TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it?

Author
NapaCab
2018/03/27 15:30:01 (permalink)
0

TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it?

Now that the standard has been ratified, how will the Fortigate D (CP8) and Fortigate E series (CP9) deal with TLSv1.3?
 
 
#1


    x_member
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/03/28 01:26:30 (permalink)
    #2
    Philippe Gagne
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/09 16:01:51 (permalink)
    0
    Hi,
     
    On my side, I received an IPS Engine update file from the TAC. Executed two commands in the CLI and rebooted the Fortigate. Deep-inspection is now working well with Facebook, Gmail and all other TLS 1.3 enabled sites!
     
    I'm waiting for an answer about the file they gave me: is this file model related, or can I use it in all my Fortigates?
     
    Philippe
     
    #3
    bommi
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/09 22:04:21 (permalink)
    0
    Hi,
     
    Can you tell us the version of the IPS engine you got from TAC?
     
    Best Regards
    Dominik
    #4
    Philippe Gagne
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/10 04:06:00 (permalink)
    0
    Hi Dominik,
     
    The file name is: flen-560-3.516.pkg. So, in the Fortigate, it's named Version 3.00516. 
     
    If I take a look at another 5.6.3 Fortigate, the original version looks like Version 3.00442.
     
    I received confirmation from the TAC: I can install this on any model.
     
    Thanks
     
    Philippe
    #5
    kurtli_FTNT
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/12 15:00:08 (permalink)
    0
    Hi guys,
    Thanks for the concern about TLS 1.3. But the engine 3.00516/7 is not fully ready for TLS 1.3 yet; our IPS team is still working on it.
     
     
    Regards
    #6
    Philippe Gagne
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/12 18:53:03 (permalink)
    0
    Hi,
     
    Do you know if there is any new version/interim? Actually, the version 3.00516 is now the one deployed by Fortiguard. 
     
    Thanks
     
    Philippe
    #7
    kurtli_FTNT
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/13 16:32:28 (permalink)
    0
    Hi Philippe,
    The latest version of the IPS engine is now 3.00518.
     
     
    Thanks
    #8
    Philippe Gagne
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/16 17:06:00 (permalink)
    0
    Hi,
     
    Will this version (or a newer one) be released soon?
     
    Thanks
     
    Philippe
     
    #9
    romanr
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/17 00:56:26 (permalink)
    0
    Hey,
     
    I doubt that the IPS engine alone will bring full TLS 1.3 compatibility... I guess Fortigate is using mostly OpenSSL and the new library will need to go into the firmware...
     
    Br,
    Roman
    #10
    kurtli_FTNT
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/17 15:56:07 (permalink)
    0
    Hi Philippe,
       The engine "3.00518" is now available for download. However, like I said previously, for now the IPS engine is not fully ready with TLS 1.3, we are still working on it. 
     
     
     
    Regards
    #11
    NKL
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/04/17 23:16:10 (permalink)
    0
    Now I'm wondering where to download the engine-update file? For FortiOS V5.6, the Fortinet Support Portal only offers "Virus Definition", "Attack Definition", "Application Definition" and (depending on contract) "Mobile Malware" and "Industrial Definition".

    Is the engine packaged in one of the files mentioned above? Or am I missing something?
    #12
    BrianSTL
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/09/28 08:12:03 (permalink)
    0
    Have there been any updates or movement on fortigate support for TLS1.3?
    #13
    kurtli_FTNT
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2018/09/28 10:18:00 (permalink)
    0
    There is no official support for TLS 1.3 yet; it is still under internal test. So far the deep inspection works well with both Chrome 69 and Firefox 62 and most popular servers with TLS 1.3 enabled. It will support all 5 ciphers defined in RFC 8446 as well as 1-RTT, 0-RTT and 2-RTT (HelloRetryRequest). Unlike TLS 1.2 to TLS 1.1, TLS 1.3 is really a big change. It takes more time to provide full features and stability. However, thanks to the hard work, I think it's coming soon.
     
    Thanks
    #14
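Added example (not from the thread or from Fortinet): how an inspecting device can tell from a ServerHello that a session negotiated TLS 1.3, whether the message is a HelloRetryRequest, and which of the five RFC 8446 suites was chosen. The function names and the sample messages are constructed for illustration.

```python
import hashlib
import struct

# The five cipher suites defined in RFC 8446.
TLS13_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x1304: "TLS_AES_128_CCM_SHA256",
    0x1305: "TLS_AES_128_CCM_8_SHA256",
}
# RFC 8446: a HelloRetryRequest is a ServerHello carrying this fixed random.
HRR_RANDOM = hashlib.sha256(b"HelloRetryRequest").digest()
EXT_SUPPORTED_VERSIONS = 0x002B

def classify_server_hello(body: bytes) -> dict:
    """Classify a ServerHello body (the bytes after the 4-byte handshake header)."""
    if len(body) < 35 or len(body) < 38 + body[34]:
        raise ValueError("truncated ServerHello")
    version, = struct.unpack_from("!H", body, 0)   # legacy_version, 0x0303 in TLS 1.3
    random = body[2:34]
    pos = 35 + body[34]                            # skip legacy_session_id_echo
    suite, _compression = struct.unpack_from("!HB", body, pos)
    pos += 3
    if len(body) >= pos + 2:                       # extensions are optional before 1.3
        ext_total, = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, pos + 2 + ext_total
        if end > len(body):
            raise ValueError("extensions overrun the message")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + ext_len > end:
                raise ValueError("extension overruns the block")
            if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                version, = struct.unpack_from("!H", body, pos)  # the negotiated version
            pos += ext_len
    return {"tls13": version == 0x0304,
            "hello_retry_request": random == HRR_RANDOM,
            "suite": TLS13_SUITES.get(suite, hex(suite))}

def sample_server_hello(random: bytes, suite: int, extensions: bytes = b"") -> bytes:
    """Build a constructed ServerHello body for the demo (empty session id)."""
    ext = struct.pack("!H", len(extensions)) + extensions if extensions else b""
    return b"\x03\x03" + random + b"\x00" + struct.pack("!HB", suite, 0) + ext

SV_TLS13 = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
if __name__ == "__main__":
    print(classify_server_hello(sample_server_hello(b"\x11" * 32, 0x1301, SV_TLS13)))
    print(classify_server_hello(sample_server_hello(HRR_RANDOM, 0x1303, SV_TLS13)))
    print(classify_server_hello(sample_server_hello(b"\x22" * 32, 0xC02F)))
```

The version field at the start of a TLS 1.3 ServerHello still reads 0x0303, so only the supported_versions extension separates it from a TLS 1.2 reply.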
    Suchit_k2
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2019/01/04 03:23:04 (permalink)
    0
    I am facing the same issue and had raised a ticket with Fortinet support. They said it will be resolved in the firmware update. Please find the reply from Fortinet below.
     
    "As per Engineering team, the current IPS engine branches 3.6 and 4.0 can only bypass TLS 1.3. WebFilter TLSv1.3 is supported, but no block page could be delivered. The session would be reset when blocked. Replacement messages are not supported. So you won't see a block page until the native TLS 1.3 support is implemented. Supposedly, session should be reset. But the session could go into BYPASS mode once the webfilter is done.

    IPS engine doesn't change the client/server negotiation. It doesn't downgrade or upgrade any security factors. Without support of TLS 1.3, it couldn't intercept the process to inject block pages. The project to support TLSv1.3 in IPS engine is scheduled for FOS 6.2 having IPS engine Build: 4.205 

    SSL_INTERFERENCE_ERROR is fixed in IPS Engine 3.522. 

    You will have to wait for 6.2 firmware to get replacement block for TLSv1.3 connections. 6.2 is expected to release on Mar 22, 2019. Note: Release date may change. Please let me know if you have any questions."
     
    Waiting desperately for the update.
     
    Regards...
    #15
    boneyard
    Re: TLSv1.3 is now an approved standard how will D & E series 5.6 Fortigates deal with it? 2019/03/19 12:14:19 (permalink)
    0
    We are two months further; anyone from Fortinet who could chime in on the current status?
     
    Especially how TLS 1.3 will be handled in 5.6 and 6.0; to upgrade to 6.2 when it is just released for TLS 1.3 feels extreme.
    #16