries in the KB list below) are no longer offered. Those suites provide no forward secrecy, and SSL Labs caps a server that still offers them at a 'B', so this gave me a pass on the cipher side. I still have a certificate-chain issue to fix, and clearing that should get me the 'A' rating I am looking for. Before banning a cipher family on a production FortiGate, confirm that your VPN clients (FortiClient and any third-party clients) can still negotiate one of the remaining suites, and re-run the scan afterwards to verify that TLS 1.0/1.1 and the RSA suites are actually gone.
NOTE: This configuration applies ONLY to the SSL VPN portal. The admin GUI is configured separately (the TLS versions it accepts are set with 'admin-https-ssl-versions' under config system global); use 'trusted hosts' on each administrator account to restrict who can reach the management interface of the FortiGate at all.
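Since the fix is a handful of CLI settings, here is a small offline audit in Python, added to this post as an example (it is not the author's or Fortinet's code). It parses FortiOS CLI blocks like the ones above and reports what still needs fixing, then shows which suites from the KB list below survive a given banned-cipher setting. The mapping from 'banned-cipher RSA' to the TLS_RSA_WITH_* suites is my assumption, not something Fortinet's documentation states, and the two sample configs are constructed from the before and after blocks in this post.

```python
"""Offline audit of FortiOS SSL VPN TLS settings (added example, not Fortinet code).

Parses FortiOS CLI text like the 'config ... / set ... / end' blocks in this
post and flags what lets Qualys SSL Labs mark the SSL VPN down: strong-crypto
off, TLS 1.0/1.1 not disabled, TLS 1.2 not enabled, static-RSA suites still
offered. Assumption (not from Fortinet's docs): 'banned-cipher RSA' removes
the suites whose key exchange is RSA, i.e. the TLS_RSA_WITH_* names in the
KB list, and leaves the DHE_RSA ones.
"""

# TLS 1.2 suites the KB article lists for strong-crypto enable (from the post).
KB_TLS12_SUITES = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]

# Constructed samples: the post's 'default-ish' config and the changed config.
BEFORE_CONFIG = """config system global
    set strong-crypto enable
end
config vpn ssl settings
    set tlsv1-0 disable
    set tlsv1-1 enable
    set tlsv1-2 enable
    unset banned-cipher
end
"""
AFTER_CONFIG = """config system global
    set strong-crypto enable
end
config vpn ssl settings
    set tlsv1-0 disable    #Should be disabled
    set tlsv1-1 disable    #Disable this one
    set tlsv1-2 enable
    set banned-cipher RSA  #static RSA key exchange suites
end
"""


def parse_fortios_config(text):
    """Return {block name: {key: value}} for each 'config X ... end' block.
    'set k v1 v2' stores 'v1 v2'; 'unset k' stores None; '#...' is a comment."""
    blocks, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            blocks.setdefault(stack[-1], {})
        elif line == "end" and stack:
            stack.pop()
        elif stack and line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            blocks[stack[-1]][key] = value.strip()
        elif stack and line.startswith("unset "):
            blocks[stack[-1]][line[len("unset "):]] = None
    return blocks


def audit(blocks):
    """Return the list of findings; an empty list means these checks pass."""
    findings = []
    glob = blocks.get("system global", {})
    ssl = blocks.get("vpn ssl settings", {})
    if glob.get("strong-crypto") != "enable":
        findings.append("system global: strong-crypto is not enabled")
    for ver in ("tlsv1-0", "tlsv1-1"):
        if ssl.get(ver) != "disable":
            findings.append(f"vpn ssl settings: {ver} is not disabled")
    if ssl.get("tlsv1-2") != "enable":
        findings.append("vpn ssl settings: tlsv1-2 is not enabled")
    banned = (ssl.get("banned-cipher") or "").split()
    if "RSA" not in banned:
        findings.append("vpn ssl settings: banned-cipher lacks RSA, "
                        "static RSA key exchange suites still offered")
    return findings


def surviving_suites(suites, banned):
    """Filter IANA suite names by banned-cipher keywords (assumed mapping)."""
    def hit(suite, keyword):
        kx, bulk = suite.split("_WITH_")  # 'TLS_DHE_RSA', 'AES_128_CBC_SHA'
        if keyword == "RSA":
            return kx == "TLS_RSA"        # static RSA key exchange only
        if keyword == "DHE":
            return "_DHE_" in kx
        if keyword == "SHA1":
            return bulk.endswith("_SHA")  # HMAC-SHA1 MAC
        return False
    return [s for s in suites if not any(hit(s, k) for k in banned)]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit(parse_fortios_config(cfg)) or ["no findings"])
    print("offered with banned-cipher RSA:", surviving_suites(KB_TLS12_SUITES, ["RSA"]))
```

Feed it the output of 'show vpn ssl settings' and 'show system global' from your own unit. The script only reads a static config; it cannot see what the firmware actually puts on the wire, so a scan from outside (SSL Labs, or openssl s_client forced to TLS 1.1) is still the final word after each change.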
From the following Fortinet KB article:
The following cipher suites are offered by the FortiGate when 'strong-crypto' is ENABLED:

TLSv1.0:
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
    TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
    TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)

TLSv1.1:
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
    TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
    TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)

TLSv1.2:
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 128)
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 128)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 128)
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 128)
    TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048)
    TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
    TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)
    TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)