Insert a FortiOS page

2024-11-16 21:45:39 +01:00 · 2023-09-11 18:35:19 +02:00 · 2023-09-11 18:35:19 +02:00 · 77a936e0df
commit 77a936e0df
parent a255119450
1 changed files with 67 additions and 0 deletions
--- a/Fortinet-FortiOS.md
+++ b/Fortinet-FortiOS.md
@ -0,0 +1,67 @@
+FortiOS is an embedded operating system used on various appliances from Fortinet. Depending on the version of FortiOS, not all command may be available, and if major differences are known, they are combined in a specific section.
+
+SSH into an appliance running FortiOS, or use a local serial connection in order to apply these options.
+
+## FortiOS >= 7.4.1
+
+```
+config system global
+set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
+set ssh-hostkey-algo ssh-ed25519
+set ssh-kex-algo diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
+set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
+end
+```
+
+**Checking the defaults**
+
+Unless you have modified the defaults, you don't need to these, but you may still want to check them:
+  * ``admin-ssh-v1``: Should be disabled by default since 6.4.5
+  * ``string-crypto``: Should be enabled by default since 6.4.5
+
+```
+get system global | grep "ssh\|strong-crypto"
+admin-ssh-grace-time: 120
+admin-ssh-password  : enable
+admin-ssh-port      : 22
+admin-ssh-v1        : disable
+ssh-enc-algo        : chacha20-poly1305@openssh.com aes256-gcm@openssh.com
+ssh-hostkey-algo    : ssh-ed25519
+ssh-kex-algo        : diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 curve25519-sha256@libssh.org
+ssh-mac-algo        : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
+strong-crypto       : enable
+```
+
+## FortiOS 7.0.x / 7.2.x / 7.4.0
+
+```
+config system global
+set ssh-enc-algo chacha20-poly1305@openssh.com aes256-gcm@openssh.com
+set ssh-kex-algo curve25519-sha256@libssh.org
+set ssh-mac-algo hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
+end
+```
+
+**Checking the defaults**
+
+Unless you have modified the defaults, you don't need to these, but you may still want to check them:
+  * ``admin-ssh-v1``: Should be disabled by default since 6.4.5
+  * ``string-crypto``: Should be enabled by default since 6.4.5
+
+```
+get system global | grep "ssh\|strong-crypto"
+admin-ssh-grace-time: 120
+admin-ssh-password  : enable
+admin-ssh-port      : 22
+admin-ssh-v1        : disable
+ssh-enc-algo        : chacha20-poly1305@openssh.com aes256-gcm@openssh.com
+ssh-kex-algo        : curve25519-sha256@libssh.org
+ssh-mac-algo        : hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com
+strong-crypto       : enable
+```
+
+## Limitations
+
+In most versions of FortiOS the available options don't permit reaching a perfect score, here are some of the reasons:
+
+* Host-key algorithms: Only pretty recent FortiOS 7.4.1 and later permit changing host keys algorithms, therefore ``rsa-sha2-256`` and ``rsa-sha2-512`` cannot be disabled in older releases.