
Protect your Fortinet (FortiGate and FortiMail) from the SSLv3 POODLE exploit

Last Updated: 10/15/14

Disable SSLv3 for SSL VPN:

config vpn ssl settings
set sslv3 disable
end

Disable SSLv3 for Admin HTTPS management access:

conf sys global
set strong-crypto enable
end

This is what the Fortinet CLI guide says about this setting:

Enable to use strong encryption and only allow strong ciphers (AES, 3DES) and digest (SHA1) for HTTPS/SSH admin access. When strong encryption is enabled, HTTPS is supported by the following web browsers: Netscape 7.2, Netscape 8.0, Firefox, and Microsoft Internet Explorer 7.0 (beta). Note that Microsoft Internet Explorer 5.0 and 6.0 are not supported in strong encryption.


Disable SSLv3 for FortiMail:

conf sys global
set strong-crypto enable
end
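To confirm the settings above actually took effect, here is an added check that is not part of the original article or of Fortinet's tooling: a small Python probe that sends a raw SSLv3 ClientHello (built by hand, since current OpenSSL and browser builds can no longer speak SSLv3 themselves) and reports whether the endpoint still negotiates SSLv3. The host, port and cipher-suite list are assumptions; run it against the admin HTTPS port and the SSL VPN port after the change.

```python
"""Probe whether a TLS endpoint still accepts an SSLv3 handshake.

Sends a minimal SSLv3 ClientHello (no TLS extensions) and classifies the
first record the server sends back. Intended as a post-change check for
'set sslv3 disable' / 'set strong-crypto enable' on FortiGate/FortiMail.
"""
import os
import socket
import struct

# Constructed list of SSLv3-era cipher suites; enough for a yes/no probe.
SSLV3_SUITES = [0x0035, 0x002F, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello() -> bytes:
    """Return one SSLv3 record (type 0x16) carrying a ClientHello."""
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_SUITES)
    body = (
        b"\x03\x00"                                  # client_version = SSLv3
        + os.urandom(32)                             # random
        + b"\x00"                                    # session_id length = 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites
        + b"\x01\x00"                                # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=client_hello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the first server record to 'sslv3-accepted', 'refused' or 'unknown'."""
    if len(data) < 6:
        return "refused"           # empty/short reply: server dropped the connection
    content_type, major, minor = data[0], data[1], data[2]
    if content_type == 0x16 and (major, minor) == (3, 0) and data[5] == 0x02:
        return "sslv3-accepted"    # ServerHello with record version 3.0
    if content_type == 0x15:
        return "refused"           # Alert (handshake_failure / protocol_version)
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(1024))
        except (socket.timeout, ConnectionResetError):
            return "refused"       # reset or silence also means SSLv3 is not offered


if __name__ == "__main__":
    import sys  # usage: python probe.py <host> [port]   (host/port are assumptions)
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A result of "sslv3-accepted" after the change means the setting did not apply to that service; "refused" is the expected outcome.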


Related Info / Sources:

FortiGuard.com | SSL v3 "POODLE" Vulnerability
http://www.fortiguard.com/advisory/SSL-v3--POODLE--Vulnerability/

FYI: I disabled TLS within Firefox and confirmed that I could not access the FortiGate admin page (thus confirming that SSLv3 was disabled). Also interesting is that when I configured Firefox to only support TLS 1.1+, I could not reach the FortiGate admin page. Apparently FortiOS 4.3 uses TLS 1.0. FortiOS 5.2.x appears to use TLS 1.2.