Global commands for stronger and more secure encryption
This section describes some best practices for employing stronger and more secure encryption.
Turn on global strong encryption
Enter the following command to configure FortiOS to use only strong encryption and allow only strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS, SSH, TLS, and SSL functions.
config sys global
set strong-crypto enable
end
Disable MD5 and CBC for SSH
In some cases, you may not be able to enable strong encryption. For example, your FortiGate may be communicating with a system that does not support strong encryption. With strong-crypto
disabled you can use the following options to prevent SSH sessions with the FortiGate from using less secure MD5 and CBC algorithms:
config sys global
set ssh-hmac-md5 disable
set ssh-cbc-cipher disable
end
Disable static keys for TLS
You can use the following command to prevent TLS sessions from using static keys (AES128-SHA, AES256-SHA, AES128-SHA256, AES256-SHA256):
config sys global
set ssl-static-key-ciphers disable
end
Require larger values for Diffie-Hellman exchanges
Larger Diffie-Hellman values result in stronger encryption. Use the following command to force Diffie-Hellman exchanges to use 8192 bit values (the highest configurable DH value).
config sys global
set dh-params 8192
end
![]() |
Setting higher DH but values may not be compatible with some systems that the FortiGate is communicating with. For example, some versions of FortiClient SSL VPN may not support 8192 DH bit values. Make sure the DH bit value setting that you choose is compatible with the systems that your FortiGate will be communicating with. |