Fortinet Document Library

Global commands for stronger and more secure encryption

This section describes some best practices for employing stronger and more secure encryption.

Turn on global strong encryption

Enter the following command to configure FortiOS to use only strong encryption, allowing only strong ciphers (AES, 3DES) and the SHA1 digest for HTTPS, SSH, TLS, and SSL functions.

config sys global
    set strong-crypto enable
end

Disable MD5 and CBC for SSH

In some cases, you may not be able to enable strong encryption. For example, your FortiGate may be communicating with a system that does not support strong encryption. With strong-crypto disabled, you can use the following options to prevent SSH sessions with the FortiGate from using the less secure MD5 and CBC algorithms:

config sys global
    set ssh-hmac-md5 disable
    set ssh-cbc-cipher disable
end

Disable static keys for TLS

You can use the following command to prevent TLS sessions from using the static-key cipher suites (AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256):

config sys global
    set ssl-static-key-ciphers disable
end

Require larger values for Diffie-Hellman exchanges

Larger Diffie-Hellman values result in stronger encryption. Use the following command to force Diffie-Hellman exchanges to use 8192-bit values (the highest configurable DH value).

config sys global
    set dh-params 8192
end

Note

Setting higher DH bit values may not be compatible with some systems that the FortiGate is communicating with. For example, some versions of FortiClient SSL VPN may not support 8192-bit DH values. Make sure the DH bit value you choose is compatible with the systems that your FortiGate will be communicating with.
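The settings above are easy to drift out of compliance during upgrades or troubleshooting. The following added example (not Fortinet code) audits the text of a `show full-configuration system global` dump for the five knobs this page covers and prints the remediation command for each one that is weak. The sample dump is constructed for the example, and the 2048-bit DH floor is an assumption of the audit, not a value from this page.

```python
# Constructed sample of `show full-configuration system global` output
# (invented for this example; only the keys discussed on the page matter).
SAMPLE_CONFIG = """\
config system global
    set strong-crypto disable
    set ssh-hmac-md5 enable
    set ssh-cbc-cipher enable
    set ssl-static-key-ciphers enable
    set dh-params 1024
    set timezone 04
end
"""

# Target values, taken directly from the commands this page lists.
EXPECTED = {
    "strong-crypto": "enable",
    "ssh-hmac-md5": "disable",
    "ssh-cbc-cipher": "disable",
    "ssl-static-key-ciphers": "disable",
}
# Assumption: smallest DH size this audit tolerates (the page recommends 8192).
MIN_DH_BITS = 2048

def parse_system_global(text):
    """Collect the `set <key> <value>` pairs inside `config system global`."""
    settings = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config system global":
            inside = True
        elif inside and stripped == "end":
            break
        elif inside and stripped.startswith("set "):
            parts = stripped.split(None, 2)
            settings[parts[1]] = parts[2].strip('"') if len(parts) > 2 else ""
    return settings

def audit(settings):
    """Return (key, current value, remediation command) for each weak setting."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key, "<unset>")
        if got != want:
            findings.append((key, got, f"set {key} {want}"))
    dh_bits = int(settings.get("dh-params", "0"))
    if dh_bits < MIN_DH_BITS:
        findings.append(("dh-params", str(dh_bits), "set dh-params 8192"))
    return findings
```

Run `audit(parse_system_global(SAMPLE_CONFIG))` to get the list of weak settings; an empty list means every knob matches the hardened values above.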