farhanahmed
Staff
October 3, 2024

Technical Tip: Enable FIPS mode on FortiManager/Analyzer VM

Description: This article describes how to enable FIPS mode on FortiManager and FortiAnalyzer virtual machines.
Scope: FortiManager, FortiAnalyzer
Solution

FIPS mode in FortiManager/FortiAnalyzer VM is disabled by default and can only be enabled from the VM console via the virtualization platform's interface (e.g. vSphere Web Client, Azure portal, etc.).

  • Enabling FIPS mode performs a factory reset.
  • A backup file from a non-FIPS device cannot be used to restore/migrate on a FIPS-enabled device.
  • A new password must be set: minimum length 8, and it must contain an upper-case letter, a lower-case letter, a number and a non-alphanumeric character.
  • The entropy-token option must also be set:
    • Disable -> Disable entropy-token.
    • Dynamic -> Dynamically detect entropy token during bootup.
    • Enable -> Enable entropy-token
  • Restoring the FortiManager/FortiAnalyzer to normal mode requires a factory reset or a VM snapshot revert.
  • To enable FIPS mode, connect to FortiManager/FortiAnalyzer via the VM console and use the following commands:

 

config system fips
(fips)# set entropy-token {disable | dynamic | enable}
(fips)# set status enable
(fips)# end

 


 

  • After the reboot, FortiManager/FortiAnalyzer shows that the FIPS mode tests were successful.

 


 

  • Status shows FIPS mode enabled.

     

Note:

FortiManager/FortiAnalyzer v5.2 and v6.2 are FIPS 140-2 Level 1 certified: Fortinet Federal Information Processing Standards

 

Related documents:

FortiAnalyzer FIPS CLI Reference

Technical Tip: FortiGate FIPS-CC enabled to send log to FortiAnalyzer

Technical Tip: Certificate Generation with FIPS Enabled on FortiAnalyzer and FortiGate