Troubleshooting Tip: TLS Version difference post enabling FIPS-CC mode for GUI access

Description

This article describes the likely outcome of TLS version difference post-enabling FIPS-CC mode for GUI access.

Scope

FortiOS v7.2, v7.0.

Solution

By default, FortiGate supports tlsv1-1, tlsv1-2, tlsv1-3 for GUI access.

Once enabling FIPS-CC mode, tlsv1-3 will no longer be available to config running on versions 7.0 and 7.2.

Lab-Device login: admin
Password:
Welcome!

Lab-Device # c g

Lab-Device (global) # config system global

Lab-Device (global) # set admin-https-ssl-versions
tlsv1-1 TLS 1.1.
tlsv1-2 TLS 1.2.
tlsv1-3 TLS 1.3.
Lab-Device (global) # end

Lab-Device (global) # config system fips-cc

Lab-Device (fips-cc) # set status enable

Lab-Device (fips-cc) # end

Please enter admin administrator password:******
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-alphanumeric

Please enter admin administrator password:************
Please re-enter admin administrator password:************

Warning: most configuration will be lost,
do you want to continue?(y/n) y

system will reboot

FortiGate-501E # config system global

FortiGate-501E (global) # set admin-https-ssl-versions
tlsv1-1 TLS 1.1.
tlsv1-2 TLS 1.2.
FortiGate-501E (global) # end