Fortinet Document Library

Cookbook 6.2.0
TLS 1.3 support

SSL VPN

FortiOS supports TLS 1.3 for SSL VPN.

Note

TLS 1.3 support requires IPS engine 4.205 or later and endpoints running FortiClient 6.2.0 or later.

To establish a client SSL VPN connection with TLS 1.3 to the FortiGate:
  1. Enable TLS 1.3 support using the CLI:

    config vpn ssl setting
        set tlsv1-3 enable
    end

  2. Configure the SSL VPN settings and firewall policy as needed.
  3. For Linux clients, ensure OpenSSL 1.1.1a is installed. Run the following commands in the Linux client terminal:

      root@PC1:~/tools# openssl
      OpenSSL> version

    If OpenSSL 1.1.1a is installed, the system displays a response like the following:

      OpenSSL 1.1.1a 20 Nov 2018

  4. For Linux clients, use OpenSSL with the TLS 1.3 option to connect to the SSL VPN. Run the following command in the Linux client terminal:

      # openssl s_client -connect 10.1.100.10:10443 -tls1_3

  5. Ensure the SSL VPN connection is established with TLS 1.3 using the CLI:

    # diagnose debug application sslvpn -1
    # diagnose debug enable

    The system displays a response like the following:

    [207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
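As an added check (example code written for this page, not from the Fortinet documentation or FortiOS), the Go program below combines steps 4 and 5: ProbeTLS13 is a TLS 1.3-only client like "openssl s_client -tls1_3" and reports the negotiated version and cipher suite, the same two facts the "SSL established" debug line shows, while StartLabServer is a constructed loopback stand-in for the FortiGate so both outcomes (tlsv1-3 enabled, or a gateway capped at TLS 1.2) can be exercised offline. The name "example.com" is the DNS name in httptest's built-in test certificate; against a real gateway, pass its address, its host name and the CA pool you trust.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// ProbeTLS13 is the programmatic counterpart of "openssl s_client -tls1_3":
// it offers nothing below TLS 1.3, so a handshake error means the peer does
// not support it (for a FortiGate SSL VPN port: tlsv1-3 is not enabled).
func ProbeTLS13(addr, serverName string, roots *x509.CertPool) (uint16, string, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, ServerName: serverName, RootCAs: roots}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()
	st := conn.ConnectionState() // version and cipher, as in the debug line
	return st.Version, tls.CipherSuiteName(st.CipherSuite), nil
}

// StartLabServer is a loopback stand-in for the FortiGate (constructed for this
// example, not Fortinet code). maxVersion = tls.VersionTLS12 models a gateway
// without tlsv1-3 enabled. The returned pool trusts only the server's own cert.
func StartLabServer(maxVersion uint16) (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MaxVersion: maxVersion}
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // expected failures are not noise
	srv.StartTLS()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	return srv, roots
}

func main() {
	for _, max := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		srv, roots := StartLabServer(max)
		v, cipher, err := ProbeTLS13(srv.Listener.Addr().String(), "example.com", roots)
		fmt.Printf("server max=%#x -> version=%#x cipher=%q err=%v\n", max, v, cipher, err)
		srv.Close()
	}
}
```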

Deep inspection (flow-based)

FortiOS supports TLS 1.3 for policies that have the following security profiles applied:

  • Web filter profile with flow-based inspection mode enabled.
  • Deep inspection SSL/SSH inspection profile.

For example, when a client attempts to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine. The IPS engine then decodes TLS 1.3 and the client is able to access the website.
