Technical Tip: How to enable FIPS-CC mode
Description
This article describes how to enable FIPS-CC mode on FortiGate.
Scope
FortiGate.
Solution
Important: while FIPS-CC mode can be enabled on all FortiOS versions, only a subset of firmware is considered to be certified for FIPS-CC, those being the FIPS Certified firmware builds, as well as the CVE-Patched builds that are derived from the Certified firmware. For more information on the sub-types of FortiOS firmware that are relevant to FIPS-CC operation (including FIPS 'Candidate' builds), refer to the following KB article: Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled.
Administrators may still enable FIPS-CC mode on General Availability (GA) builds of FortiOS, but be aware that these builds are not guaranteed to be fully-compliant with FIPS-CC, and so the general recommendation is to use the FIPS Certified/CVE-Patched builds for environments that require FIPS compliance.
FIPS-CC Certified and/or CVE-Patched builds can be downloaded from Fortinet Support (look for the 'FIPS-CC-Certified' folder within a given major branch of firmware, such as FortiOS v7.0).
Note that even when using Certified builds, FIPS-CC mode is disabled by default after installing the firmware. Additionally, FIPS-CC mode can only be activated/configured using a serial console connection (it is not possible to enable it when connected via the Web GUI or SSH).
[Screenshot: CLI launched through the GUI, showing that config system fips-cc has no status option there; the option is only offered on the serial console.]
Steps to enable FIPS-CC Mode:
- Log in to the CLI through the console port using the default admin account or another account with a super_admin access profile, then enter the following commands. Note that entropy-token will not be present for FortiGates that have built-in entropy sources (see notes below for more information):
FortiGate # config system fips-cc
FortiGate (fips-cc) # set status enable
FortiGate (fips-cc) # show
config system fips-cc
set status enable
set entropy-token enable
end
FortiGate (fips-cc) # end
- After entering the commands, a prompt will appear asking to set a new administrator password for the 'admin' account:
Please enter admin administrator password:
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-alphanumeric
Please enter admin administrator password:**********
Please re-enter admin administrator password:**********
- The CLI then warns that most of the existing configuration will be lost (see the note on configuration restoration below) and asks for confirmation:
do you want to continue?(y/n)
- Type y, then hit Enter to confirm. The FortiGate will restart and will run in FIPS-CC mode afterward.
The system is going down NOW !!
Please stand by while rebooting the system.
Restarting system.
hw perf events fixed 4 > max(3), clipping!
System is starting...
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX
- Log back in to the FortiGate using username 'admin' and the password set during the FIPS-CC setup above.
FortiGate-VM64-KVM login: admin
Password:
Welcome!
POST WARNING:
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. Any use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action.
(Press 'a' to accept):
- To verify that FIPS-CC mode is enabled, run get system status after logging in and check the 'FIPS-CC mode' line. Note that on the FIPS Certified firmware for FortiOS v7.4 and later, an '(STS)' suffix is displayed in the CLI prompt. This is expected behavior, see: Special Technical Support firmware.
FortiGate (STS) # get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FGVM02TM22000832
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable <---
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot
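As an added example (not part of the original article and not Fortinet code), the following Python script parses captured get system status output and reports the three things worth checking at this step: whether FIPS-CC mode is enabled, whether the unit is running a General Availability build (which the article notes is not guaranteed to be FIPS-CC compliant), and whether the unit is in an HA cluster (where FIPS-CC must be enabled on every member). The sample text is constructed from the fields shown above. Treating 'Release Version Information: GA' as the marker of a GA build is an assumption; the script can flag a GA build but cannot prove that any other build is the FIPS Certified/CVE-Patched one, so the firmware still has to be matched against the FIPS-CC-Certified folder on the support site.

```python
"""Check FIPS-CC state from 'get system status' output.

Added example for this article; not Fortinet code. Feed it the text captured from a
console or SSH session after running 'get system status'.
"""
import re

# Constructed sample, reduced to the fields used below (values mirror the output shown above).
SAMPLE_STATUS = """\
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Serial-Number: FGVM02TM22000832
Hostname: FortiGate-VM64-KVM
FIPS-CC mode: enable
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
"""

VERSION_RE = re.compile(r"v(?P<version>\d+\.\d+\.\d+),build(?P<build>\d+)")


def parse_status(text):
    """Turn 'Key: value' lines into a dict. Lines without a colon are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_fips(fields):
    """Evaluate parsed status fields and return a result dict with a list of findings."""
    findings = []

    fips_enabled = fields.get("FIPS-CC mode", "").lower() == "enable"
    if not fips_enabled:
        findings.append("FIPS-CC mode is not enabled")

    # Assumption: 'Release Version Information: GA' identifies a General Availability build.
    # GA builds are not guaranteed to be FIPS-CC compliant; this check only flags them and
    # cannot prove that a non-GA build is the FIPS Certified/CVE-Patched firmware.
    ga_build = fields.get("Release Version Information", "").upper() == "GA"
    if ga_build:
        findings.append("GA build: confirm the firmware came from the FIPS-CC-Certified folder")

    # FIPS-CC must be enabled on each cluster member individually, so flag HA units for review.
    ha_mode = fields.get("Current HA mode", "").lower()
    if ha_mode and ha_mode != "standalone":
        findings.append("HA mode '%s': verify FIPS-CC on every cluster member" % ha_mode)

    match = VERSION_RE.search(fields.get("Version", ""))
    return {
        "serial": fields.get("Serial-Number", "unknown"),
        "version": match.group("version") if match else "unknown",
        "build": match.group("build") if match else "unknown",
        "fips_enabled": fips_enabled,
        "ga_build": ga_build,
        "ok": fips_enabled and not ga_build and ha_mode in ("", "standalone"),
        "findings": findings,
    }


if __name__ == "__main__":
    result = check_fips(parse_status(SAMPLE_STATUS))
    print("%(serial)s v%(version)s build %(build)s: FIPS-CC enabled=%(fips_enabled)s" % result)
    for finding in result["findings"]:
        print("  - " + finding)
```

Run against the sample above, the script reports FIPS-CC enabled but flags the unit because the build is GA; for a fleet check, capture get system status from each unit (and from each HA member separately) and feed the captures to check_fips.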
Disabling FIPS-CC mode:
In order to disable FIPS-CC mode on a FortiGate, a factory-reset must be executed. This can be performed using the execute factoryreset command in the CLI (it is strongly recommended to only do this when the FortiGate is physically accessible, as this will wipe the configuration). For more information on factory resets on the FortiGate, refer to Technical Tip: How to reset a FortiGate with the default factory settings/without losing management access.
Important Notes before Enabling FIPS-CC:
Ensure that the default admin account is present in the configuration before enabling FIPS-CC:
There have been some reports that the FortiGate may be inaccessible after enabling FIPS-CC mode if the default 'admin' account is deleted beforehand (i.e., creating a new super_admin and removing the default 'admin').
The issue has not been reproducible when lab testing several v7.0 Certified and CVE-Patched builds. After enabling FIPS-CC mode and rebooting, FortiGate's expected and tested behavior is to modify/re-add the 'admin' account to the configuration and delete all other existing administrator accounts. Administrators can then log in to the FIPS-enabled FortiGate using 'admin' and the password they specified during FIPS-CC setup.
The cautious recommendation is to ensure that the default 'admin' account is present on the FortiGate before enabling FIPS-CC mode.
This account will exist by default on new FortiGates and should not be a concern if FIPS mode is being enabled on new/factory-reset FortiGates.
If the issue does occur for some reason, then the recommended remediation is to perform a firmware restore/reinstall using TFTP and a serial console connection. Refer to Technical Tip: Formatting and loading FortiGate firmware image using TFTP for instructions on performing this restore operation.
Note regarding Single Sign-On (SSO) admin accounts:
After enabling FIPS-CC mode, SSO admin accounts will only have read-only permissions, even if they are configured with a super_admin profile.
Note regarding Entropy requirement for FIPS-CC (Updated - March 2026):
In FortiOS v7.0 and earlier (which were certified for FIPS 140-2), the FortiGate required a hardware-based source of entropy for the purposes of random number generation. Hardware models that included CP9-based Content Processors (namely CP9/CP9XLite/CP9Lite) will automatically utilize this onboard hardware as the entropy source, whereas models that did not include this hardware (such as the FortiGate-50E or FortiGate-VMs) would require a USB-based Entropy Token to be plugged in if the entropy-token setting was set to enable.
To temporarily work around this earlier restriction, administrators can adjust the configuration so that an entropy source is not mandated, though doing so means that the FortiGate is no longer operating in a FIPS-CC-compliant fashion. Note that this setting is only necessary and visible on FortiGate models that do not have an onboard source of entropy:
FortiGate # config system fips-cc
FortiGate (fips-cc) # set entropy-token ?
enable <--- Enable the entropy token to be present during the boot process.
disable <--- Disable the entropy token to be present during the boot process.
dynamic <--- Dynamic detects entropy tokens to be present during the boot process.
However, as of FortiOS v7.2 and v7.4 (which target certification for FIPS 140-3), a hardware-based entropy source is no longer required. Instead, all FortiGate models (including VMs) running these versions of FIPS Certified firmware use only a FIPS-compliant software-based source of entropy called jitterentropy (AKA JitterEnt), rather than relying on the Content Processor or a USB token for entropy. This also means that there is no need to manually configure the entropy-token setting going forward.
Note regarding High Availability (HA):
FIPS-CC mode can be enabled on units in HA mode (either Active-Active or Active-Passive). However, it needs to be enabled individually on all cluster members (i.e., separately on the Primary and Secondary units).
Note regarding REST API admin accounts: the REST API admin account option is not available in FIPS-CC mode. For more details, see Technical Tip: REST API admin account option is not available if FIPS-CC mode is enabled.
Note regarding Configuration Restoration after enabling FIPS-CC:
When enabling FIPS-CC, the FortiGate warns that 'most configuration will be lost', which implies that some configuration may be retained. This is technically true, as certain configurations (especially those relating to encryption ciphers) will be removed in order to enforce the FIPS-CC requirements.
For example, be aware that after enabling FIPS-CC mode, all firewall policies are disabled and all network interfaces are administratively down (set status down). Before enabling FIPS-CC, note down the IDs or names of the firewall policies and the interfaces that need to be re-enabled afterward; since every interface is down after the reboot, the first interface (typically the management interface) has to be brought back up over the serial console before the unit is reachable over the network.
With that being said, Fortinet makes no guarantees that any specific aspect of an existing non-FIPS configuration will be retained or function correctly after FIPS-CC is enabled. For example, consider the situation discussed in the following KB article: Technical Tip: Cannot reach Admin HTTPS GUI after enabling FIPS-CC mode on FortiGate with existing configuration.
Additionally, while it is technically possible to restore a configuration backup from a non-FIPS-enabled FortiGate to a FIPS-enabled FortiGate, there are still no guarantees that all aspects of the configuration will be restored correctly due to potential incompatibilities with FIPS regulations. Take care to separate configuration backups for FIPS-enabled FortiGates from non-FIPS-enabled FortiGates when it comes to potential restore operations.
All in all, the safest recommendation is to assume that the FortiGate configuration will need to be rebuilt when enabling FIPS-CC mode on an existing FortiGate. Instead of enabling FIPS-CC mode on an existing FortiGate, consider taking a spare FortiGate and building a fresh configuration with FIPS-CC enabled, then swapping the spare FortiGate with the existing FortiGate during a maintenance window.
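As an added example (not part of the original article and not Fortinet code), the following Python script reads a configuration backup taken before FIPS-CC was enabled, lists the firewall policies and interfaces that were active in it, and emits the FortiOS CLI needed to re-enable them after the reboot. The sample configuration fragment is constructed for this example. Two assumptions are built in: a policy counts as enabled unless its entry contains set status disable, and an interface counts as up unless its entry contains set status down; both match how FortiOS backups omit default values, but review the generated commands before pasting them, and bring up the management interface over the console first.

```python
"""Generate FortiOS CLI to re-enable policies and interfaces after FIPS-CC is turned on.

Added example for this article; not Fortinet code. Input is the text of a configuration
backup taken from the non-FIPS unit before FIPS-CC mode was enabled.
"""

# Constructed sample of a FortiOS backup fragment (not from a real device).
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.0.2.1 255.255.255.0
        set allowaccess ping https ssh
    next
    edit "port2"
        set vdom "root"
        set status down
    next
end
config firewall policy
    edit 1
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
    next
    edit 2
        set name "legacy-rule"
        set status disable
    next
end
"""


def parse_table(text, table):
    """Return {entry-name: {setting: value}} for one top-level 'config <table>' block.

    Only 'set' lines directly inside each 'edit' are recorded; nested sub-tables
    (for example 'config ipv6' inside an interface) are skipped by tracking depth.
    """
    entries = {}
    in_table = False
    depth = 0
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not in_table:
            in_table = line == "config " + table
            continue
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            if depth == 0:
                break  # end of the table we were reading
            depth -= 1
        elif depth:
            continue  # inside a nested sub-table, ignore
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value
    return entries


def enabled_policies(cfg):
    # Assumption: FortiOS omits 'set status enable' because it is the default.
    return [pid for pid, s in parse_table(cfg, "firewall policy").items()
            if s.get("status") != "disable"]


def up_interfaces(cfg):
    # Assumption: FortiOS omits 'set status up' because it is the default.
    return [name for name, s in parse_table(cfg, "system interface").items()
            if s.get("status") != "down"]


def reenable_commands(cfg):
    """FortiOS CLI that restores interfaces first (management access), then policies."""
    lines = ["config system interface"]
    for name in up_interfaces(cfg):
        lines += ['    edit "%s"' % name, "        set status up", "    next"]
    lines.append("end")
    lines.append("config firewall policy")
    for pid in enabled_policies(cfg):
        lines += ["    edit %s" % pid, "        set status enable", "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(reenable_commands(SAMPLE_CONFIG))
```

For the sample backup the script brings up only port1 and re-enables only policy 1, leaving port2 and the disabled legacy policy as they were; policies that depend on ciphers or settings removed by FIPS-CC may still need to be rebuilt by hand.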
Additional information:
Going forward, see the Cryptographic Module Validation Program CMVP for FIPS-certified FortiOS firmware.
This will provide an accurate, publicly-accessible list of all Fortinet products (including FortiOS and the specific FortiGate models) that have completed the FIPS 140-2/3 certification process. For example, the FIPS 140-2 certification entry for the original FortiOS 6.4 and 7.0 specialty builds can be found there: Cryptographic Module Validation Program CMVP.
The list of available FIPS-CC Certified builds (as well as CVE-Patched builds) can also be found on the Fortinet Support site's Firmware Download section. Each major version (6.2, 6.4, 7.0, etc.) will have a 'FIPS-CC-Certified' folder containing any FIPS-certified firmware for that version (assuming one exists). If the folder does not exist, then no certified firmware exists for that major branch.
For more information regarding firmware upgrades while in FIPS-CC mode, refer to the following KB article: Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled.
Related articles:
- Technical Tip: How to Verify if a FortiOS FIPS-CC Image is Certified or Patched.
- Technical Tip: Understanding FIPS 140-2 Compliance for FortiGate, FIPS-CC and Special Build
- Technical Tip: FortiOS FIPS Resource List
- Technical Tip: Extended Support for v7.0 FIPS-CC Certified/CVE-Patched Firmware
- Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled
