JTMarcure
New Contributor

SSL renegotiation

Hi, I have a FortiWiFi 60 C v4.0,build0672,130904 (MR3 Patch 15) and I'm trying to get it to pass PCI intrusion detection. It has been suggested that I disable TLS renegotiation, but how? The What's New in FortiOS 4.0 MR3 document says the following disables it:
 config firewall vip
 set ssl-client-renegotiation {allow | deny}
 end
The problem is that I get an Unknown action 0 error when I try the command. Any suggestions?
rwpatterson
Valued Contributor III

Are you sure that command is available in V4 firmware? From V4.3.14:
 FORTIGATE $ conf firewall vip
 
 FORTIGATE (vip) $ set
 command parse error before 'set'
 
 FORTIGATE (vip) $ edit "VIP_Definition"
 
 FORTIGATE (VIP_Definition) $ set ssl-client-renegotiation
 
 command parse error before 'ssl-client-renegotiation'
 Command fail. Return code -61
 
 FORTIGATE (VIP_Definition) $ set ?
 id                         custom defined id
 comment                    comments
 type                       vip type: static NAT, load balance, server load balance
 src-filter                 source IP filter (x.x.x.x/x x.x.x.x-y.y.y.y)
 *extip                      start-external-IP [-end-external-IP]
 *mappedip                   start-mapped-IP [-end mapped-IP]
 *extintf                    external interface
 arp-reply                  enable ARP reply
 nat-source-vip             whether to force NAT as VIP when server goes out
 portforward                enable port forward
 gratuitous-arp-interval    interval between sending gratuitous arps (seconds)(0 to disable)
 color                      Set GUI icon color.
 
 FORTIGATE (VIP_Definition) $ end

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

JTMarcure

Hi, thanks for the reply. So I'm not crazy? I also didn't see the command in the CLI help, so I figured I was doing something wrong. I have version 4 MR3. This is a link for the What's New in version 4 MR3: http://docs.fortinet.com/uploaded/files/1054/fortigate-whatsnew-40-mr3.pdf On page 98 it states "SSL renegotiation for SSL offloading provides allow/deny client renegotiation" and has the example. The configuration is in the CLI:
 config firewall vip
 set ssl-client-renegotiation {allow | deny}
 end
As you know, it doesn't seem to be there. I guess it's time to contact support. Thanks again.
rwpatterson
Valued Contributor III

With the word offloading in there, perhaps you need an NP chip to do that. Our units don't have the chip to offload to... hence no menu option.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

ShrewLWD
Contributor

Just curious (for both of you); is your Fortinet set up for SSL/TLS offloading? Those commands only become available after the Fortinet has been set up (and rebooted, if I recall correctly, in 4.0; don't believe so in 5.0). Here is a discussion specific to disabling that due to a vulnerability... http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/ldb.134.29.html
JTMarcure

Well, I'm new to all this firewall stuff, but I looked up the offloading and I'm sure we are not set up for it or have the hardware in place for it. What's happening is that I'm failing a PCI audit scan for the renegotiation, and I have over 100 60 B & Cs in a POS environment that I have to make pass the scan. Any ideas of how I can approach this would be very welcome.
ShrewLWD
Contributor

I have over 200 forti-devices that get audited quarterly, so I can assist.
1) Are you sure it was the IP address of the Fortinet itself that failed SSL (and specifically port 443)?
2) If yes, do you have the admin/login page set to allow access from all IPs (unrestricted)?
3) Or have you remapped the login page's HTTPS to another port, and VIP'd 443 into an internal device?
I'd like to start by determining it is actually the Fortinet's SSL implementation itself that is being flagged.
JTMarcure

My background is software development, so firewall configs are a BIG mystery for me at this point. I'm also new to the company/industry and I'm replacing the network expert that left for greener pastures. (I really didn't expect to be doing this stuff.) Okay, end of whining. I just wanted to establish my cluelessness.
The ISP IP address is failing. It's a cable modem connected directly to Wan1 on the Fortinet. I have a public facing portal set up on port 10443 which is failing. Four failures on that. Specifically:
 tcp Self-signed TLS/SSL certificate
 tcp TLS Session Renegotiation Vulnerability
 tcp TLS/SSL Server Supports SSLv2
 tcp TLS/SSL Server Supports Weak Cipher Algorithms
On port 8080 I get two failures:
 tcp TLS Session Renegotiation Vulnerability
 tcp Untrusted TLS/SSL server X.509 certificate
I also get these, but I believe we are disputing these based on input from the audit team:
 port 8080 tcp X.509 Certificate Subject CN Does Not Match the Entity Name
 port 10443 tcp X.509 Certificate Subject CN Does Not Match the Entity Name
 port 22 tcp SSSD Local Handler Callback Unauthorized Login Vulnerability
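Before disputing or fixing any of those findings, it helps to reproduce them yourself from the outside, the way the scanner sees the box. The script below is an added example for this thread, not Fortinet code and not anything the posters ran: it connects to a host:port as a scanner's TLS client would and maps what it observes onto the finding names listed above (self-signed or untrusted certificate, CN mismatch, weak cipher suites) plus legacy TLS 1.0/1.1 acceptance. It goes a little beyond the post in that it offers each weak cipher family separately rather than just reporting the one cipher the server picks. SSLv2 and client-initiated renegotiation cannot be exercised from Python's ssl module, so those two are reported as untested. The host and port come from the command line; the hostname in the comment is a placeholder.

```python
"""Re-check the TLS findings from a PCI scan against one host:port.

Added example for this thread, not Fortinet code and not from any post here.
SSLv2 and client-initiated renegotiation are not exercisable from Python's
ssl module and are reported as untested.
"""
import socket
import ssl
import sys

# OpenSSL cipher-list keywords for families auditors flag as weak
# (constructed list: RC4, single and triple DES, export grade, NULL, MD5 MACs).
WEAK_CIPHER_SUITES = ["RC4", "DES", "3DES", "EXPORT", "aNULL", "eNULL", "MD5"]

# Legacy protocol versions a scanner flags when the server still accepts them.
LEGACY_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}

UNTESTED = ("Not testable from Python's ssl module: SSLv2 and "
            "TLS Session Renegotiation; use openssl s_client for those")


def classify_verify_failure(message: str) -> str:
    """Map OpenSSL's verification error text onto the scanner's finding names.

    'self signed certificate' / 'self-signed certificate' is OpenSSL's text for
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; 'Hostname mismatch' is what Python
    reports for X509_V_ERR_HOSTNAME_MISMATCH. Anything else is an untrusted chain.
    """
    text = message.lower()
    if "self signed" in text or "self-signed" in text:
        return "Self-signed TLS/SSL certificate"
    if "hostname mismatch" in text or "doesn't match" in text:
        return "X.509 Certificate Subject CN Does Not Match the Entity Name"
    return "Untrusted TLS/SSL server X.509 certificate"


def _handshake(host: str, port: int, ctx: ssl.SSLContext, timeout: float = 5.0) -> str:
    """Complete one TLS handshake and return the negotiated cipher name."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]


def _probe_context() -> ssl.SSLContext:
    """Client context with verification off: used only to learn which ciphers
    and protocol versions the server accepts, after the certificate itself has
    already been judged by the verifying context in probe()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host: str, port: int) -> list:
    """Return scanner-style finding strings observed for host:port."""
    findings = []
    # 1. Certificate trust and name, using the system trust store like a scanner.
    try:
        _handshake(host, port, ssl.create_default_context())
    except ssl.SSLCertVerificationError as exc:
        findings.append(classify_verify_failure(str(exc)))
    except OSError as exc:
        return [f"Handshake with {host}:{port} failed: {exc}"]
    # 2. Weak ciphers: offer one weak family at a time; a completed handshake
    #    proves the server accepts it. SECLEVEL=0 lets the local OpenSSL offer
    #    suites it would otherwise refuse to enable.
    for suite in WEAK_CIPHER_SUITES:
        ctx = _probe_context()
        try:
            ctx.set_ciphers(f"{suite}:@SECLEVEL=0")   # raises if unavailable locally
            cipher = _handshake(host, port, ctx)
        except (ssl.SSLError, OSError):
            continue
        findings.append(f"TLS/SSL Server Supports Weak Cipher Algorithms ({cipher})")
    # 3. Legacy protocol versions, pinned one at a time.
    for label, version in LEGACY_VERSIONS.items():
        ctx = _probe_context()
        try:
            ctx.minimum_version = ctx.maximum_version = version
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            _handshake(host, port, ctx)
        except (ssl.SSLError, OSError, ValueError):
            continue
        findings.append(f"TLS/SSL Server Supports {label}")
    findings.append(UNTESTED)
    return findings


if __name__ == "__main__":
    # e.g. python probe_tls.py fw.example.invalid 10443  (placeholder hostname)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    for finding in probe(target_host, target_port):
        print(finding)
```

Run it against the firewall's own public address and each audited port from outside the network; if it reports nothing on the certificate and cipher side while the scanner still does, the scanner is most likely looking at a different host (the modem or a VIP'd internal device), which is exactly what the questions above try to establish. The renegotiation finding can be checked interactively with openssl s_client, which renegotiates when you type R on a line by itself; a server that has client renegotiation disabled will abort the connection at that point.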
ShrewLWD
Contributor

OK, that sounds like the ISP modem is in route mode, versus PassThrough, or the security group is scanning the wrong IP.
1) Go into the firewall, on the left side, click Network, then Interface. Double click the word WAN1. Under addressing mode, is it set to Manual, DHCP, or PPPoE?
2) If it is Manual (or DHCP), is the IP address in there a 192.168.x.x, 10.x.x.x or 172.16.x.x IP address? If yes, the ISP modem is in route mode. You need to ask them to put it into passthrough mode, then either get the static IP address from them for the firewall and plug it into here, or get the PPPoE login info and also plug it into here. If no, is the IP address listed the IP address that got audited? If no, give the auditors the IP address you see in this screen. We have sometimes accidentally given the scanners the gateway IP instead of our firewall, which typically fails miserably.
Be aware, if you do make a change, you need to then go down to the lower left corner of the webpage, click the word Router, static route, and double click the 0.0.0.0/0.0.0.0 line. Change the gateway in there to whatever your ISP says needs to be your gateway (the exception to this is if they give you PPPoE information; there will be a check box in the WAN1 area to 'Retrieve default gateway from Server', check that). Let's see what you discover.
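The two checks in that reply (is WAN1 holding a non-public address, and is the audited address actually WAN1's) are easy to get wrong by eye across a hundred sites, so here they are as a small triage function. This is an added example, not from the post and not Fortinet code. It generalises the post's list of 192.168.x.x, 10.x.x.x and 172.16.x.x to the exact RFC 1918 blocks (all of 172.16.0.0/12, not just 172.16.x.x) and also treats the carrier-grade NAT range 100.64.0.0/10, which cable ISPs hand out, as "something upstream is NATting". All addresses in the test and comments are constructed.

```python
"""Triage for 'the audited public IP fails but the firewall looks fine'.

Added example, not from the post or from Fortinet. If WAN1 holds a private or
CGNAT address, the ISP modem is in route mode (NATting in front of the
firewall); if the audited address differs from WAN1's, the scanners were
pointed at the wrong host (typically the ISP gateway).
"""
import ipaddress

# Blocks that cannot be reached from the internet directly; a WAN1 address in
# any of these means the firewall is sitting behind an upstream NAT.
NON_PUBLIC_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),        # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),     # RFC 1918 (172.16.0.0 - 172.31.255.255)
    ipaddress.ip_network("192.168.0.0/16"),    # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),     # RFC 6598 CGNAT, added generalisation
]


def behind_upstream_nat(address: str) -> bool:
    """True when the address lies in a private or CGNAT block."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in NON_PUBLIC_BLOCKS)


def triage(wan1_address: str, audited_address: str) -> str:
    """Return 'modem-route-mode', 'wrong-target' or 'firewall-is-target'.

    wan1_address is the IP shown on the WAN1 interface page; audited_address
    is the IP in the scan report.
    """
    if behind_upstream_nat(wan1_address):
        return "modem-route-mode"          # ask the ISP for passthrough / bridge mode
    if ipaddress.ip_address(wan1_address) != ipaddress.ip_address(audited_address):
        return "wrong-target"              # give the auditors the WAN1 address
    return "firewall-is-target"            # the findings really are the firewall's


if __name__ == "__main__":
    # Constructed sample: a site whose modem is NATting, and one scanned at the gateway.
    for wan1, audited in [("10.1.2.3", "203.0.113.7"), ("203.0.113.7", "203.0.113.1")]:
        print(wan1, audited, "->", triage(wan1, audited))
```

Only the third outcome means the SSL findings belong to the FortiGate's own listener and need fixing on the box; the other two are reported against a device the firewall does not control.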
JTMarcure

Hi, thanks for the reply. All our firewalls are set up for a manual IP. The listed IP in the audit report is the same as the manual IP. The gateway is set to the value provided by the ISP.