Technical Tip: FortiOS FIPS Resource List
Description
This article provides a list of links to Knowledge Base (KB) articles and external documentation regarding Federal Information Processing Standards (FIPS) support on the FortiGate/FortiOS (aka FIPS 140-2/140-3 and FIPS-CC, or Common Criteria).
Scope
FortiGate, FIPS.
Solution
Important notes:
Added 2025-10-08: review the following KB article regarding extended technical support for the FortiOS 7.0 FIPS-CC Certified firmware branch: Technical Tip: Extended Support for v7.0 FIPS-CC Certified/CVE-Patched Firmware.
Administrators that are migrating FIPS-enabled FortiGates from FortiOS v7.0 to v7.2/v7.4 or later should review the following KB article before proceeding with upgrades, as it covers changes and potential incompatibilities to be aware of as FortiOS transitions from FIPS 140-2 to the newer FIPS 140-3 ruleset: Technical Tip: Key considerations when upgrading FIPS FortiGates from FIPS 140-2 (v7.0 and earlier) to FIPS 140-3 (v7.2, v7.4, and later).
For information on the current status of FIPS 140-3 and Common Criteria certification for FortiOS v7.2 and v7.4 (including explanations for the multiple firmware versions available for download), refer to the following KB article: Technical Tip: Differences between FIPS 140 and Common Criteria for FortiOS firmware (and info regarding FIPS FortiOS v7.2 and v7.4)
FIPS First-Time Setup KB articles | |
Title and Links | Description |
Enabling FIPS-CC mode on a FortiGate for the first time. | |
Technical Tip: Enabling FIPS-Ciphers mode on FortiGate-VM deployed in AWS | Enabling FIPS Ciphers mode on cloud-based FortiGate-VMs (a subset mode that is not equivalent to FIPS-CC mode and only enforces encryption cipher restrictions). |
Initial tips for getting started with FIPS-CC mode, including an expected behavior where interfaces are administratively down by default. | |
Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled | Information on the different types of FortiOS firmware that can be used (GA, FIPS Certified, and CVE-Patched) as well as guidance on upgrade paths and performing firmware upgrades while in FIPS-CC mode. |
Technical Tip: How to Verify if a FortiOS FIPS-CC Image is Certified or Patched | Guidance for finding, verifying, and obtaining the latest available FIPS Certified and CVE-Patched firmware builds for FortiOS. |
Technical Tip: Understanding FIPS 140-2 Compliance for FortiGate, FIPS-CC and Special Build | This article explains how to determine if a FortiGate device meets FIPS 140-2 standards and the importance of using NIST-approved encryption and authentication algorithms. |
Technical Tip: FIPS 140-2 Tamper Evident Seals for the FortiGate | Notes regarding tamper-evident seals required on hardware FortiGates for FIPS 140-2/140-3 Level 2 compliance. |
Describes how to configure an Automation Stitch that triggers when inbound/outbound bandwidth exceeds a targeted rate (only available when the FortiGate is running in FIPS-CC mode). | |
Technical Tip: FortiGate FIPS-CC enabled to send log to FortiAnalyzer | Describes the additional considerations required to have a FIPS-enabled FortiGate successfully send logs to FortiAnalyzer/FortiAnalyzer-Cloud. |
FIPS Known-Issues/Expected Behaviors KB articles | |
Title and Links | Description |
Known behavior when managing non-FIPS-enabled FortiSwitches with FIPS-enabled FortiGates. | |
Troubleshooting Tip: Unable to delete firewall policies with ID 5 or 6 in FIPS-CC Mode | Known issue affecting certain Firewall Policies when upgrading from v6.2 to v6.4 while FIPS-CC mode is enabled. |
Known issue where certain encryption ciphers do not work when used with Virtual Servers on FIPS-enabled FortiGates. | |
Known behavior where FIPS-enabled FortiGates cannot import certificates if the Root/Intermediate CA certificates are not installed first. | |
Known behavior where FIPS-enabled FortiGates cannot import remote certificates from SAML IdPs (i.e., used for signing SAML assertions) if they are missing the Basic Constraints extension. | |
Troubleshooting Tip: Fixing the error 'Basic constraints is absent for CA/LOCAL/REMOTE cert' | Expected behavior where FIPS-enabled FortiGates cannot import local certificates that are missing the Basic Constraints extension. |
This article provides steps to resolve fatal errors that appear in OFTP debugs on FortiGate with v7.2.5. | |
Technical Tip: FIPS-CC enabled FortiGates do not support the private-data-encryption feature | Expected behavior where FIPS-enabled FortiGates do not support the private-data-encryption feature. |
Describes an expected behavior for FIPS-enabled FortiGates where IPsec Phase 1 encryption algorithm settings can have an impact on the options available for Phase 2 encryption algorithms. | |
Describes a known limitation where virtual servers have reduced support for TLS versions and cipher suites when running FortiOS v7.0 or earlier in FIPS-CC mode. | |
FIPS-Related External Resources | |
Title and Links | Description |
Official Fortinet page regarding FIPS 140-2 and 140-3 certification, including the lists of products and firmware that are certified and links to their Security Policies/documentation. | |
NIST Cryptographic Module Validation Program (CMVP) Validated Modules | Link to the NIST CMVP database containing all validated modules (the link is preconfigured to search for all modules belonging to Vendor: Fortinet). |
OpenSSL FIPS provider installed globally at startup (FortiOS 7.6.0 New Features) | New Feature in FortiOS v7.6.0 regarding OpenSSL FIPS Provider (ensures that any OpenSSL application within FortiOS is automatically compliant with FIPS regulations). |
Administration Guide section regarding FIPS Ciphers mode, a unique sub-mode of FIPS-CC available for cloud-based FortiGate-VMs only (AWS, Azure, OCI, GCP). See also the FIPS-Ciphers KB article in the above table. | |
FIPS 140-2 Non-Proprietary Security Policy Document (FortiOS 6.4/7.0) | FIPS Security Policy documentation (available on NIST CMVP) describing how FortiOS v6.4/v7.0 meets FIPS 140-2 security requirements, as well as how to operate the modules in a FIPS-compliant manner. |
FIPS 140-2 Non-Proprietary Security Policy Document (FortiOS 6.2) | FIPS Security Policy documentation (available on NIST CMVP) describing how FortiOS 6.2 meets FIPS 140-2 security requirements, as well as how to operate the modules in a FIPS-compliant manner. |
