SSL Security Settings
(2019-03-13)
Problem
Standard configuration for (more) secure crypto
Solution
config system global
set admin-https-ssl-versions tlsv1-2
set fds-statistics disable
set strong-crypto enable
end
For each VDOM with SSL VPN active in it:
config vpn ssl settings
set algorithm high
set banned-cipher 3DES AESGCM CAMELLIA
set tlsv1-0 disable
set tlsv1-1 disable
end
Notes:
- set strong-crypto enable appears to be a default in 5.6
- set fds-statistics isn't about crypto, but Fortinet recommends turning it off.
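
To check that a unit actually carries these settings, the following added example (not from the original page) audits a saved configuration backup against the values above, per VDOM. It uses the FortiOS spelling banned-cipher; the function names and the sample backup are constructed for illustration, and "absent" means the key is not listed in the backup, so the firmware default applies.

```python
EXPECTED = {
    "system global": {"admin-https-ssl-versions": {"tlsv1-2"},
                      "fds-statistics": {"disable"}, "strong-crypto": {"enable"}},
    "vpn ssl settings": {"algorithm": {"high"}, "tlsv1-0": {"disable"}, "tlsv1-1": {"disable"},
                         "banned-cipher": {"3DES", "AESGCM", "CAMELLIA"}},
}

def parse(text):
    """Return {(vdom, section): {key: set(values)}} for the sections in EXPECTED."""
    found, stack, vdom = {}, [], "global"
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "end" and stack:
            stack.pop()
            vdom = vdom if stack else "global"  # leaving a top-level block ends VDOM scope
        elif tok[0] == "edit" and stack == ["vdom"] and len(tok) > 1:
            vdom = tok[1].strip('"')
        elif tok[0] == "set" and len(tok) > 2 and stack and stack[-1] in EXPECTED:
            found.setdefault((vdom, stack[-1]), {})[tok[1]] = {v.strip('"') for v in tok[2:]}
    return found

def audit(text):
    """Return sorted (vdom, section, key, status); status is ok, mismatch or absent."""
    out = []
    for (vdom, section), have in parse(text).items():
        for key, want in EXPECTED[section].items():
            got = have.get(key)  # None: key not in the backup, firmware default applies
            # Extra banned ciphers are fine; every other value must match exactly.
            ok = got is not None and (want <= got if key == "banned-cipher" else got == want)
            status = "absent" if got is None else "ok" if ok else "mismatch"
            out.append((vdom, section, key, status))
    return sorted(out)

# Constructed sample backup (not from a real device): TLS 1.1 still allowed for admin HTTPS.
SAMPLE = """\
config global
config system global
    set admin-https-ssl-versions tlsv1-1 tlsv1-2
end
end
config vdom
edit guest
config vpn ssl settings
    set banned-cipher 3DES AESGCM CAMELLIA SHA1
    set tlsv1-0 disable
end
end
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Only sections that appear in the backup are audited, so a VDOM with no vpn ssl settings block produces no rows.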