SSL Security Settings

(2019-03-13)

Problem

Standard configuration for (more) secure crypto

Solution

config sys global
  set admin-https-ssl-versions tlsv1-2
  set fds-statistics disable
  set strong-crypto enable
end

For each VDOM with SSL VPN enabled in it:

config vpn ssl setting
  set algorithm high
  set banned-cipher 3DES AESGCM CAMELLIA
  set tlsv1-0 disable
  set tlsv1-1 disable
end

Notes:

  • set strong-crypto enable appears to be the default in 5.6
  • set fds-statistics isn't about crypto, but Fortinet recommends turning it off.
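A way to verify that a device actually carries these settings is to audit a configuration backup rather than trusting that the commands were typed on every VDOM. The script below is an added example, not code from the original page or from Fortinet: it parses the config/edit/set/next/end block structure used by FortiOS backups into a dictionary of blocks, then reports which of the settings above are missing or wrong in system global and in every vpn ssl settings block it finds. The configuration text embedded in it is constructed for the example; the block and option names are the ones used on this page.

```python
"""Audit a FortiOS configuration backup against the SSL hardening baseline above."""
import shlex
from collections import defaultdict

# Constructed sample backup (not from a real device): the global block first,
# then per-VDOM blocks nested under "config vdom" / "edit <name>" / "next".
# VDOM "dmz" is deliberately incomplete so the audit has something to report.
SAMPLE_CONFIG = """\
config system global
    set admin-https-ssl-versions tlsv1-2
    set fds-statistics disable
    set strong-crypto enable
end
config vdom
edit root
config vpn ssl settings
    set algorithm high
    set banned-cipher 3DES AESGCM CAMELLIA
    set tlsv1-0 disable
    set tlsv1-1 disable
end
next
edit dmz
config vpn ssl settings
    set algorithm high
    set tlsv1-0 disable
end
next
end
"""

# Expected values, taken from the config blocks on this page.
GLOBAL_BASELINE = {
    "admin-https-ssl-versions": "tlsv1-2",
    "strong-crypto": "enable",
    "fds-statistics": "disable",
}
SSLVPN_BASELINE = {
    "algorithm": "high",
    "tlsv1-0": "disable",
    "tlsv1-1": "disable",
}
SSLVPN_BLOCK = ("vpn", "ssl", "settings")


def parse_fortios(text):
    """Return {block_path: {option: value}} for every block in a FortiOS dump.

    block_path is the tuple of nested config/edit names, e.g.
    ("system", "global") or ("vdom", "root", "vpn", "ssl", "settings").
    """
    blocks = defaultdict(dict)
    stack = []  # one tuple of name components per open config/edit
    for raw in text.splitlines():
        words = shlex.split(raw.strip())  # shlex handles quoted values
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd in ("config", "edit"):
            stack.append(tuple(args))
        elif cmd in ("end", "next"):
            if stack:
                stack.pop()
        elif cmd in ("set", "unset") and args:
            path = tuple(part for names in stack for part in names)
            if cmd == "set":
                blocks[path][args[0]] = " ".join(args[1:])
            else:
                blocks[path].pop(args[0], None)
    return dict(blocks)


def audit(config_text):
    """Return a list of human-readable findings; an empty list means compliant."""
    blocks = parse_fortios(config_text)
    findings = []
    glob = blocks.get(("system", "global"), {})
    for key, want in GLOBAL_BASELINE.items():
        if glob.get(key) != want:
            findings.append(f"system global: {key} is {glob.get(key, 'unset')}, want {want}")
    for path, settings in blocks.items():
        if path[-3:] != SSLVPN_BLOCK:
            continue
        vdom = path[1] if path[0] == "vdom" else "(no vdom)"
        for key, want in SSLVPN_BASELINE.items():
            if settings.get(key) != want:
                findings.append(f"vdom {vdom}: {key} is {settings.get(key, 'unset')}, want {want}")
        if "banned-cipher" not in settings:
            findings.append(f"vdom {vdom}: banned-cipher not set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["compliant"]:
        print(finding)
```

Because a FortiOS backup omits options that are still at their default value, a key reported as "unset" can mean either that the option was never changed or that the default already matches (as the note on strong-crypto suggests); confirm those cases on the device with show full-configuration. The audit also checks every vpn ssl settings block it finds, whether or not SSL VPN is actually enabled in that VDOM, which errs on the side of reporting too much rather than too little.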