From 77a936e0df169542ac1488d9f695bd48a95df3c6 Mon Sep 17 00:00:00 2001 From: Mathieu Simon Date: Mon, 11 Sep 2023 18:35:19 +0200 Subject: [PATCH] Insert a FortiOS page --- Fortinet-FortiOS.md | 67 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 Fortinet-FortiOS.md diff --git a/Fortinet-FortiOS.md b/Fortinet-FortiOS.md new file mode 100644 index 0000000..b63a1b9 --- /dev/null +++ b/Fortinet-FortiOS.md 
@@ -0,0 +1,67 @@ +FortiOS is an embedded operating system used on various appliances from Fortinet. Depending on the version of FortiOS, not all command may be available, and if major differences are known, they are combined in a specific section. + +SSH into an appliance running FortiOS, or use a local serial connection in order to apply these options. + +## FortiOS >= 7.4.1 + +``` +config system global +set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com +set ssh-hostkey-algo ssh-ed25519 +set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org +set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com +end +``` + +**Checking the defaults** + +Unless you have modified the defaults, you don't need to these, but you may still want to check them: + * ``admin-ssh-v1``: Should be disabled by default since 6.4.5 + * ``string-crypto``: Should be enabled by default since 6.4.5 + +``` +get system global | grep "ssh\|strong-crypto" +admin-ssh-grace-time: 120 +admin-ssh-password : enable +admin-ssh-port : 22 +admin-ssh-v1 : disable +ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com +ssh-hostkey-algo : ssh-ed25519 +ssh-kex-algo : diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org +ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com +strong-crypto : enable +``` + +## FortiOS 7.0.x / 7.2.x / 7.4.0 + +``` +config system global +set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com +set ssh-kex-algo curve25519-sha256@libssh.org +set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com +end +``` + +**Checking the defaults** + +Unless you have modified the defaults, you don't need to these, but you may still want to check them: + * ``admin-ssh-v1``: Should be disabled by default since 6.4.5 + * ``string-crypto``: Should be enabled by default since 6.4.5 + +``` +get system global | 
grep "ssh\|strong-crypto" +admin-ssh-grace-time: 120 +admin-ssh-password : enable +admin-ssh-port : 22 +admin-ssh-v1 : disable +ssh-enc-algo : chacha20-poly1305@openssh.com aes256-gcm@openssh.com +ssh-kex-algo : curve25519-sha256@libssh.org +ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com +strong-crypto : enable +``` + +## Limitations + +In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons: + +* Host-key algorithms: Only pretty recent FortiOS 7.4.1 and later permit changing host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases. \ No newline at end of file
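Review bot: the bullet `string-crypto: Should be enabled by default since 6.4.5` (repeated under both "Checking the defaults" headings) names a setting that does not exist; the grep pattern and the captured output in the same hunk use `strong-crypto`, so the bullet should read ``strong-crypto``. In the same two paragraphs the sentence "you don't need to these" is missing its verb (suggest "you don't need to change these"), and the opening line should read "not all commands may be available". Since the two "Checking the defaults" blocks differ only in the `ssh-hostkey-algo` and `ssh-kex-algo` output lines, consider keeping one shared block and noting the per-version differences, to avoid the two copies drifting apart. Finally, the new file ends with "\ No newline at end of file"; add the trailing newline.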