Communication hardening
FortiManager allows you to customize the level of security and the encryption algorithms used to securely communicate with managed FortiGate devices.
FortiManager allows you to limit the cipher suites used by the device to prevent the possibility of a crypto downgrade attack such as that found in the Logjam vulnerability or other protocol downgrade attacks.
To change the supported cipher suites in the FortiManager CLI:
- Enter the following command:
config system global
set enc-algorithm {custom | high | medium | low}
end
The default value is high. The following cipher suites are used for each level:
- LOW: EDH-RSA-DES-CBC-SHA, DES-CBC-SHA, DES-CBC-MD5
- MEDIUM: RC4-SHA, RC4-MD5, RC4-MD
- HIGH: ECDHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256
Administrators can also choose to configure a custom list of preferred ciphers using the custom setting.
To configure custom ciphers:
- In the FortiManager CLI, enter the following command to use custom ciphers:
config system global
set enc-algorithm custom
- While still in the config system global context, enter the following CLI commands to configure the list of custom cipher suites (the inner end closes the ssl-cipher-suites table, the outer end closes system global):
config ssl-cipher-suites
edit priority <value to set order in the ssl-cipher-suites table>
set cipher <SSL cipher>
set version <SSL/TLS version>
next
end
end
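The custom table is only as strong as the ciphers and protocol versions an administrator puts in it, so it is worth auditing a saved configuration before trusting it. The following script is an added example, not Fortinet code: it parses the config system global / config ssl-cipher-suites block in the CLI form shown above, then flags entries that belong to the families listed under LOW and MEDIUM (RC4, DES, MD5), entries pinned to a deprecated protocol version, and entries without an ephemeral key exchange. The sample configuration, the version keywords (tls1.2, tls1.0, sslv3) and the weakness rules are assumptions made for the demonstration.

```python
"""
Audit a FortiManager ssl-cipher-suites configuration for weak entries.

Added example, not Fortinet code. The parser accepts the CLI layout used on
this page; the sample configuration below is constructed for the demo, and
the version keywords are assumed rather than taken from a CLI reference.
"""
import re
from dataclasses import dataclass

# Constructed sample: a custom cipher table that mixes strong and weak entries.
SAMPLE_CONFIG = """\
config system global
    set enc-algorithm custom
    config ssl-cipher-suites
        edit 1
            set cipher ECDHE-RSA-AES256-GCM-SHA384
            set version tls1.2
        next
        edit 2
            set cipher RC4-SHA
            set version tls1.0
        next
        edit 3
            set cipher DES-CBC-SHA
            set version sslv3
        next
        edit 4
            set cipher DHE-RSA-AES256-GCM-SHA384
            set version tls1.2
        next
    end
end
"""

# Substrings that identify the cipher families this page lists as LOW/MEDIUM,
# plus NULL/export-grade suites that any downgrade-resistant policy excludes.
WEAK_CIPHER_PATTERNS = {
    "RC4": "RC4 stream cipher (MEDIUM level, broken)",
    "DES": "DES-based cipher (LOW level, 56-bit key)",
    "MD5": "MD5-based MAC",
    "NULL": "no encryption",
    "EXP": "export-grade key length (Logjam-class downgrade target)",
}
# Assumed CLI spellings of protocol versions that should no longer be offered.
WEAK_VERSIONS = {"sslv2", "sslv3", "tls1.0", "tls1.1"}
# Key-exchange prefixes that provide forward secrecy (ephemeral DH / ECDH).
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


@dataclass
class CipherEntry:
    priority: int
    cipher: str
    version: str


def enc_algorithm(config_text: str) -> str:
    """Return the value of 'set enc-algorithm', or '' if it is not present."""
    m = re.search(r"^\s*set enc-algorithm\s+(\S+)", config_text, re.MULTILINE)
    return m.group(1) if m else ""


def parse_cipher_suites(config_text: str) -> list:
    """Return the ssl-cipher-suites entries sorted by priority (lowest first)."""
    entries, current, in_table = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config ssl-cipher-suites":
            in_table = True
            continue
        if not in_table:
            continue
        if m := re.match(r"edit\s+(\d+)$", line):
            current = {"priority": int(m.group(1)), "cipher": "", "version": ""}
        elif m := re.match(r"set cipher\s+(\S+)$", line):
            current["cipher"] = m.group(1)
        elif m := re.match(r"set version\s+(\S+)$", line):
            current["version"] = m.group(1).lower()
        elif line == "next" and current is not None:
            entries.append(CipherEntry(**current))
            current = None
        elif line == "end":  # closes the ssl-cipher-suites table
            break
    return sorted(entries, key=lambda e: e.priority)


def audit(entries: list) -> list:
    """Return (priority, cipher, reason) findings for every weak entry."""
    findings = []
    for e in entries:
        for pattern, why in WEAK_CIPHER_PATTERNS.items():
            if pattern in e.cipher.upper():
                findings.append((e.priority, e.cipher, why))
        if e.version in WEAK_VERSIONS:
            findings.append((e.priority, e.cipher, f"protocol {e.version} is deprecated"))
        if not e.cipher.startswith(FS_PREFIXES):
            findings.append((e.priority, e.cipher, "no forward secrecy"))
    return findings


def is_hardened(config_text: str) -> bool:
    """True when enc-algorithm is custom and the custom table has no findings."""
    return enc_algorithm(config_text) == "custom" and not audit(parse_cipher_suites(config_text))


if __name__ == "__main__":
    table = parse_cipher_suites(SAMPLE_CONFIG)
    print(f"enc-algorithm: {enc_algorithm(SAMPLE_CONFIG)}, {len(table)} custom entries")
    for prio, cipher, reason in audit(table):
        print(f"  priority {prio}: {cipher}: {reason}")
    print("hardened:", is_hardened(SAMPLE_CONFIG))
```

Run it against a copy of the device's config system global output; every finding names the priority slot to edit. The forward-secrecy rule is deliberately stricter than the HIGH level alone requires, because the point of the custom list is to keep only suites that a downgrade cannot push below.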
For the certificate used to encrypt communications, both the FortiGate and the FortiManager use the BIOS certificate burned into the unit at the time of manufacture, which prevents tampering with the certificate. This means an attacker cannot forge valid certificates for FortiGate and FortiManager, as they do not have access to the Fortinet root CA material.