SSL
You can set strong cryptography and select which certificates are used by the FortiSwitch unit.
When you enable strong cryptography, the SSH server offers only the following ciphers and algorithms:
- Ciphers (encryption algorithms):
  - chacha20-poly1305@openssh.com
  - aes128-ctr
  - aes192-ctr
  - aes256-ctr
  - aes128-gcm@openssh.com
  - aes256-gcm@openssh.com
- Key-exchange algorithms:
  - curve25519-sha256@libssh.org
  - diffie-hellman-group-exchange-sha256
- Host-key algorithm:
  - ssh-ed25519
- Message authentication code algorithms:
  - umac-128-etm@openssh.com
  - hmac-sha2-256-etm@openssh.com
  - hmac-sha2-512-etm@openssh.com
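The list above is the allow-list an operator wants to verify against a running switch. The following Python script is an added example, not code from the FortiSwitchOS documentation or from Fortinet: it encodes the four algorithm lists above as a policy and audits an SSH server's SSH_MSG_KEXINIT offer against it, reporting every negotiable algorithm outside the strong set. The KEXINIT builder and both sample offers are constructed here for illustration; the "legacy" offer is an assumption, because the page does not state what a switch offers with strong-crypto disabled.

```python
"""Audit an SSH server's algorithm offer against the FortiSwitchOS strong-crypto set.

The four STRONG_* sets are the algorithm names listed on this page. The KEXINIT
builder and both sample offers below are constructed for illustration; a real
audit feeds parse_kexinit() the server's SSH_MSG_KEXINIT payload from a capture.
"""
import struct

# Algorithms FortiSwitchOS offers over SSH with strong-crypto enabled (from the page).
STRONG_CIPHERS = {
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
}
STRONG_KEX = {"curve25519-sha256@libssh.org", "diffie-hellman-group-exchange-sha256"}
STRONG_HOSTKEYS = {"ssh-ed25519"}
STRONG_MACS = {"umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
               "hmac-sha2-512-etm@openssh.com"}

SSH_MSG_KEXINIT = 20
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = (
    "kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)
# Which strong set each negotiable field is checked against.
POLICY = {
    "kex": STRONG_KEX, "hostkey": STRONG_HOSTKEYS,
    "cipher_c2s": STRONG_CIPHERS, "cipher_s2c": STRONG_CIPHERS,
    "mac_c2s": STRONG_MACS, "mac_s2c": STRONG_MACS,
}


def _name_list(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkeys, ciphers, macs):
    """Build a KEXINIT payload (constructed test input, not captured traffic)."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)          # message ID + zero cookie
    for names in (kex, hostkeys, ciphers, ciphers, macs, macs,
                  ("none",), ("none",), (), ()):            # compression and language lists
        payload += _name_list(names)
    payload += b"\x00" + struct.pack(">I", 0)               # first_kex_packet_follows, reserved
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [algorithm, ...]}, rejecting truncated input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, fields = 17, {}
    for field in KEXINIT_FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        raw = payload[offset:offset + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        offset += length
        # An empty name-list is [] on the wire, not [""], so guard the split.
        fields[field] = raw.decode("ascii").split(",") if raw else []
    return fields


def audit_offer(fields):
    """Return {field: sorted weak names} for every offered algorithm outside the strong set."""
    findings = {}
    for field, allowed in POLICY.items():
        weak = sorted(set(fields.get(field, ())) - allowed)
        if weak:
            findings[field] = weak
    return findings


# Constructed offer that matches the strong-crypto list exactly: no findings expected.
STRONG_OFFER = build_kexinit(sorted(STRONG_KEX), sorted(STRONG_HOSTKEYS),
                             sorted(STRONG_CIPHERS), sorted(STRONG_MACS))
# Constructed offer with legacy algorithms mixed in. This is an assumption for
# illustration; the page does not document the offer with strong-crypto disabled.
LEGACY_OFFER = build_kexinit(
    ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"],
    ["ssh-ed25519", "ssh-rsa"],
    ["aes256-ctr", "aes128-cbc", "3des-cbc"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha1", "hmac-md5"],
)

if __name__ == "__main__":
    for label, offer in (("strong", STRONG_OFFER), ("legacy", LEGACY_OFFER)):
        findings = audit_offer(parse_kexinit(offer))
        print(label, "OK" if not findings else findings)
```

To audit a real switch, take the server's KEXINIT from a packet capture of its SSH port: in the SSH binary packet protocol the payload follows the uint32 packet length and the padding-length byte, and it starts with message ID 20. Any name audit_offer() reports is an algorithm the switch would still negotiate with a client that asks for it.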
Using the GUI:
- Go to System > Config > SSL.
  By default, the Strong Crypto checkbox is selected so that FortiSwitchOS uses strong cryptography for HTTPS and SSH access.
  If you clear the Strong Crypto checkbox, FortiSwitchOS warns that the switch will reboot and asks you to confirm before it reboots.
- Select one of the 802.1X certificate options:
  - Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA. This is the default certificate for 802.1X authentication.
  - Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  - Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  - Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. Do not use it for server-type functionality: because every unit carries the same certificate, any other unit could present it to spoof the identity of this unit.
- Select one of the 802.1X certificate authority (CA) options:
  - Entrust_802.1x_CA—Select this CA if you are using 802.1X authentication.
  - Entrust_802.1x_G2_CA—Select this CA if you want to use the Google Internet Authority G2.
  - Entrust_802.1x_L1K_CA—Select this CA if you want to use http://ocsp.entrust.net.
  - Fortinet_CA—Select this CA if you want to use the factory-installed certificate.
  - Fortinet_CA2—Select this CA if you want to use the factory-installed certificate.
- Select one of the GUI HTTPS certificate options:
  - Entrust_802.1x—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a public CA.
  - Fortinet_Factory—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  - Fortinet_Factory2—This certificate is embedded in the hardware at the factory and is unique to this unit. It has been signed by a proper CA.
  - Fortinet_Firmware—This certificate is embedded in the firmware and is the same on every unit (not unique). It has been signed by a proper CA. Do not use it for server-type functionality: because every unit carries the same certificate, any other unit could present it to spoof the identity of this unit.
- Select Update.
Using the CLI:
config system global
set strong-crypto {enable | disable}
set 802.1x-certificate {Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
set 802.1x-ca-certificate {Entrust_802.1x_CA | Entrust_802.1x_G2_CA | Entrust_802.1x_L1K_CA | Fortinet_CA | Fortinet_CA2}
set admin-server-cert {self-sign | Entrust_802.1x | Fortinet_Factory | Fortinet_Factory2 | Fortinet_Firmware}
end