TLS configuration

The minimum TLS version that is used for local out connections from the FortiGate can be configured in the CLI:

config system global
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2 | TLSv1-3}
end

By default, the minimum version is TLSv1.2. The FortiGate will try to negotiate a connection using the configured version or higher. If the server that FortiGate is connecting to does not support the version, then the connection will not be made. Some FortiCloud and FortiGuard services do not support TLSv1.3.

Minimum SSL/TLS versions can also be configured individually for the following settings, not all of which support TLSv1.3:

Setting               CLI
--------------------  ---------------------------------
Email server          config system email-server
Certificate           config vpn certificate setting
FortiSandbox          config system fortisandbox
FortiGuard            config log fortiguard setting
FortiAnalyzer         config log fortianalyzer setting
Syslog                config log syslogd setting
User Authentication   config user setting
LDAP server           config user ldap
POP3 server           config user pop3
Exchange server       config user exchange

A minimum (ssl-min-proto-ver) and a maximum (ssl-max-proto-ver) version can be configured for SSL VPN. See TLS 1.3 support.
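To check a configuration backup against the settings above, the following added example (not Fortinet code) walks the config/edit blocks and reports every option whose name contains ssl-min-proto-ver, flagging values below a chosen floor. It assumes the per-section option names contain that string; the function name, the sample configuration and its host names are constructed, and values outside the list shown on this page are reported for manual review.

```python
# Added example: audit minimum-TLS settings in a FortiGate config backup.
# Protocol names in the order this page lists them, weakest first.
ORDER = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2", "TLSv1-3"]

# Constructed sample; not taken from a real device.
SAMPLE = """\
config system global
    set hostname "fw-lab"
    set ssl-min-proto-version TLSv1-1
end
config log syslogd setting
    set status enable
    set ssl-min-proto-version TLSv1-2
end
config user ldap
    edit "dc1"
        set server "192.0.2.10"
        set ssl-min-proto-version default
    next
end
"""

def audit_min_tls(config_text, floor="TLSv1-2"):
    """Return (path, option, value, verdict) for each ssl-min-proto-ver* setting."""
    stack, findings = [], []
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] in ("config", "edit"):
            stack.append(" ".join(words))      # entering a block or table entry
        elif words[0] in ("end", "next"):
            if stack:
                stack.pop()                    # leaving it
        elif words[0] == "set" and len(words) >= 3 and "ssl-min-proto-ver" in words[1]:
            value = words[2]
            if value not in ORDER:
                verdict = "review"             # not in this page's list; check by hand
            elif ORDER.index(value) < ORDER.index(floor):
                verdict = "below-floor"
            else:
                verdict = "ok"
            findings.append((" / ".join(stack), words[1], value, verdict))
    return findings

if __name__ == "__main__":
    for path, option, value, verdict in audit_min_tls(SAMPLE):
        print(f"{verdict:12} {path}: {option} = {value}")
```

Sections that do not appear in the output carry no explicit setting in the backup and need to be checked on the device.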
