Fortinet FortiOS
FortiOS is an embedded operating system used on various appliances from Fortinet. Depending on the version of FortiOS, not all commands may be available; where major differences between releases are known, the commands for each release are listed in their own section.
SSH into an appliance running FortiOS, or use a local serial connection in order to apply these options.
Starting with FortiOS 7.4.1, SSH host key algorithms become configurable and additional key exchange algorithms (KEX) can be configured.
```
config system global
# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands represent the default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-hostkey-algo ssh-ed25519
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end
```
References:
- Fortinet document library: FortiGate / FortiOS 7.4.1 CLI Reference > CLI reference > config system global
- Fortinet document library: FortiGate / FortiOS 7.4.0 CLI Reference > CLI reference > config system global
Starting with FortiOS 7.0.2, ciphers become individually configurable, and several options have been renamed compared to previous releases.
```
config system global
# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands change default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-kex-algo curve25519-sha256@libssh.org
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end
```
References:
- Fortinet document library: FortiGate / FortiOS 7.0.0 > New Features > Enabling individual ciphers in the SSH administrative access protocol
- Fortinet document library: FortiGate / FortiOS 7.0.2 > CLI reference > config system global
- Fortinet document library: FortiGate / FortiOS 7.0.1 > CLI reference > config system global
Starting with FortiOS 5.6, strong-crypto defaults to enable; admin-ssh-v1 has defaulted to disable since at least FortiOS 5.0.
```
config system global
# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands change default settings
set dh-params 8192
set ssh-cbc-cipher disable
set ssh-hmac-md5 disable
set ssh-kex-sha1 disable
set ssh-mac-weak disable
end
```
References:
- Fortinet document library: FortiGate / FortiOS 5.6.0 > CLI Reference: Page 569, `strong-crypto` defaults to enable
- Fortinet document library: FortiGate / FortiOS 5.4.0 > CLI Reference: Page 163-164, `strong-crypto` defaults to disable
- Fortinet document library: FortiGate / FortiOS 5.0.0 > CLI Reference: Page 527, `admin-ssh-v1` defaults to disable. This is the earliest reference found; newer versions keep the same default.
In most versions of FortiOS the available configuration options don't permit reaching a perfect score. Some of the reasons:
- Ciphers: Only from FortiOS 7.0.2 onward can individual ciphers be enabled and disabled.
- Host-key algorithms: Only FortiOS 7.4.1 or later permits configuring host-key algorithms, so `rsa-sha2-256` and `rsa-sha2-512` cannot be disabled in older releases.
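To verify that an appliance actually carries the settings from the blocks above, the following added example (not code from the ssh-audit project or from Fortinet) parses a saved `show full-configuration system global` dump and reports every hardening option that is unset or differs from its target. The target mapping covers the FortiOS 5.6-era options listed on this page and the sample dump is constructed; the same `audit` function accepts a different target mapping for the 7.x algorithm lists, which it compares as sets. `show full-configuration` is used rather than `show` because the latter omits options left at their defaults, which would make them indistinguishable from a weak explicit setting.

```python
import re

# Hardening targets from this page for the FortiOS 5.6-era options (constructed mapping).
TARGETS_LEGACY = {
    "admin-ssh-v1": "disable", "strong-crypto": "enable", "dh-params": "8192",
    "ssh-cbc-cipher": "disable", "ssh-hmac-md5": "disable",
    "ssh-kex-sha1": "disable", "ssh-mac-weak": "disable",
}
SET_LINE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')

def parse_system_global(text):
    """Return {option: [values]} from a 'config system global ... end' dump,
    stripping quotes from values and stopping at the closing 'end'."""
    settings, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "config system global":
            inside = True
        elif inside and stripped == "end":
            break
        elif inside:
            m = SET_LINE.match(line)
            if m:
                settings[m.group(1)] = [v.strip('"') for v in m.group(2).split()]
    return settings

def audit(text, targets=TARGETS_LEGACY):
    """Return (option, expected, actual) for each target that is unset or differs;
    'unset' means the release default applies, which may or may not be acceptable."""
    settings, findings = parse_system_global(text), []
    for option, expected in targets.items():
        actual = settings.get(option)
        if actual is None:
            findings.append((option, expected, "unset"))
        elif set(actual) != set(expected.split()):
            findings.append((option, expected, " ".join(actual)))
    return findings

# Constructed sample 'show full-configuration system global' output (not from a real appliance).
SAMPLE = """config system global
    set admin-ssh-v1 disable
    set strong-crypto enable
    set dh-params 2048
    set ssh-cbc-cipher enable
    set hostname "fw-lab"
end
"""

if __name__ == "__main__":
    for option, expected, actual in audit(SAMPLE):
        print(f"{option}: expected {expected}, found {actual}")
```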