TLS configuration

The minimum TLS version that is used for local out connections from the FortiGate can be configured in the CLI:

config system global
    set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2 | TLSv1-3}
end

By default, the minimum version is TLSv1.2. The FortiGate will try to negotiate a connection using the configured version or higher. If the server that the FortiGate is connecting to does not support the configured version or a higher one, then the connection will not be made. Some FortiCloud and FortiGuard services do not support TLSv1.3.
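
An added example, not part of the Fortinet documentation: a Python audit of a saved configuration that reports every ssl-min-proto-version value and applies the default described above when system global leaves it unset. The sample configuration is constructed, and it assumes that per-feature blocks use the same keyword as the global setting.

```python
import re

# Accepted values, weakest first, from the CLI syntax on this page.
ORDER = ["SSLv3", "TLSv1", "TLSv1-1", "TLSv1-2", "TLSv1-3"]
DEFAULT = "TLSv1-2"  # documented default when system global leaves it unset

def parse_min_versions(config_text):
    """Return {block path: value} for every 'set ssl-min-proto-version' line."""
    stack, found = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            stack.append(re.sub(r"^config ", "", line))
        elif line in ("end", "next") and stack:
            stack.pop()
        else:
            m = re.match(r"set ssl-min-proto-version (\S+)$", line)
            if m and stack:
                found[" / ".join(stack)] = m.group(1)
    return found

def audit(config_text, floor="TLSv1-2"):
    """Return sorted (block, value, finding) tuples for a config backup."""
    found = parse_min_versions(config_text)
    found.setdefault("system global", DEFAULT)
    report = []
    for block, value in sorted(found.items()):
        if value not in ORDER:  # not a value listed on this page
            finding = "review manually"
        elif ORDER.index(value) < ORDER.index(floor):
            finding = "below floor"
        else:  # some services do not support TLSv1.3, so the connection may fail
            finding = "check server support" if value == "TLSv1-3" else "ok"
        report.append((block, value, finding))
    return report

# Constructed sample backup. Assumption: the per-feature blocks use the same
# ssl-min-proto-version keyword as system global.
SAMPLE = """\
config system global
    set hostname "fgt-lab"
end
config system email-server
    set ssl-min-proto-version TLSv1
end
config log fortianalyzer setting
    set ssl-min-proto-version TLSv1-3
end
"""
```

Calling audit(SAMPLE) returns one row per block; pass a different floor to match local policy.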

Minimum SSL/TLS versions can also be configured individually for the following settings, not all of which support TLSv1.3:

Setting          CLI

Email server     config system email-server
Certificate      config vpn certificate setting
FortiSandbox     config system fortisandbox
FortiGuard       config log fortiguard setting
FortiAnalyzer    config log fortianalyzer setting
Syslog