TLS configuration
The minimum TLS version that is used for local out connections from the FortiProxy can be configured in the CLI:
config system global set ssl-min-proto-version {SSLv3 | TLSv1 | TLSv1-1 | TLSv1-2 | TLSv1-3} end
By default, the minimum version is TLSv1.2. The FortiProxy will try to negotiate a connection using the configured version or higher. If the server that FortiProxy is connecting to does not support the version, then the connection will not be made. Some FortiCloud and FortiGuard services do not support TLSv1.3.
Minimum SSL/TLS versions can also be configured individually for the following settings, not all of which support TLSv1.3:
Setting |
CLI |
TLSv1.3 Support |
---|---|---|
Email server |
config system email-server |
No |
Certificate |
config vpn certificate setting |
No |
FortiSandbox |
config system fortisandbox |
No |
FortiGuard |
config log fortiguard setting |
No |
FortiAnalyzer |
config log fortianalyzer setting |
Yes |
Syslog |
config log syslogd setting |
No |
User Authentication |
config user setting |
Yes |
LDAP server |
config user ldap |
Yes |
POP3 server |
config user pop3 |
No |
Exchange server |
config user exchange |
No |