New features in FortiOS 5.2.8

TLS 1.2 support for SSL offloading (241817)

You can use the following command to configure SSL offloading to support TLS 1.2:

    config firewall vip
        edit <name>
            set type server-load-balance
            set server-type https
            set ssl-min-version tls-1.2
            set ssl-max-version tls-1.2
            ...

The default ssl-min-version is still ssl-3.0 and the default ssl-max-version is still tls-1.0, so you must explicitly set at least ssl-max-version to tls-1.2 to enable TLS 1.2 support.

The following AES-GCM TLS 1.2-only cipher suites have also been added. These cipher suites are not supported by the CPx or NPx processors, so if you select one of them, all processing is done without hardware acceleration.

Note: TLS 1.2 support does not require setting ssl-algorithm to custom and configuring a custom cipher suite.

    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
    TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
    TLS-RSA-WITH-AES-128-GCM-SHA256
    TLS-RSA-WITH-AES-256-GCM-SHA384

You can use the following command to select one of these cipher suites:

    config firewall vip
        edit <name>
            set type server-load-balance
            set server-type https
            set ssl-max-version tls-1.2
            set ssl-algorithm custom
            config ssl-cipher-suites
                edit 100
                    set cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
                    ...
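
The following Python example is an addition to this page, not Fortinet code. It parses config firewall vip CLI text and reports HTTPS VIPs that still rely on the ssl-3.0/tls-1.0 defaults described above, plus custom AES-GCM suites that either run without CPx/NPx acceleration or cannot be negotiated because ssl-max-version is below tls-1.2. The function names, finding labels and sample configuration are constructed for illustration, and tls-1.1 is assumed to be an accepted version value.

```python
# Defaults stated on this page for FortiOS 5.2.8.
DEFAULTS = {"ssl-min-version": "ssl-3.0", "ssl-max-version": "tls-1.0"}
RANK = {"ssl-3.0": 0, "tls-1.0": 1, "tls-1.1": 2, "tls-1.2": 3}  # tls-1.1: assumed value

def parse_vips(text):
    """Map each VIP name to its top-level settings and custom cipher list."""
    vips, cur, depth, in_vip = {}, None, 0, False
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":
            depth += 1
            in_vip = tok[1:] == ["firewall", "vip"] if depth == 1 else in_vip
        elif tok[0] == "end":
            depth -= 1
        elif in_vip and depth == 1 and tok[0] == "edit":
            cur = vips.setdefault(tok[1].strip('"'), {"set": {}, "ciphers": []})
        elif in_vip and cur and tok[0] == "set" and len(tok) >= 3:
            if depth == 1:
                cur["set"][tok[1]] = tok[2]
            elif tok[1] == "cipher":  # nested under config ssl-cipher-suites
                cur["ciphers"].append(tok[2])
    return vips

def audit(text):
    """Return sorted (vip, finding) pairs for VIPs with server-type https."""
    out = []
    for name, vip in parse_vips(text).items():
        s = {**DEFAULTS, **vip["set"]}  # unset options fall back to the defaults
        if s.get("server-type") != "https":
            continue
        tls12 = RANK[s["ssl-max-version"]] >= RANK["tls-1.2"]
        if not tls12:
            out.append((name, "TLS12_DISABLED"))
        if RANK[s["ssl-min-version"]] < RANK["tls-1.2"]:
            out.append((name, "LEGACY_MIN"))
        gcm = [c for c in vip["ciphers"] if "-GCM-" in c]  # matches all ten listed suites
        if gcm and s.get("ssl-algorithm") == "custom":
            out.append((name, "NO_HW_ACCEL" if tls12 else "GCM_UNREACHABLE"))
    return sorted(out)

# Constructed sample configuration, not taken from a real device.
SAMPLE = "\n".join([
    'config firewall vip', 'edit "web-vip"', 'set server-type https',
    'set ssl-min-version tls-1.2', 'set ssl-max-version tls-1.2',
    'set ssl-algorithm custom', 'config ssl-cipher-suites', 'edit 100',
    'set cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256', 'next', 'end', 'next',
    'edit "legacy-vip"', 'set server-type https', 'set ssl-algorithm custom',
    'config ssl-cipher-suites', 'edit 100',
    'set cipher TLS-RSA-WITH-AES-128-GCM-SHA256', 'next', 'end', 'next', 'end'])
print(audit(SAMPLE))
```

GCM_UNREACHABLE is an inference from the page's statement that these suites are TLS 1.2-only: with ssl-max-version left at tls-1.0, a custom list containing only such suites leaves nothing to negotiate.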