Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.0
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Best Practices

    8.0.0
    8.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0
    6.0.0

    Quantum cryptography

    Quantum cryptography

    FortiGates offer several quantum-safe capabilities designed to protect IPsec VPNs against future quantum attacks, including Harvest Now, Decrypt Later threats. With this risk rapidly approaching, the need to adopt post quantum cryptography (PQC) should be evaluated based on the urgency created by an organization’s data sensitivity and regulatory exposure.

    Urgency

    Administrators should still begin preparing for PQC adoption as early as possible. For organizations with lower urgency, FortiGate provides a hybrid mode that supports a gradual transition with minimal operational disruption.

    High urgency

    Organizations that handle long lived data, such as medical records, intellectual property, or classified government information, face the greatest risk. These data types must remain confidential for decades, which makes them prime targets for Harvest Now, Decrypt Later attacks, where adversaries steal encrypted data today with the intention of decrypting it once quantum capabilities mature.

    Medium urgency

    Organizations with short lived data operating in highly regulated industries, such as finance, healthcare, energy, or critical infrastructure, will soon face compliance requirements tied to NIST’s PQC standards. Even if data does not require decades of protection, regulators will mandate PQC adoption as part of broader modernization and risk management frameworks. These organizations should begin planning for hybrid PQC deployments, updating cryptographic inventories, and ensuring their infrastructure can support PQC capable protocols.

    Low urgency

    Organizations with minimal confidentiality requirements, short lived data, or environments dominated by legacy systems may not need immediate PQC adoption. More pressing priorities may include addressing existing vulnerabilities, improving basic security hygiene, or modernizing outdated infrastructure. PQC adoption can be deferred until systems are upgraded or compliance requirements evolve.

    FortiGate quantum features

    IPsec keying

    • Quantum Key Distribution (QKD) uses a server to distribute the quantum-generated Security Association keys to FortiGates, eliminating the key exchange process.

    • Hybrid Key Exchange allows IKEv2 to perform multiple key exchanges in a single IKE SA establishment by adding one or more post quantum Key Exchange Mechanisms (KEMs) to these exchanges.

    Agentless VPN

    TLS groups can be set to use pure and hybrid PQC algorithms in addition to traditional algorithms. This requires the user’s browser to support these algorithms. See Post-Quantum Cryptography for Agentless VPN for more details.

    HTTPS management

    FortiGate management interfaces support PQC algorithms in addition to existing traditional algorithms in a hybrid approach. No configuration is required, and browsers without PQC capabilities will fall back to classical cryptography. See Enhanced HTTPS management security with post-quantum TLS algorithms for more details.

    Quantum scanning in SSL deep inspection

    • Both proxy and flow inspection modes support PQC key changes in SSL deep inspection, enabling secure traffic inspection for clients accessing PQC algorithm enabled web servers.

    • Proxy mode additionally supports DNS over TLS, POP3, IMAPS, and SMTPS.

    Previous
    Next

    Quantum cryptography

    Quantum cryptography

    FortiGates offer several quantum-safe capabilities designed to protect IPsec VPNs against future quantum attacks, including Harvest Now, Decrypt Later threats. With this risk rapidly approaching, the need to adopt post quantum cryptography (PQC) should be evaluated based on the urgency created by an organization’s data sensitivity and regulatory exposure.

    Urgency

    Administrators should still begin preparing for PQC adoption as early as possible. For organizations with lower urgency, FortiGate provides a hybrid mode that supports a gradual transition with minimal operational disruption.

    High urgency

    Organizations that handle long lived data, such as medical records, intellectual property, or classified government information, face the greatest risk. These data types must remain confidential for decades, which makes them prime targets for Harvest Now, Decrypt Later attacks, where adversaries steal encrypted data today with the intention of decrypting it once quantum capabilities mature.

    Medium urgency

    Organizations with short lived data operating in highly regulated industries, such as finance, healthcare, energy, or critical infrastructure, will soon face compliance requirements tied to NIST’s PQC standards. Even if data does not require decades of protection, regulators will mandate PQC adoption as part of broader modernization and risk management frameworks. These organizations should begin planning for hybrid PQC deployments, updating cryptographic inventories, and ensuring their infrastructure can support PQC capable protocols.

    Low urgency

    Organizations with minimal confidentiality requirements, short lived data, or environments dominated by legacy systems may not need immediate PQC adoption. More pressing priorities may include addressing existing vulnerabilities, improving basic security hygiene, or modernizing outdated infrastructure. PQC adoption can be deferred until systems are upgraded or compliance requirements evolve.

    FortiGate quantum features

    IPsec keying

    • Quantum Key Distribution (QKD) uses a server to distribute the quantum-generated Security Association keys to FortiGates, eliminating the key exchange process.

    • Hybrid Key Exchange allows IKEv2 to perform multiple key exchanges in a single IKE SA establishment by adding one or more post quantum Key Exchange Mechanisms (KEMs) to these exchanges.

    Agentless VPN

    TLS groups can be set to use pure and hybrid PQC algorithms in addition to traditional algorithms. This requires the user’s browser to support these algorithms. See Post-Quantum Cryptography for Agentless VPN for more details.

    HTTPS management

    FortiGate management interfaces support PQC algorithms in addition to existing traditional algorithms in a hybrid approach. No configuration is required, and browsers without PQC capabilities will fall back to classical cryptography. See Enhanced HTTPS management security with post-quantum TLS algorithms for more details.

    Quantum scanning in SSL deep inspection

    • Both proxy and flow inspection modes support PQC key changes in SSL deep inspection, enabling secure traffic inspection for clients accessing PQC algorithm enabled web servers.

    • Proxy mode additionally supports DNS over TLS, POP3, IMAPS, and SMTPS.

    Previous
    Next