Known issue to:
FortiOS 5.2.x (can also apply to higher versions). But 5.4.x and later has already disabled weaker ciphers DES, RC4 and SSLv3, so Firewalls running on later version are less-prone to vulnerabilities.
Recommendations/Mitigations:
What does strong encryption do?
Enabling the use of strong encryption will only allow strong ciphers such as:
- AES
- 3DES
and digest
- SHA1
When strong encryption is enabled, HTTPS is supported by the following web browsers:
- Netscape 7.2 -8.0
- Firefox
- Microsoft Internet Explorer 7.0 – 8.0
Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.
How to enable strong encryption
On Fortigate, to enable Strong Encryption run the following CLI command:
config sys global set strong-crypto enable end
To ”’disable”’ Strong Encryption run the following CLI command:
config sys global set strong-crypto disable end
The default setting for strong-crypto is disabled.
The pros and cons of using strong encryption
If strong encryption is better, why is the default setting for it disabled?
This is because while using strong encryption is a good thing most of the time, its benefit is not an absolute benefit for all situations. In fact, there can be situations where there may be some unintended consequences and the encryption level may not be the first thing that comes to mind when troubleshooting.
Strong encryption means that it is harder for someone to crack the encryption and read the traffic, however, stronger levels of encryption require an increase in CPU usage. It takes more CPU cycles to encrypt a packet with a 256 bit than it does with a 40-bit key. This doesn’t make much difference when the CPU performance is usually about 30% of capacity, but when the CPU is already working at a high percentage of capacity, that little bit extra usage may push the CPU to the level that triggers the FortiGate to go into conserve mode. On the plus side, if you have a FortiGate unit that you think is too close to the threshold to risk adding any additional CPU usage, you don’t have to forgo enabling strong encryption on the other FortiGates in your network. Except for FortiGates working in HA, where the configuration will be synchronized automatically, the use of strong encryption on a FortiGate is independent of other devices.
Another aspect with a potential unwanted consequence is the browser support for its usage. While most current browsers are capable of supporting the higher levels of encryption, there may still be people using a browser that do not support it, and if access is dependent on HTTPS or SSH, then access may be denied.
These potential downsides to using strong encryption are unlikely, but they should be taken into consideration before enabling it.
http://cookbook.fortinet.com/increasing-the-encryption-level/
===
Steps: (For SSH and SSL)
1. to change it to SSH V2.
–>Please configure the following , Supported SSH protocol versions, ciphers, and bit strengths include SSH version 2 with AES-128, 3DES, Blowfish, and SHA-1
config system global
set admin-ssh-v1 disable <—
end
2. to upgrade SSL V1 to higher one and encryption ciphers with a key length of at least 128 bits
config system global
set strong-crypto enable <——–
end
If Firewall has SSL-VPN enabled:
config vpn ssl setting
set algorithm high
set sslv3 disable
set sslv2 disable
end
marktugbo.com 