FortiSwitchOS Administration Guide

SSL

You can set strong cryptography and select which certificates are used by the FortiSwitch unit.

When you enable strong cryptography, the following ciphers and algorithms are supported:

  • Ciphers (encryption algorithms):
    • chacha20-poly1305@openssh.com
    • aes128-ctr
    • aes192-ctr
    • aes256-ctr
    • aes128-gcm@openssh.com
    • aes256-gcm@openssh.com
  • Key-exchange algorithms:
    • curve25519-sha256@libssh.org
    • diffie-hellman-group-exchange-sha256
  • Host-key algorithm:
    • ssh-ed25519
  • Message authentication code algorithms:
    • umac-128-etm@openssh.com
    • hmac-sha2-256-etm@openssh.com
    • hmac-sha2-512-etm@openssh.com
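As an added example that is not part of the FortiSwitchOS guide: a Python check that parses an SSH_MSG_KEXINIT payload and reports every algorithm a server offers outside the strong-crypto set listed above. The KEXINIT builder and the sample server offering are constructed here for offline use; a real audit would read the payload from the switch's SSH port after the version exchange.

```python
import struct
# Algorithm set the FortiSwitchOS guide lists for strong-crypto mode.
STRONG_CRYPTO = {
    "kex": {"curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"},
    "hostkey": {"ssh-ed25519"},
    "cipher": {"chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr",
               "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com"},
    "mac": {"umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"},
}
SSH_MSG_KEXINIT = 20

def _name_list(names):
    data = ",".join(names).encode()
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex, hostkey, ciphers, macs, cookie=b"\x00" * 16):
    """Build an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1). Used here only to
    construct sample input; a real check reads the server's KEXINIT off the wire."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    # kex, host key, cipher c2s/s2c, mac c2s/s2c, compression c2s/s2c, languages c2s/s2c
    for names in (kex, hostkey, ciphers, ciphers, macs, macs, ["none"], ["none"], [], []):
        body += _name_list(names)
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the algorithms offered in a KEXINIT payload, by category."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 17, []  # skip message id and 16-byte cookie
    for _ in range(10):
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        lists.append([x for x in payload[off:off + n].decode().split(",") if x])
        off += n
    return {"kex": lists[0], "hostkey": lists[1],
            "cipher": lists[2] + lists[3], "mac": lists[4] + lists[5]}

def audit(offered):
    """Map each category to the offered algorithms that fall outside the strong-crypto set."""
    return {cat: sorted(set(offered[cat]) - allowed)
            for cat, allowed in STRONG_CRYPTO.items() if set(offered[cat]) - allowed}

# Constructed sample: a server that still offers legacy algorithms alongside strong ones.
SAMPLE = build_kexinit(
    kex=["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"],
    hostkey=["ssh-ed25519", "ssh-rsa"],
    ciphers=["aes256-ctr", "aes128-cbc"],
    macs=["hmac-sha2-256-etm@openssh.com", "hmac-sha1"],
)
```

An empty result from audit() means every offered algorithm is within the documented strong-crypto set.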

Using the GUI:
  1. Go to System > Config > SSL.
  2. By default, the Strong Crypto checkbox is selected so that FortiSwitchOS uses strong cryptography for HTTPS and SSH access.

    If you clear the Strong Crypto checkbox, FortiSwitchOS displays a warning that the switch will reboot and then requires you to confirm before rebooting the switch.

  3. Select one of the 802.1X certificate options:
    • Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1X authentication.
    • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
  4. Select one of the 802.1X certificate authority (CA) options:
    • Entrust_802.1x_CA—Select this CA if you are using 802.1X authentication.
    • Entrust_802.1x_G2_CA—Select this CA if you want to use the Google Internet Authority G2.
    • Entrust_802.1x_L1K_CA—Select this CA if you want to use http://ocsp.entrust.net.
    • Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
    • Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.
  5. Select one of the GUI HTTPS certificate options:
    • Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
    • Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    • Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
    • Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. It is not recommended to use it for server-type functionality since any other unit could use this same certificate to spoof the identity of this unit.
  6. Select Update.
Using the CLI:

config system global
  set strong-crypto {enable | disable}
  set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
  set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
  set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
end