Fortinet white logo
Fortinet white logo

Administration Guide

TLS 1.3 support

TLS 1.3 support

FortiOS supports TLS 1.3 for SSL VPN.

Note

TLS 1.3 support requires IPS engine 4.205 or later and endpoints running FortiClient 6.2.0 or later.

To establish a client SSL VPN connection with TLS 1.3 to the FortiGate:
  1. Enable TLS 1.3 support using the CLI:

    config vpn ssl setting

    set ssl-max-proto-ver tls1-3

    set ssl-min-proto-ver tls1-3

    end

  2. Configure the SSL VPN and firewall policy:
    1. Configure the SSL VPN settings and firewall policy as needed.
  3. For Linux clients, ensure OpenSSL 1.1.1a is installed:
    1. Run the following commands in the Linux client terminal:

      root@PC1:~/tools# openssl

      OpenSSL> version

      If OpenSSL 1.1.1a is installed, the system displays a response like the following:

      OpenSSL 1.1.1a 20 Nov 2018

  4. For Linux clients, use OpenSSL with the TLS 1.3 option to connect to SSL VPN:
    1. Run the following command in the Linux client terminal:

      #openssl s_client -connect 10.1.100.10:10443 -tls1_3

  5. Ensure the SSL VPN connection is established with TLS 1.3 using the CLI:

    # diagnose debug application sslvpn -1

    # diagnose debug enable

    The system displays a response like the following:

    [207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

Deep inspection (flow-based)

FortiOS supports TLS 1.3 for policies that have the following security profiles applied:

  • Web filter profile with flow-based inspection mode enabled.
  • Deep inspection SSL/SSH inspection profile.

For example, when a client attempts to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine. The IPS engine then decodes TLS 1.3 and the client is able to access the website.

Related Videos

sidebar video

Support TLS 1.3 in Flow Based Deep Inspection

  • 2,071 views
  • 5 years ago

TLS 1.3 support

TLS 1.3 support

FortiOS supports TLS 1.3 for SSL VPN.

Note

TLS 1.3 support requires IPS engine 4.205 or later and endpoints running FortiClient 6.2.0 or later.

To establish a client SSL VPN connection with TLS 1.3 to the FortiGate:
  1. Enable TLS 1.3 support using the CLI:

    config vpn ssl setting

    set ssl-max-proto-ver tls1-3

    set ssl-min-proto-ver tls1-3

    end

  2. Configure the SSL VPN and firewall policy:
    1. Configure the SSL VPN settings and firewall policy as needed.
  3. For Linux clients, ensure OpenSSL 1.1.1a is installed:
    1. Run the following commands in the Linux client terminal:

      root@PC1:~/tools# openssl

      OpenSSL> version

      If OpenSSL 1.1.1a is installed, the system displays a response like the following:

      OpenSSL 1.1.1a 20 Nov 2018

  4. For Linux clients, use OpenSSL with the TLS 1.3 option to connect to SSL VPN:
    1. Run the following command in the Linux client terminal:

      #openssl s_client -connect 10.1.100.10:10443 -tls1_3

  5. Ensure the SSL VPN connection is established with TLS 1.3 using the CLI:

    # diagnose debug application sslvpn -1

    # diagnose debug enable

    The system displays a response like the following:

    [207:root:1d]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384

Deep inspection (flow-based)

FortiOS supports TLS 1.3 for policies that have the following security profiles applied:

  • Web filter profile with flow-based inspection mode enabled.
  • Deep inspection SSL/SSH inspection profile.

For example, when a client attempts to access a website that supports TLS 1.3, FortiOS sends the traffic to the IPS engine. The IPS engine then decodes TLS 1.3 and the client is able to access the website.