
SSL traffic over TLS 1.0 will not be checked and will be bypassed by default

FortiOS 6.2.6 and 6.4.3 ended support for TLS 1.0 when strong-crypto is enabled under config system global. As a result, SSL traffic negotiated over TLS 1.0 is not inspected and is bypassed (passed through uninspected) by default.

To examine and/or block TLS 1.0 traffic, an administrator can either:

  • Disable strong-crypto under config system global. This applies to FortiOS 6.2.6, 6.4.3 and later versions.

  • Under config firewall ssl-ssh-profile, set the following to block in the SSL protocol settings:

    • in FortiOS 6.2.6 and later:

      config firewall ssl-ssh-profile
          edit <name>
              config ssl
                  set unsupported-ssl block
              end
          next
      end
    • in FortiOS 6.4.3 and later:

      config firewall ssl-ssh-profile
          edit <name>
              config ssl
                  set unsupported-ssl-negotiation block
              end
          next
      end
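To confirm which of the two behaviours (block or inspect) is now in effect, the following POSIX shell helper, added here as an example and not Fortinet's own tooling, performs a TLS 1.0-only handshake through the FortiGate with openssl s_client and classifies the result as blocked, inspected or bypassed. The inspection CA name Fortinet_CA_SSL, the probe hostname and the sample outputs are assumptions or constructed values; substitute the CA configured in your ssl-ssh-profile.

```shell
# Assumption: the CA the FortiGate uses to re-sign certificates for deep inspection.
INSPECTION_CA="Fortinet_CA_SSL"

# Classify openssl s_client output read from stdin:
#   blocked            - handshake rejected (unsupported-ssl[-negotiation] block in effect)
#   inspected          - certificate re-signed by the inspection CA (traffic is checked)
#   bypassed           - origin certificate returned unchanged (TLS 1.0 passed through)
#   client-unsupported - local OpenSSL refused to offer TLS 1.0, so nothing was tested
classify_tls10() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'no protocols available'; then
        echo client-unsupported
    elif printf '%s\n' "$out" | grep -Eq 'handshake failure|protocol version|wrong version number'; then
        echo blocked
    elif printf '%s\n' "$out" | grep -E '^issuer=' | grep -q "$INSPECTION_CA"; then
        echo inspected
    elif printf '%s\n' "$out" | grep -Eq '^issuer='; then
        echo bypassed
    else
        echo unknown
    fi
}

# Probe a host behind the FortiGate with a TLS 1.0-only ClientHello.
# Recent OpenSSL builds reject -tls1 at the default security level;
# -cipher 'DEFAULT@SECLEVEL=0' lowers it for this probe only.
probe_tls10() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -tls1 \
        -cipher 'DEFAULT@SECLEVEL=0' </dev/null 2>&1 | classify_tls10
}

# Constructed sample outputs (not real captures) so the classifier can be checked offline.
SAMPLE_INSPECTED='subject=CN=example.test
issuer=C=US, CN=Fortinet_CA_SSL
---
SSL handshake has read 1234 bytes'
SAMPLE_BYPASSED='subject=CN=example.test
issuer=C=US, O=Example Root CA
---'
SAMPLE_BLOCKED='140123456:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure'
SAMPLE_LOCAL='140123456:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available'
```

Run `probe_tls10 example.test` against a host on the far side of the FortiGate; a result of bypassed means TLS 1.0 sessions are still passing through uninspected.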
