diff --git a/Fortinet-FortiOS.md b/Fortinet-FortiOS.md index e86a506..865ded9 100644 --- a/Fortinet-FortiOS.md +++ b/Fortinet-FortiOS.md @@ -4,10 +4,17 @@ SSH into an appliance running FortiOS, or use a local serial connection in order ## FortiOS >= 7.4.1 -Starting with FortiOS 7.4.1 SSH host key algorithms become configurable and more key exchange algorithms (KEX) are available. +Starting with FortiOS 7.4.1 SSH host key algorithms become configurable and more key exchange algorithms (KEX) are configurable. ``` config system global + +# These commands shoulnd't change default settings +set admin-ssh-v1 disable +set strong-crypto enable + +# These commands represent the default settings +set dh-params 8192 set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com set ssh-hostkey-algo ssh-ed25519 set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org @@ -15,62 +22,50 @@ set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com end ``` -**Checking the defaults** +**References:** -Unless you have modified the defaults, you don't need to these, but you may still want to check them: - * ``admin-ssh-v1``: Should default to **disabled** since 6.4.5 - * ``strong-crypto``: Should default to **enabled** since 6.4.5 - -``` -get system global | grep "ssh\|strong-crypto" -admin-ssh-grace-time: 120 -admin-ssh-password : enable -admin-ssh-port : 22 -admin-ssh-v1 : disable -ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com -ssh-hostkey-algo : ssh-ed25519 -ssh-kex-algo : diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org -ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com -strong-crypto : enable -``` + * [Fortinet document library: FortiGate / FortiOS 7.4.1 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.4.1/cli-reference/1620) + * [Fortinet document library: FortiGate / FortiOS 7.4.0 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.4.0/cli-reference/1620) ## FortiOS >= 7.0.2 / 7.2.x / 7.4.0 -Starting FortiOS 7.0.2 several options have been renamed compared to previous releases. +Starting with FortiOS 7.0.2 ciphers become individually configurable, several options have been renamed compared to previous releases. ``` config system global + +# These commands shoulnd't change default settings +set admin-ssh-v1 disable +set strong-crypto enable + +# These commands change default settings +set dh-params 8192 set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com set ssh-kex-algo curve25519-sha256@libssh.org set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com + end ``` -**Checking the defaults** +**References** -Unless you have modified the defaults, you don't need to these, but you may still want to check them: - * ``admin-ssh-v1``: Should default to **disabled** since 6.4.5 - * ``strong-crypto``: Should default to **enabled** since 6.4.5 +* [Fortinet document library: FortiGate / FortiOS 7.0.0 > New Features > Enabling individual ciphers in the SSH administrative access protocol](https://docs.fortinet.com/document/fortigate/7.0.0/new-features/765236/enabling-individual-ciphers-in-the-ssh-administrative-access-protocol-7-0-2) +* [Fortinet document library: FortiGate / FortiOS 7.0.2 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.0.2/cli-reference/1620) +* [Fortinet document library: FortiGate / FortiOS 7.0.1 CLI Reference > CLI reference > config system global](https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/1620) -``` -get system global | grep "ssh\|strong-crypto" +## FortiOS >= 5.6.0 <= 7.0.1 -admin-ssh-grace-time: 120 -admin-ssh-password : enable -admin-ssh-port : 22 -admin-ssh-v1 : disable -ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com -ssh-kex-algo : curve25519-sha256@libssh.org -ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com -strong-crypto : enable -``` - -## FortiOS >= 6.4.5 < 7.0.2 - -After FortiOS 6.4.5 ``strong-crypto`` defaults to **enable**. +Starting with _at least_ FortiOS 5.6.0 ``strong-crypto`` defaults to **enable** and SSHv1 defaults to disabled. ``` config system global + +# These commands shoulnd't change default settings +set admin-ssh-v1 disable +set strong-crypto enable + +# These commands change default settings +set dh-params 8192 set ssh-cbc-cipher disable set ssh-hmac-md5 disable set ssh-kex-sha1 disable @@ -78,8 +73,16 @@ set ssh-mac-weak disable end ``` +**References** + +* [Fortinet document library: FortiGate / FortiOS 6.4.0 > Hardening your FortiGate > Building security into FortiOS](http://docs.fortinet.com/document/fortigate/6.4.0/hardening-your-fortigate/995103/building-security-into-fortios) +* [Fortinet document library: FortiGate / FortiOS 6.2.0 > Hardening your FortiGate > Building security into FortiOS](https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103) +* [Fortinet document library: FortiGate / FortiOS 6.0.0 > Hardening your FortiGate > Building security into FortiOS](https://docs.fortinet.com/document/fortigate/6.0.0/hardening-your-fortigate/995103) +* [Fortinet document library: FortiGate / FortiOS 5.6.0 > Hardening your FortiGate](https://docs.fortinet.com/document/fortigate/5.6.0/hardening-your-fortigate/995103) + ## Limitations -In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons: +In most versions of FortiOS the configuration options available don't permit reaching a perfect score, here are some of the reasons: -* Host-key algorithms: Only pretty recent FortiOS 7.4.1 and later permit changing host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases. \ No newline at end of file +* Ciphers: Only after FortiOS 7.0.2 certain ciphers can be individually enabled and disabled. +* Host-key algorithms: Only pretty recent FortiOS version 7.4.1 or later permit configuring host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases. \ No newline at end of file