Block Sweet32 attacks on a Fortigate

fortigate

I have a Fortigate product running FortiOS 5.4.x and I can't mitigate the Sweet32 vulnerability.

I've already enabled the high security algorithms and disabled the SSL3 / TLS1.0 for Beast & Crime as shown below.

config system global 
  set strong-crypto enable 
  end

config vpn ssl setting 
   set sslv3 disable 
   set tls1-0 disable

How can I address this?

Best Answer

According to the FortiOS 5.4.1 CLI Reference it is possible to block specific cipher suites such as 3DES from being used. There is little documentation on the use of this option but I have verified it does indeed function as needed. Unfortunately there doesn't appear to be a matching command in 5.2 or earlier.

config vpn ssl setting 
   banned-cipher 3DES

Related Solutions

IPSec VPN Shrew to Fortigate

I can see in your configuration you have different cipher types for phase2:

set proposal 3des-sha1 aes128-sha1

and for Shrewsoft VPN

s:phase2-transform:esp-3des
s:phase2-hmac:sha1

Pur both either AES-128 or 3DES. This should solve the problem.

Fortigate Firmware Upgrade

1) You will not have an issue manually upgrading the firmware if you have the file, however, you should renew the support for that unit, as you won't receive signature updates or have access to the FortiGuard services. Also it's ultimately a violation of the licensing agreement, but no one is going to be knocking on your door over it. The reason you are able to download the firmware manually is because you have a unit with an active license on your account, if they were both expired you would be denied download access.

2) You are correct, if you choose to upload to the second partition and not boot, it will simply upload and store it.

Best Answer

Related Solutions

IPSec VPN Shrew to Fortigate

Fortigate Firmware Upgrade

Related Topic