Hi @robinh007,
FortiOS introduces an enhanced security framework focused on the BIOS and runtime integrity of FortiGate devices. The improvements aim to detect unauthorized changes and ensure trustworthiness at the firmware level. This includes:
- Stronger file signature validation during firmware upgrades.
- Improved runtime integrity checking, verifying system files and binaries are not tampered with.
- Enhanced protection against persistent threats at the BIOS or bootloader level.
Changing the security level to 1 increases the strictness of file and BIOS validation. Here's why it's important:
- Level 0: Default — less strict. Signature and file checks occur, but are not enforced at runtime.
- Level 1: Enforced — BIOS-level and file integrity checks are strictly applied at boot and during runtime. Any deviation may prevent system operation or trigger alerts.
- Level 2: It enforces the highest file and firmware integrity by requiring all system files to be signed by both Fortinet’s CA and a trusted third-party CA; if a file has only Fortinet’s signature, FortiOS will run but show warnings, while any unsigned or invalid file prevents the system from running entirely.
Why set the security level to 1 in the FortiGate BIOS configuration:
- Enforces Zero Trust posture on firmware and system files.
- Crucial for high-security environments (e.g., finance, government, defense).
- Provides strong assurance against bootkits, firmware tampering, or supply-chain attacks.
You can set the enhanced integrity checking level using the CLI (console access only), but a reboot is required for this process.
https://docs.fortinet.com/document/fortigate/7.2.9/fortios-release-notes/661811/bios-level-signature-and-file-integrity-checking-during-downgrade
BR.
If my answer provided a solution for you, please mark the reply as the solution so that others can find it easily while searching for similar scenarios.
CCIE #68781