New Features

Doc ID 761d83e3-4a7b-11e9-94bf-00505692583a:35927
TLS 1.3 Support

SSL VPN

TLS 1.3 support has been added for SSL VPN. The following steps are required for a client to establish an SSL VPN connection with TLS 1.3 to the FortiGate:

  1. Configure TLS 1.3 support using the FortiOS CLI.
  2. Configure the SSL VPN and firewall policy.
  3. For Linux clients, ensure OpenSSL 1.1.1 or later is installed (1.1.1 is the first OpenSSL release with TLS 1.3 support; the examples below use 1.1.1a).
  4. Use OpenSSL with the TLS 1.3 option to connect to the SSL VPN.
  5. Verify that the SSL VPN connection has been established with TLS 1.3.
Note

This feature can only be used with endpoints that have FortiClient 6.2.0 or a later version installed. Earlier FortiClient versions do not support TLS 1.3.

To configure TLS 1.3 support using the FortiOS CLI:

A new tlsv1-3 option has been added under config vpn ssl setting. It is enabled by default; to enable it explicitly, or to re-enable it after it has been disabled, use the following FortiOS CLI command:

config vpn ssl setting
    set tlsv1-3 enable
end

Use set tlsv1-3 disable to turn TLS 1.3 off again. Enabling TLS 1.3 adds it to the protocol versions the SSL VPN listener offers; it is still worth testing with a client forced to an older TLS version to confirm that the listener's minimum-version policy is what you intend.

To configure SSL VPN and the firewall policy:

Configure the SSL VPN settings and firewall policy as required.

To ensure OpenSSL 1.1.1 or later is installed on the Linux client:

Run the following commands in the terminal on the Linux client (or run openssl version directly):

root@PC1:~/tools# openssl
OpenSSL> version

If OpenSSL 1.1.1a is installed, the system displays a response like the following:

OpenSSL 1.1.1a  20 Nov 2018

Any 1.1.1 or later version string is sufficient; an older version (1.1.0 or 1.0.2) does not recognize the -tls1_3 option used in the next step.

To connect to the SSL VPN using OpenSSL with TLS 1.3:

On the Linux client, use OpenSSL to connect to the FortiGate SSL VPN with TLS 1.3 by running the following command (10.1.100.10:10443 is the example listener address and port; substitute your own):

# openssl s_client -connect 10.1.100.10:10443 -tls1_3

The -tls1_3 option restricts OpenSSL to offering only TLS 1.3, so the handshake fails outright if the FortiGate does not accept it. In the s_client output, confirm that the session summary reports Protocol : TLSv1.3 together with a TLS 1.3 cipher suite such as TLS_AES_256_GCM_SHA384.
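The following script is an added example and is not part of the Fortinet page or of FortiOS. It automates the client-side check above: it runs openssl s_client with -brief once per TLS version, parses the "Protocol version:" and "Ciphersuite:" lines that -brief prints, and reports which versions the listener negotiated, so you can confirm both that TLS 1.3 is accepted and whether legacy versions still are. The host 10.1.100.10 and port 10443 are assumptions taken from the page's example; the sample s_client output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the Fortinet page). Probes an SSL VPN listener
# with "openssl s_client -brief" for each TLS version and reports what the
# FortiGate negotiated. Needs OpenSSL 1.1.1 or later on the client, since
# -tls1_3 does not exist in older releases.

# Pull "Protocol version: TLSv1.3" out of s_client -brief output read on
# stdin. Prints the version, or "none" when no handshake summary is present
# (refused connection, unsupported version, DNS failure, ...).
parse_brief_version() {
    v=$(sed -n 's/^Protocol version: *//p' | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'none\n'; fi
}

# Same for the "Ciphersuite: TLS_AES_256_GCM_SHA384" line.
parse_brief_cipher() {
    c=$(sed -n 's/^Ciphersuite: *//p' | head -n 1)
    if [ -n "$c" ]; then printf '%s\n' "$c"; else printf 'none\n'; fi
}

# Map a TLS version label to the s_client flag that pins the handshake to
# exactly that version (the flag sets both min and max protocol version).
version_flag() {
    case "$1" in
        TLSv1)   printf '%s\n' -tls1 ;;
        TLSv1.1) printf '%s\n' -tls1_1 ;;
        TLSv1.2) printf '%s\n' -tls1_2 ;;
        TLSv1.3) printf '%s\n' -tls1_3 ;;
        *)       return 1 ;;
    esac
}

# Attempt one handshake restricted to the given version; print the version
# the server actually negotiated, or "none" if it refused.
probe_version() {
    host=$1; port=$2; want=$3
    flag=$(version_flag "$want") || return 1
    # </dev/null closes stdin so s_client exits right after the handshake;
    # -brief writes its summary to stderr, hence 2>&1 before the pipe.
    openssl s_client -connect "$host:$port" "$flag" -brief \
        </dev/null 2>&1 | parse_brief_version
}

# Probe every version and print a small table. Exit status is 0 only when
# TLS 1.3 was negotiated. Older versions being accepted is reported rather
# than treated as an error: whether that is acceptable is a policy decision.
tls_version_report() {
    host=$1; port=${2:-10443}   # 10443 matches the page's example listener
    ok=1
    for v in TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; do
        got=$(probe_version "$host" "$port" "$v")
        printf '%-8s -> %s\n' "$v" "$got"
        [ "$v" = TLSv1.3 ] && [ "$got" = TLSv1.3 ] && ok=0
    done
    return $ok
}

# Usage (address is the page's example; replace with your listener):
#   tls_version_report 10.1.100.10 10443
#
# Constructed sample of what "openssl s_client -brief" prints on success,
# which the parsers above consume:
#   CONNECTION ESTABLISHED
#   Protocol version: TLSv1.3
#   Ciphersuite: TLS_AES_256_GCM_SHA384
```

A row reading "TLSv1.3 -> TLSv1.3" confirms what the FortiGate debug line in the next step shows from the server side; rows for TLSv1 or TLSv1.1 that also negotiate successfully tell you the listener still accepts protocol versions you may want to disable.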

To verify that the SSL VPN connection is established with TLS 1.3:

Run the following commands in the FortiOS CLI to enable SSL VPN debug output, then connect from the client:

# diagnose debug application sslvpn -1
# diagnose debug enable

The system should display a response like the following:

[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

The TLSv1.3 protocol name and a TLS 1.3 cipher suite (here TLS_AES_256_GCM_SHA384) in the SSL established line confirm the negotiated version from the FortiGate side. When you are done, turn debugging off with diagnose debug disable and clear the application debug level with diagnose debug reset; the -1 level logs every SSL VPN event and is noisy on a busy unit.

Deep Inspection (Flow Based)

FortiOS now supports TLS 1.3 for policies that have the following security profiles applied:

  • Web Filter profile with flow-based inspection mode enabled
  • SSL/SSH Inspection profile set to deep inspection

For example, consider an enabled policy with the above Web Filter and SSL/SSH Inspection profiles applied. A client attempts to access a website that supports TLS 1.3. FortiOS sends the traffic to the IPS engine, which decodes the TLS 1.3 session so that the Web Filter profile can be applied, and the client is able to access the website.

Note

TLS 1.3 support in flow-based deep inspection requires IPS engine 4.205 or later. You can check the installed IPS engine version in the FortiOS CLI with diagnose autoupdate versions.
