Protect your Fortinet (FortiGate and FortiMail) from SSLv3 POODLE exploit
Last Updated: 10/15/14

Disable SSLv3 for SSL VPN:
config vpn ssl settings
    set sslv3 disable
end

Disable SSLv3 for Admin HTTPS management access:
config system global
    set strong-crypto enable
end

This is what the Fortinet CLI guide says about this setting:
Enable to use strong encryption and only allow strong ciphers
(AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access.
When strong encryption is enabled, HTTPS is supported by the
following web browsers: Netscape 7.2, Netscape 8.0, Firefox,
and Microsoft Internet Explorer 7.0 (beta).
Note that Microsoft Internet Explorer 5.0 and 6.0 are not
supported in strong encryption.

Disable SSLv3 for FortiMail:
config system global
    set strong-crypto enable
end

Related Info / Sources:
FortiGuard.com | SSL v3 "POODLE" Vulnerability
http://www.fortiguard.com/advisory/SSL-v3--POODLE--Vulnerability/

FYI: I disabled TLS within Firefox and confirmed that I could not access the FortiGate admin page (thus confirming that SSLv3 was disabled). Also interesting: when I configured Firefox to only support TLS 1.1+, I could not reach the FortiGate admin page. Apparently FortiOS 4.3 uses TLS 1.0. FortiOS 5.2.x appears to use TLS 1.2.
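
The browser check in the FYI above can also be scripted. The following is an added example, not part of the original article or any Fortinet tooling: it sends a hand-built SSLv3-only ClientHello and reports whether the device answers with an SSLv3 ServerHello. The function names and the cipher list are assumptions chosen for this sketch.

```python
import os
import socket
import struct
import sys

SSL3 = b"\x03\x00"  # SSLv3 version bytes on the wire

def build_client_hello(version=SSL3):
    """Build a minimal ClientHello record that offers only `version`."""
    # Constructed cipher list: AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA.
    # AES and 3DES are included so that a refusal is due to the protocol
    # version and not to the strong-crypto cipher restriction.
    ciphers = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"
    body = (version + os.urandom(32)             # client_version + random
            + b"\x00"                            # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake

def classify_reply(reply, version=SSL3):
    """Interpret the first bytes the server sends back."""
    if len(reply) < 5:
        return "refused"                         # closed or silent, no record sent
    if reply[0] == 0x15:                         # alert record
        return "refused"
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        # ServerHello: server_version follows the 5-byte record header
        # and the 4-byte handshake header.
        return "accepted" if reply[9:11] == version else "unknown"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Return 'accepted' if host:port agrees to an SSLv3 handshake."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            while len(reply) < 11:
                chunk = s.recv(4096)
                if not chunk:
                    break
                reply += chunk
        except (ConnectionResetError, socket.timeout):
            pass                                 # treated as no usable reply
    return classify_reply(reply)

if __name__ == "__main__":
    # Usage: script.py <admin-or-vpn-host> [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(probe(sys.argv[1], port))
```

Run it against the admin interface and the SSL VPN port before and after the change; "accepted" means the device still negotiates SSLv3.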