Communication hardening

Doc ID 067f5236-ca6d-11e9-8977-00505692583a:65590

FortiManager allows you to customize the level of security and the encryption algorithms used to securely communicate with managed FortiGate devices.

FortiManager allows you to restrict the cipher suites the device offers, which removes the weak suites an attacker needs for a cipher-suite downgrade attack such as Logjam (which forces the peers onto export-grade Diffie-Hellman) or other protocol downgrade attacks.

In the FortiManager CLI, you can change the supported cipher suites with the following command:

config system global
    set enc-algorithm {high | medium | low}
end

The default value is high, and it should stay there: the low and medium levels enable single DES and RC4, both of which are broken, and their suites use RSA key exchange without forward secrecy.

The following cipher suites are used for each level:

  • LOW: EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, DES-CBC-MD5
  • MEDIUM: RC4-SHA, RC4-MD5, RC4-MD
  • HIGH: ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256

For the certificate used to secure communications, FortiManager uses the BIOS certificate burned into the unit at the time of manufacture, so that the certificate cannot be tampered with.
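To confirm from the outside which level a FortiManager is actually enforcing, the following added example (not Fortinet code) offers each documented suite to a TLS listener one at a time and records what the server negotiates. It assumes the FortiGate-to-FortiManager management listener on TCP 541 honours enc-algorithm; the host name and port are placeholders passed on the command line, and the page itself names no port. The low and medium suites are included as listed on the page, minus "RC4-MD", which is not a suite name OpenSSL recognizes. On a current OpenSSL build those DES and RC4 suites will normally come back as "unavailable" because the local library no longer implements them, which is itself a good reason never to select those levels.

```python
"""Probe a FortiManager (or any TLS listener) for the cipher suites it accepts.

Added example, not Fortinet code. Assumes the listener on TCP 541 (the
FortiGate-to-FortiManager management port) applies `set enc-algorithm`.
Standard library only; run as: python probe_enc_algorithm.py <host> [port]
"""
import socket
import ssl
import sys

# Cipher suites per enc-algorithm level, as listed in the documentation.
# "RC4-MD" from the medium list is omitted: OpenSSL has no suite of that name.
LEVEL_SUITES = {
    "low": ["EDH-RSA-DES-CBC-SHA", "DES-CBC-SHA", "DES-CBC-MD5"],
    "medium": ["RC4-SHA", "RC4-MD5"],
    "high": [
        "ECDHE-RSA-AES256-GCM-SHA384",
        "DHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
    ],
}


def probe_cipher(host, port, suite, timeout=5.0):
    """Offer exactly one suite and report how the handshake went.

    Returns 'accepted' (server negotiated the suite), 'rejected' (server
    refused it), 'unavailable' (local OpenSSL no longer knows the suite,
    the normal case for DES and RC4 on current builds) or 'unreachable'
    (TCP-level failure).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # cipher policy is under test,
    ctx.verify_mode = ssl.CERT_NONE     # not the peer certificate
    # Cap at TLS 1.2: set_ciphers() does not restrict TLS 1.3 suites, so a
    # TLS 1.3 server would otherwise negotiate one of those instead.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(suite)          # raises before any network I/O
    except ssl.SSLError:
        return "unavailable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                negotiated = tls.cipher()[0]
                return "accepted" if negotiated == suite else "rejected"
    except ssl.SSLError:
        return "rejected"               # e.g. handshake_failure alert
    except OSError:
        return "unreachable"            # refused, timeout, no route


def probe_levels(host, port=541, timeout=5.0):
    """Probe every documented suite; returns {level: {suite: result}}."""
    return {
        level: {suite: probe_cipher(host, port, suite, timeout) for suite in suites}
        for level, suites in LEVEL_SUITES.items()
    }


def weak_suites_accepted(results):
    """Suites from the low and medium lists that the server negotiated.

    A non-empty result means enc-algorithm is not 'high' (or the listener
    ignores it) and a downgrade to DES or RC4 is possible.
    """
    return sorted(
        suite
        for level in ("low", "medium")
        for suite, outcome in results.get(level, {}).items()
        if outcome == "accepted"
    )


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 541
    outcome = probe_levels(target, target_port)
    for level, suites in outcome.items():
        for suite, result in suites.items():
            print(f"{level:6} {suite:32} {result}")
    weak = weak_suites_accepted(outcome)
    print("weak suites accepted:", ", ".join(weak) if weak else "none")
```

Any "accepted" entry under low or medium is a finding. Because the probe disables certificate verification (it is measuring cipher policy, not identity), run it only from a trusted management host, and verify the BIOS certificate separately.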
