diff --git a/Fortinet-FortiOS.md b/Fortinet-FortiOS.md index 086d5cf..10a5378 100644 --- a/Fortinet-FortiOS.md +++ b/Fortinet-FortiOS.md @@ -5,7 +5,7 @@ SSH into an appliance running FortiOS, or use a local serial connection in order ## FortiOS >= 7.4.1 ``` -# config system global +config system global set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com set ssh-hostkey-algo ssh-ed25519 set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org @@ -20,7 +20,7 @@ Unless you have modified the defaults, you don't need to these, but you may stil * ``strong-crypto``: Should default to **enabled** since 6.4.5 ``` -# get system global | grep "ssh\|strong-crypto" +get system global | grep "ssh\|strong-crypto" admin-ssh-grace-time: 120 admin-ssh-password : enable admin-ssh-port : 22 @@ -32,10 +32,12 @@ ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.co strong-crypto : enable ``` -## FortiOS 7.0.x / 7.2.x / 7.4.0 +## FortiOS >= 7.0.2 / 7.2.x / 7.4.0 + +Starting FortiOS 7.0.2 several options have been renamed compared to previous releases. ``` -# config system global +config system global set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com set ssh-kex-algo curve25519-sha256@libssh.org set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com @@ -49,7 +51,8 @@ Unless you have modified the defaults, you don't need to these, but you may stil * ``strong-crypto``: Should default to **enabled** since 6.4.5 ``` -# get system global | grep "ssh\|strong-crypto" +get system global | grep "ssh\|strong-crypto" + admin-ssh-grace-time: 120 admin-ssh-password : enable admin-ssh-port : 22 
@@ -60,6 +63,19 @@ ssh-mac-algo : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.co strong-crypto : enable ``` +## FortiOS >= 6.4.5 < 7.0.2 + +After FortiOS 6.4.5 ``strong-crypto`` defaults to **enable**. + +``` +# config system global +set ssh-cbc-cipher disable +set ssh-hmac-md5 disable +set ssh-kex-sha1 disable +set ssh-mac-weak disable +end +``` + ## Limitations In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons:
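Review bot: the context line "Unless you have modified the defaults, you don't need to these, but you may stil" in hunk @@ -20,7 +20,7 @@ is missing its verb (presumably "you don't need to change these"); since this patch already touches that block, it is a good moment to fix the sentence here and in the identical context line of hunk @@ -49,7 +51,8 @@.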
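Review bot: the added sentence in hunk @@ -32,10 +32,12 @@, "Starting FortiOS 7.0.2 several options have been renamed compared to previous releases.", is missing a preposition and a comma; suggest "Starting with FortiOS 7.0.2, several options have been renamed compared to previous releases." It would also help the reader to say which options changed, since the reader on 7.0.0 or 7.0.1 otherwise has to diff the two blocks themselves to see that `ssh-enc-algo`, `ssh-kex-algo` and `ssh-mac-algo` replace the older `ssh-cbc-cipher` / `ssh-hmac-md5` / `ssh-kex-sha1` / `ssh-mac-weak` settings.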
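Review bot: the blank line inserted after `get system global | grep "ssh\|strong-crypto"` in hunk @@ -49,7 +51,8 @@ separates the command from its output, while the equivalent block in the 7.4.1 section (hunk @@ -20,7 +20,7 @@) has no such gap; drop the blank line so both output listings look the same.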
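Review bot: the new block in hunk @@ -60,6 +63,19 @@ keeps the `# ` prompt prefix on `# config system global` that every other hunk in this patch removes, so this is the one section where a copy-paste would be commented out; drop the prefix here too. Three smaller points in the same hunk: the heading `FortiOS >= 6.4.5 < 7.0.2` reads as a chained comparison and is clearer as `FortiOS >= 6.4.5 and < 7.0.2`; "After FortiOS 6.4.5 ``strong-crypto`` defaults to **enable**" excludes 6.4.5 itself, which contradicts the "Should default to **enabled** since 6.4.5" bullet the other sections carry, so use "since 6.4.5" consistently; and unlike the other sections this one has no `get system global | grep "ssh\|strong-crypto"` listing, so the reader cannot verify that the four `disable` settings took effect.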