FortiOS is an embedded operating system used on various appliances from Fortinet. Depending on the version of FortiOS, not all commands may be available; where major differences are known, they are grouped into a version-specific section.
SSH into an appliance running FortiOS, or use a local serial connection, to apply these options.
FortiOS >= 7.4.0
Individual FortiOS 7.4.x versions have sometimes introduced changes or added features. They are summarized into a single section referencing only the latest version, but the changes are outlined here, and the recommendations apply to the latest (known) version:
- 7.4.4: Most commands related to SSH have been moved from config system global to config system ssh-config, and one subcommand was renamed.
- 7.4.2: set ssh-hostkey-algo changed, more configurable SSH host key algorithms became available.
- 7.4.1: set ssh-kex-algo changed, more configurable KEX algorithms became available.
- 7.4.0: set ssh-hostkey-algo added, it allows configuring one or more SSH host key algorithms.
config system global
# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands do change default settings
set dh-params 8192
end
config system ssh-config
# These commands do change default settings
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-hsk-algo ssh-ed25519
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end
References:
- Fortinet document library: FortiGate / FortiOS 7.4.4 CLI Reference > config system global and config system ssh-config:
  - Commands moved from global to ssh-config: ssh-enc-algo, ssh-kex-algo and ssh-mac-algo
  - Commands moved from global to ssh-config and renamed: ssh-hostkey-algo became ssh-hsk-algo
- Fortinet document library: FortiGate / FortiOS 7.4.2 CLI Reference > config system global: ssh-hostkey-algo allows enabling or disabling 7 HostKeyAlgorithms
- Fortinet document library: FortiGate / FortiOS 7.4.1 CLI Reference > config system global: ssh-hostkey-algo allows enabling or disabling 5 HostKeyAlgorithms; ssh-kex-algo allows enabling or disabling 11 KEX algorithms
- Fortinet document library: FortiGate / FortiOS 7.4.0 CLI Reference > CLI reference > config system global: ssh-hostkey-algo becomes available; ssh-kex-algo allows enabling or disabling 8 KEX algorithms
- Fortinet document library: FortiGate / FortiOS 7.2.5 CLI Reference > CLI reference > config system global: ssh-hostkey-algo is not available
FortiOS >= 7.0.2 <= 7.4.0
Starting with FortiOS 7.0.2 some ciphers became individually configurable, and several options have been renamed compared to previous versions.
config system global
# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands do change default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-kex-algo curve25519-sha256@libssh.org
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
end
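As an added example (not Fortinet's own tooling and not part of the original page), a small Python checker that parses a FortiOS CLI configuration export in the config/set/end block syntax shown in the 7.4.0 and 7.0.2 sections above and reports which recommended SSH settings are missing or carry values outside the recommended set. It uses the 7.4.4 option names (ssh-hsk-algo rather than ssh-hostkey-algo) and looks for the algorithm lists under both system global and system ssh-config, since they moved between those releases; the sample export is constructed for the example.

```python
import shlex
# Settings recommended on this page for FortiOS 7.0.2+. Algorithm lists are looked up
# under "system global" (7.0.2 - 7.4.3) and "system ssh-config" (7.4.4+).
RECOMMENDED = {
    "admin-ssh-v1": {"disable"}, "strong-crypto": {"enable"}, "dh-params": {"8192"},
    "ssh-enc-algo": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"},
    "ssh-hsk-algo": {"ssh-ed25519"},
    "ssh-kex-algo": {"diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
                     "curve25519-sha256@libssh.org"},
    "ssh-mac-algo": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
}

def parse_fortios(text):
    """Parse 'config/edit ... set ... next/end' blocks into {path: {key: values}}."""
    tree, stack = {}, []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # handles quoted values and '#' comments
        cmd, args = (tokens[0], tokens[1:]) if tokens else ("", [])
        if cmd in ("config", "edit"):
            stack.append(" ".join(args))
        elif cmd in ("end", "next"):
            stack.pop()
        elif cmd == "set":
            tree.setdefault(" / ".join(stack), {})[args[0]] = args[1:]
    return tree

def audit_ssh(text):
    """Return {setting: 'ok' | 'missing' | 'unexpected: <values>'} for each recommended setting."""
    tree, findings = parse_fortios(text), {}
    for key, wanted in RECOMMENDED.items():
        configured = None
        for path in ("system global", "system ssh-config"):
            configured = tree.get(path, {}).get(key, configured)
        if configured is None:
            findings[key] = "missing"  # still at the firmware default
            continue
        extra = sorted(set(configured) - wanted)
        findings[key] = "unexpected: " + " ".join(extra) if extra else "ok"
    return findings

# Constructed sample export: dh-params and the cipher list are weaker than recommended.
SAMPLE = """config system global
    set admin-ssh-v1 disable
    set strong-crypto enable
    set dh-params 2048
end
config system ssh-config
    set ssh-enc-algo chacha20-poly1305@openssh.com aes128-cbc
    set ssh-kex-algo curve25519-sha256@libssh.org
end"""
```

Calling audit_ssh(SAMPLE) flags dh-params 2048 and the aes128-cbc cipher, and reports ssh-hsk-algo and ssh-mac-algo as missing, meaning the firmware defaults still apply.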
References:
- Fortinet document library: FortiGate / FortiOS 7.0.0 > New Features > Enabling individual ciphers in the SSH administrative access protocol
- Fortinet document library: FortiGate / FortiOS 7.0.2 > CLI reference > config system global:
  - Previous commands like set ssh-kex-sha1 are not available anymore.
  - New commands like set ssh-kex-algo have been introduced.
- Fortinet document library: FortiGate / FortiOS 7.0.1 > CLI reference > config system global:
  - Commands like set ssh-kex-sha1 are still available.
FortiOS >= 5.6.0 <= 7.0.1
Starting with FortiOS 5.6, strong-crypto defaults to enable, while SSHv1 has defaulted to disable since at least FortiOS 5.0.
config system global
# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable
# These commands do change default settings
set dh-params 8192
set ssh-cbc-cipher disable
set ssh-hmac-md5 disable
set ssh-kex-sha1 disable
set ssh-mac-weak disable
end
References:
- Fortinet document library: FortiGate / FortiOS 5.6.0 > CLI Reference: Page 569, strong-crypto defaults to enable
- Fortinet document library: FortiGate / FortiOS 5.4.0 > CLI Reference: Page 163-164, strong-crypto defaults to disable
- Fortinet document library: FortiGate / FortiOS 5.0.0 > CLI Reference: Page 527, admin-ssh-v1 defaults to disable. This is the earliest reference found; newer versions keep the same default.
Limitations
In most versions of FortiOS the available configuration options don't permit reaching a perfect score; here are some of the reasons:
- Ciphers: Only from FortiOS 7.0.2 onward can certain ciphers be individually enabled and disabled.
- Host-key algorithms: Only FortiOS 7.4.1 and later allow configuring host key algorithms, therefore rsa-sha2-256 and rsa-sha2-512 cannot be disabled in older releases.
Validated versions