FortiOS 5.6.3 Supported Cipher Suites


A cipher suite is a collection of encryption and authentication algorithms that two participants in secure communication can select from to negotiate a secure transaction.

FortiOS uses cipher suites to select encryption and authentication algorithms to use for SSL VPN, IPsec VPN, SSL inspection, SSL offloading, administrator authentication, user authentication, secure communication with FortiGuard, and so on. Each of these secure transactions selects the encryption and authentication algorithms to use for the transaction from the cipher suites supported for that transaction. 

The cipher suites available for each transaction vary depending on the software settings and on the FortiGate hardware platform.

Here is the list of cipher suites available on most FortiGate hardware platforms for FortiOS 5.6.3:

TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256

TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256

TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256   

TLS-DHE-RSA-WITH-AES-128-CBC-SHA            

TLS-DHE-RSA-WITH-AES-256-CBC-SHA            

TLS-DHE-RSA-WITH-AES-128-CBC-SHA256         

TLS-DHE-RSA-WITH-AES-128-GCM-SHA256         

TLS-DHE-RSA-WITH-AES-256-CBC-SHA256         

TLS-DHE-RSA-WITH-AES-256-GCM-SHA384         

TLS-DHE-DSS-WITH-AES-128-CBC-SHA             

TLS-DHE-DSS-WITH-AES-256-CBC-SHA            

TLS-DHE-DSS-WITH-AES-128-CBC-SHA256         

TLS-DHE-DSS-WITH-AES-128-GCM-SHA256         

TLS-DHE-DSS-WITH-AES-256-CBC-SHA256         

TLS-DHE-DSS-WITH-AES-256-GCM-SHA384         

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA          

TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256       

TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256       

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA          

TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384       

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384       

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA        

TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256     

TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256     

TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384     

TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384     

TLS-RSA-WITH-AES-128-CBC-SHA                

TLS-RSA-WITH-AES-256-CBC-SHA                

TLS-RSA-WITH-AES-128-CBC-SHA256             

TLS-RSA-WITH-AES-128-GCM-SHA256             

TLS-RSA-WITH-AES-256-CBC-SHA256             

TLS-RSA-WITH-AES-256-GCM-SHA384             

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA           

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA           

TLS-RSA-WITH-CAMELLIA-128-CBC-SHA256        

TLS-RSA-WITH-CAMELLIA-256-CBC-SHA256        

TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA           

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA       

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA       

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA       

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA       

TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA256    

TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA256    

TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA256    

TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA256    

TLS-ECDHE-RSA-WITH-RC4-128-SHA              

TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA         

TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA            

TLS-RSA-WITH-3DES-EDE-CBC-SHA               

TLS-RSA-WITH-RC4-128-MD5                    

TLS-RSA-WITH-RC4-128-SHA                    

TLS-DHE-RSA-WITH-DES-CBC-SHA                

TLS-DHE-DSS-WITH-DES-CBC-SHA                

TLS-RSA-WITH-DES-CBC-SHA   

Viewing the cipher suites supported by your FortiGate

You can use the following command to view the cipher suites that are available on your FortiGate. This command is used to select the cipher suites to apply to SSL offloading. Other implementations that require cipher suites may support a subset of this list.

config firewall vip
   edit <vip-name>
      set type server-load-balance
      set server-type https
      set ssl-algorithm custom
      config ssl-cipher-suites
         edit 1
            set cipher ?
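
As an added example (not part of the original post and not Fortinet code), the following Python script parses suite names in the format listed above and filters them down to candidates for a custom set. The policy it applies (forward secrecy plus AEAD ciphers only) and all function names are assumptions made for this illustration.

```python
import re

# Constructed sample: a few suite names copied from the list on this page.
SAMPLE = """
TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-DHE-DSS-WITH-DES-CBC-SHA
"""

# TLS-<key exchange/auth>-WITH-<bulk cipher>-<hash>
NAME = re.compile(r"^TLS-(?P<kx>.+?)-WITH-(?P<cipher>.+)-(?P<mac>[A-Z0-9]+)$")

def parse(name):
    """Split a suite name into key exchange/auth, bulk cipher and hash."""
    m = NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a cipher suite name: {name!r}")
    return m["kx"], m["cipher"], m["mac"]

def findings(name):
    """Reasons to leave a suite out under the assumed policy (empty = keep)."""
    kx, cipher, mac = parse(name)
    out = []
    if not kx.startswith(("ECDHE", "DHE")):
        out.append("static RSA key exchange, no forward secrecy")
    if cipher.startswith("RC4"):
        out.append("RC4 is prohibited in TLS (RFC 7465)")
    elif cipher.startswith("3DES"):
        out.append("3DES has a 64-bit block (Sweet32)")
    elif cipher.startswith("DES"):
        out.append("single DES has a 56-bit key")
    elif "CBC" in cipher:
        out.append("CBC mode, not AEAD")
    if mac == "MD5":
        out.append("MD5 MAC")
    return out

def shortlist(text):
    """Names from `text` with no findings, in their original order."""
    names = [line.strip() for line in text.splitlines() if line.strip()]
    return [n for n in names if not findings(n)]

if __name__ == "__main__":
    for n in SAMPLE.split():
        print(n, "->", "; ".join(findings(n)) or "keep")
```

Paste the output of `set cipher ?` in place of `SAMPLE` to evaluate the suites your own platform offers.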

Bill Dickie

Technical Writer at Fortinet