TLS 1.3 support
FortiOS supports TLS 1.3 for SSL VPN.
TLS 1.3 support requires IPS engine 4.205 or later and endpoints running FortiClient 6.2.0 or later. |
To establish a client SSL VPN connection with TLS 1.3 to the FortiGate:
- Enable TLS 1.3 support using the CLI:
config vpn ssl setting
set ssl-max-proto-ver tls1-3
set ssl-min-proto-ver tls1-3
end
- Configure the SSL VPN settings (see SSL VPN full tunnel for remote user).
- Configure the firewall policy (see Policies).
- For Linux clients, ensure OpenSSL 1.1.1a is installed:
- Run the following commands in the Linux client terminal:
root@PC1:~/tools# openssl
OpenSSL> version
If OpenSSL 1.1.1a is installed, the system displays a response like the following:
OpenSSL 1.1.1a 20 Nov 2018
- Run the following commands in the Linux client terminal:
- For Linux clients, use OpenSSL with the TLS 1.3 option to connect to SSL VPN:
- Run the following command in the Linux client terminal:
#openssl s_client -connect 10.1.100.10:10443 -tls1_3
- Run the following command in the Linux client terminal:
- Ensure the SSL VPN connection is established with TLS 1.3 using the CLI:
# diagnose debug application sslvpn -1
# diagnose debug enable
The system displays a response like the following:
[207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
Deep inspection (flow-based)
FortiOS supports TLS 1.3 for policies that have the following security profiles applied:
- Web filter profile with flow-based inspection mode enabled.
- Deep inspection SSL/SSH inspection profile.
For example, when a client attempts to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine. The IPS engine then decodes TLS 1.3 and the client is able to access the website.