Handbook

Configuring encryption key algorithms

6.0.0

Configuring encryption key algorithms

The FortiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link. You can only configure encryption key algorithms for SSL VPN in the CLI.

To configure encryption key algorithms - CLI:

Use the following CLI command:

config vpn ssl settings

set algorithm <cipher_suite>

end

where one of the following variables replaces <cipher_suite>:

Variable    Description

low         Use any cipher suite: AES, 3DES, RC4, DES, or ChaCha.

medium      Use a 128-bit or greater cipher suite: AES, 3DES, RC4, or ChaCha.

high        Use a cipher suite greater than 128 bits: AES or ChaCha.

Note that the algorithm <cipher_suite> syntax is only available when the sslvpn-enable attribute is set to enable.

Controlling the use of specific cipher suites

Administrators can ban the use of specific cipher suites for SSL VPN in the CLI, so that PCI DSS (Payment Card Industry Data Security Standard) requirements can be met.

To ban the use of specific cipher suites for SSL VPN - CLI:

config vpn ssl settings

set banned-cipher [RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384 | STATIC]

end
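The algorithm table above describes what each level should refuse, but the only way to confirm what a portal really negotiates is to handshake with it. The following is an added Python example, not Fortinet tooling: it offers the local OpenSSL suites one at a time to an SSL VPN portal you administer and reports accepted suites that contradict the configured level. The host, port and the level names are assumptions; the family mapping follows the table on this page.

```python
import socket
import ssl

# Cipher families each "set algorithm" level permits, taken from the table above.
LEVELS = {
    "low": {"AES", "3DES", "RC4", "DES", "CHACHA"},
    "medium": {"AES", "3DES", "RC4", "CHACHA"},
    "high": {"AES", "CHACHA"},
}
# Substrings of OpenSSL/IANA suite names, ordered so triple DES is matched before plain DES.
FAMILY_TOKENS = [("CHACHA", "CHACHA"), ("AES", "AES"), ("3DES", "3DES"),
                 ("DES-CBC3", "3DES"), ("RC4", "RC4"), ("DES", "DES")]

def cipher_family(name):
    """Map a suite name such as ECDHE-RSA-AES256-GCM-SHA384 to the family the table uses."""
    n = name.upper()
    return next((fam for tok, fam in FAMILY_TOKENS if tok in n), "OTHER")

def allowed(level, name, bits):
    """True if a negotiated suite is consistent with the configured level."""
    if cipher_family(name) not in LEVELS[level]:
        return False
    # "high" is documented as greater than 128 bits, so a 128-bit AES suite is a finding there.
    return level != "high" or bits > 128

def audit(accepted, level):
    """Return the (name, bits) pairs the portal accepted that the level should have refused."""
    return [(n, b) for n, b in accepted if not allowed(level, n, b)]

def probe(host, port=443, timeout=5.0):
    """Offer each TLS 1.2-and-below suite the local OpenSSL knows, one per handshake,
    and record what the portal accepts. Certificate checks are off: this only audits."""
    base = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    base.set_ciphers("ALL:COMPLEMENTOFALL")  # enumerate every suite, weak ones included
    accepted = {}
    for c in base.get_ciphers():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites are not set_ciphers()-selectable
        try:
            ctx.set_ciphers(c["name"] + ":@SECLEVEL=0")  # TLS 1.3-only names raise here and are skipped
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    name, _proto, bits = tls.cipher()
                    accepted[name] = bits
        except (ssl.SSLError, OSError):
            continue
    return sorted(accepted.items())
```

Run `audit(probe("vpn.example.test"), "high")` after setting `set algorithm high`; an empty list means every accepted suite matches the table, and any entry returned is a suite to investigate or add to banned-cipher.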