Fortinet FortiOS
Mathieu Simon edited this page 2024-01-10 16:56:39 +01:00

FortiOS is an embedded operating system used on various appliances from Fortinet. Depending on the version of FortiOS, not all commands may be available; where major differences are known, the affected versions are grouped into a dedicated section.

SSH into an appliance running FortiOS, or use a local serial connection in order to apply these options.

FortiOS >= 7.4.0

The FortiOS 7.4 releases introduced changes in individual point releases; they are summarized here in a single section:

  • 7.4.2: set ssh-hostkey-algo modified; it allows configuring more KEX algorithms than in previous releases
  • 7.4.1: set ssh-kex-algo modified; it allows configuring more KEX algorithms than in previous releases
  • 7.4.0: set ssh-hostkey-algo added; it allows configuring one or more SSH host key algorithms
config system global

# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable

# These commands do change default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-hostkey-algo ssh-ed25519
set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com

end

FortiOS >= 7.0.2 <= 7.4.0

Starting with FortiOS 7.0.2, some ciphers became individually configurable, and several options were renamed compared to previous versions.

config system global

# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable

# These commands do change default settings
set dh-params 8192
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
set ssh-kex-algo curve25519-sha256@libssh.org
set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com

end

FortiOS >= 5.6.0 <= 7.0.1

Starting with FortiOS 5.6, strong-crypto defaults to enable, while SSHv1 has defaulted to disable since at least FortiOS 5.0.

config system global

# These commands shouldn't change default settings
set admin-ssh-v1 disable
set strong-crypto enable

# These commands do change default settings
set dh-params 8192
set ssh-cbc-cipher disable
set ssh-hmac-md5 disable
set ssh-kex-sha1 disable
set ssh-mac-weak disable

end

Limitations

In most versions of FortiOS the configuration options available don't permit reaching a perfect score, here are some of the reasons:

  • Ciphers: Only from FortiOS 7.0.2 onward can certain ciphers be individually enabled and disabled.
  • Host-key algorithms: Only fairly recent FortiOS versions (7.4.1 or later) permit configuring host key algorithms; therefore rsa-sha2-256 and rsa-sha2-512 cannot be disabled in older releases.
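To verify that an appliance actually carries the settings from the blocks above, the following added example (not code from the ssh-audit project or from Fortinet) parses a "show system global" export and reports every option that deviates from the 7.4.x baseline. It assumes the export omits options still at their factory default, as FortiOS "show" does, and takes the release that added ssh-hostkey-algo from the 7.4.0 entry above.

```python
# Constructed sample of a "show system global" export; FortiOS omits options
# still at their default, so admin-ssh-v1 and strong-crypto do not appear.
SAMPLE_CONFIG = """\
config system global
    set dh-params 2048
    set ssh-enc-algo chacha20-poly1305@openssh.com aes128-ctr
    set ssh-kex-algo curve25519-sha256@libssh.org diffie-hellman-group14-sha256
    set ssh-mac-algo hmac-sha2-256-etm@openssh.com
end
"""
# Hardened values from the 7.4.x block above; options in DEFAULT_IS_HARDENED
# are secure by default ("shouldn't change default settings"), so absence is fine.
BASELINE = {
    "admin-ssh-v1": {"disable"},
    "strong-crypto": {"enable"},
    "dh-params": {"8192"},
    "ssh-enc-algo": {"chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"},
    "ssh-hostkey-algo": {"ssh-ed25519"},
    "ssh-kex-algo": {"diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
                     "curve25519-sha256@libssh.org"},
    "ssh-mac-algo": {"hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
}
DEFAULT_IS_HARDENED = {"admin-ssh-v1", "strong-crypto"}

def parse_system_global(config_text):
    """Return {option: [values]} for the 'set' lines of 'config system global'."""
    settings, inside = {}, False
    for line in config_text.splitlines():
        line = line.strip()
        if line == "config system global":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("set "):
            parts = line.split()
            settings[parts[1]] = [v.strip('"') for v in parts[2:]]
    return settings

def audit(config_text, version):
    """Return findings; version is a tuple like (7, 2, 5). ssh-hostkey-algo is
    only checked from 7.4.0, the release listed above as adding the option."""
    settings, findings = parse_system_global(config_text), []
    for option, allowed in BASELINE.items():
        if option == "ssh-hostkey-algo" and version < (7, 4, 0):
            continue
        if option not in settings and option not in DEFAULT_IS_HARDENED:
            findings.append(f"{option}: not set, factory default still in effect")
        bad = [v for v in settings.get(option, []) if v not in allowed]
        if bad:
            findings.append(f"{option}: unexpected value(s) {bad}")
    return findings
```

Running audit(SAMPLE_CONFIG, (7, 4, 2)) flags the 2048-bit DH group, the CTR cipher, the unset host key algorithm and the group14 KEX; against a 7.2.x version tuple the host key finding is suppressed because the option does not exist there.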

Validated versions

FortiOS   ssh-audit
7.4.1     master @ 02ab487232de438c0811116f2676cb1c9b5f3d62
7.2.5     master @ 02ab487232de438c0811116f2676cb1c9b5f3d62
7.0.12    master @ 02ab487232de438c0811116f2676cb1c9b5f3d62
7.0.11    master @ 02ab487232de438c0811116f2676cb1c9b5f3d62