Configuring encryption key algorithms
The FortiGate unit supports a range of cryptographic cipher suites to match the capabilities of various web browsers. The web browser and the FortiGate unit negotiate a cipher suite before any information (for example, a user name and password) is transmitted over the SSL link. You can only configure encryption key algorithms for SSL VPN in the CLI.
To configure encryption key algorithms - CLI:
Use the following CLI command,
config vpn ssl settings
set algorithm <cipher_suite>
end
where one of the following variables replaces <cipher_suite>:
Variable |
Description |
---|---|
|
Use any cipher suite; AES, 3DES, RC4, DES, or ChaCha. |
|
Use a 128-bit or greater cipher suite; AES, 3DES, RC4, or ChaCha. |
|
Use a cipher suite greater than 128 bits; AES or ChaCha. |
Note that the algorithm <cipher_suite>
syntax is only available when the sslvpn-enable
attribute is set to enable.
Controlling the use of specific cipher suites
Administrators can ban the use of specific cipher suites in the CLI for SSL VPN, so PCI-DSS (Payment Card Industry Data Security Standard) certification can be met.
To ban the use of specific cipher suites for SSL VPN - CLI:
config vpn ssl settings
set banned-cipher [RSA | DH | DHE | ECDH | ECDHE | DSS | ECDSA | AES | AESGCM | CAMELLIA | 3DES | SHA1 | SHA256 | SHA384 | STATIC]