This is an ongoing blog post, one that I will update often with things that come up in security audits.
Companies regularly get external audits to make sure they comply with policies and have no outstanding vulnerabilities in their systems. This is great, but sometimes the FortiGate gets flagged for SSL/SSH encryption level issues. This post collects a few helpful commands that get the FortiGate to pass inspection by disabling the weakest SSL and SSH protocols. I have also included excerpts from a few scans below.
Error: TLS Version 1 Protocol Detection – The above was an issue with TLS version 1.0 being enabled on port 443 (my SSL VPN port), so we need to remove TLS 1.0 from the accepted protocols on the VPN.
The commands to do that are:
config vpn ssl settings
    set tlsv1-0 disable
end
This disables TLS 1.0 on the SSL VPN. Note that the FortiOS key for TLS 1.0 is tlsv1-0; tlsv1-1 is TLS 1.1, which the block below also disables.
Vulnerability Details 116818
This host is susceptible to the SSL version 3 POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. By using SSL version 3 and CBC Mode ciphers this host can allow an attacker to expose encrypted data in a connection between the client and server. Impact: Over time, an attacker can steal sensitive information between the client and the server using this man-in-the-middle attack. Hosts may default to a more secure protocol (TLS 1.2, for example), but a network attacker could potentially trigger a reconnection causing the browser to retry older protocols (SSL version 3).
The above finding says that SSL version 3 was enabled on the SSL VPN port. Just like before, we will disable it, and remove TLS 1.0 and 1.1 at the same time:
config vpn ssl settings
    set sslv3 disable
    set tlsv1-0 disable
    set tlsv1-1 disable
end
This removes SSLv3 (along with TLS 1.0 and 1.1) from the SSL VPN's supported protocols, leaving TLS 1.2 and newer.
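After pushing those settings, it is worth confirming from the outside that the listener really rejects the old versions before the next audit runs. The script below is an added example, not part of the original post: it pins a TLS client to one protocol version at a time, records which versions the VPN port still completes a handshake with, and prints the matching FortiOS lines from this post for anything an auditor would flag. The host name vpn.example.com is an assumption (the post only says port 443 is the SSL VPN port). SSLv3 cannot be negotiated by the Python ssl module on modern OpenSSL builds, so the POODLE check itself still needs a scanner or an openssl binary built with SSLv3 support.

```python
"""Check which SSL/TLS versions an SSL VPN listener still accepts.

Added example for this post, not the author's code. Host/port defaults
are assumptions; pass your own on the command line.
"""
import socket
import ssl
import sys

# Versions the Python ssl module can pin a client to. SSLv3 is absent from
# modern OpenSSL builds, so it is listed only as a finding name below.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Versions an external scan reports as findings when the server accepts them,
# mapped to the FortiOS "config vpn ssl settings" key that disables each one.
LEGACY_KEYS = {"SSLv3": "sslv3", "TLSv1.0": "tlsv1-0", "TLSv1.1": "tlsv1-1"}


def _pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We are probing protocol support, not certificate trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Lower the OpenSSL security level so TLS 1.0/1.1 are actually offered;
    # older OpenSSL builds reject the @SECLEVEL syntax, which is harmless here.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    return ctx


def accepts_version(host: str, port: int, version: ssl.TLSVersion,
                    timeout: float = 5.0) -> bool:
    """True if the server completes a handshake restricted to `version`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with _pinned_context(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        # Handshake failure, refused connection or timeout: version not accepted.
        return False


def probe(host: str, port: int) -> dict:
    """Map each probed version name to whether the listener accepted it."""
    return {name: accepts_version(host, port, v) for name, v in PROBE_VERSIONS.items()}


def findings(results: dict) -> list:
    """Legacy protocol names the server accepted, in scanner order."""
    return [name for name in LEGACY_KEYS if results.get(name)]


def fortios_remediation(results: dict) -> list:
    """FortiOS CLI lines (as in the post) that disable the legacy versions found."""
    lines = ["config vpn ssl settings"]
    lines += [f"    set {LEGACY_KEYS[name]} disable" for name in findings(results)]
    lines.append("end")
    return lines


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # assumed name
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = probe(host, port)
    for name, accepted in results.items():
        print(f"{name:8} {'ACCEPTED' if accepted else 'rejected'}")
    if findings(results):
        print("Legacy versions still enabled; apply:")
        print("\n".join(fortios_remediation(results)))
```

Run it as `python3 check_vpn_tls.py vpn.example.com 443` from a host that can reach the VPN port. A clean result after the commands in this post is TLS 1.0 and 1.1 rejected and TLS 1.2 (and, on recent FortiOS, 1.3) accepted; if TLS 1.0 still shows as accepted, the most common cause is a typo between the tlsv1-0 and tlsv1-1 keys.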
This entry will be updated as I find more issues while going through audits.