TLS 1.3 support


FortiOS supports TLS 1.3 for SSL VPN.


TLS 1.3 support requires IPS engine 4.205 or later and endpoints running FortiClient 6.2.0 or later.

To establish a client SSL VPN connection with TLS 1.3 to the FortiGate:
  1. Enable TLS 1.3 support using the CLI:

    config vpn ssl setting
        set ssl-max-proto-ver tls1-3
        set ssl-min-proto-ver tls1-3
    end


  2. Configure the SSL VPN and firewall policy:
    1. Configure the SSL VPN settings and firewall policy as needed.
  3. For Linux clients, ensure OpenSSL 1.1.1a is installed:
    1. Run the following commands in the Linux client terminal:

      root@PC1:~/tools# openssl

      OpenSSL> version

      If OpenSSL 1.1.1a is installed, the system displays a response like the following:

      OpenSSL 1.1.1a 20 Nov 2018

  4. For Linux clients, use OpenSSL with the TLS 1.3 option to connect to SSL VPN:
    1. Run the following command in the Linux client terminal:

      # openssl s_client -connect <FortiGate_address>:<SSL_VPN_port> -tls1_3

  5. Ensure the SSL VPN connection is established with TLS 1.3 using the CLI:

    # diagnose debug application sslvpn -1

    # diagnose debug enable

    The system displays a response like the following:

    [207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
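
With ssl-min-proto-ver set to tls1-3, every "SSL established" line in the debug output should report TLSv1.3. The script below is an added example, not Fortinet code, that checks saved debug output for sessions negotiated with any other version. It assumes the console output was captured to a file or pipe; the function names are hypothetical, and the TLSv1.2 sample line is constructed.

```shell
#!/bin/sh
# Added example (not Fortinet code). Function names are hypothetical.

# Print "<protocol> <cipher>" for each "SSL established" debug line on stdin.
# Carriage returns are stripped because console captures often contain them.
established_sessions() {
    tr -d '\r' |
        sed -n 's/^\[[^]]*]SSL established: \([^ ]*\) \([^ ]*\).*$/\1 \2/p'
}

# Exit status: 0 = every session is TLSv1.3,
#              1 = other versions found (offending sessions printed),
#              2 = no session seen, so nothing was verified.
audit_tls13() {
    _sessions=$(established_sessions)
    [ -n "$_sessions" ] || return 2
    _other=$(printf '%s\n' "$_sessions" | grep -v '^TLSv1\.3 ' || true)
    [ -z "$_other" ] && return 0
    printf '%s\n' "$_other"
    return 1
}

# Sample input. The first line is the one shown in this procedure; the
# TLSv1.2 line (and its cipher name) is constructed for illustration.
SAMPLE_OK='[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384'
SAMPLE_MIXED='[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[208:root:1e]SSL established: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE_OK" | audit_tls13 && echo "OK: all sessions TLSv1.3"
printf '%s\n' "$SAMPLE_MIXED" | audit_tls13 ||
    echo "FAIL: session(s) listed above are not TLSv1.3"
```

A return status of 2 means no "SSL established" line was found, which should be treated as "not verified" rather than as a pass.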

Deep inspection (flow-based)

FortiOS supports TLS 1.3 for policies that have the following security profiles applied:

  • Web filter profile with flow-based inspection mode enabled.
  • Deep inspection SSL/SSH inspection profile.

For example, when a client attempts to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine. The IPS engine then decodes TLS 1.3 and the client is able to access the website.