Description
This article answers some frequently asked questions concerning low encryption (LENC) devices.
Scope
FortiGate, FortiCache, FortiMail.
Solution
What is a Low Encryption Device (LENC)? What are the restrictions?
Low Encryption means that the FortiGate, FortiMail or FortiCache device cannot use or inspect high encryption protocols such as 3DES and AES. It uses only 56-bit DES encryption for SSL VPN and IPsec VPN, and it cannot perform SSL inspection.
A LENC FortiGate can still use security profiles, but they cannot assess or take action on encrypted traffic.
Why are LENC devices needed and who uses them?
Low Encryption devices are typically offered to government end-users that must buy an export license from the U.S. government when acquiring a standard strong-crypto product. An export license for a strong-crypto device is required in every country outside the following list:
Austria, Australia, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland, United Kingdom, Canada and the U.S.
For example, in Latin America (including Mexico), the Middle East, Africa, Eastern Europe (outside the EU), or the Asia Pacific region (except Japan), a sale to a government end-user requires an export license for the strong encryption version of the product; alternatively, the new FG-1000-A-LENC-xx low encryption version can be purchased, in which case a license exemption applies.
Can a LENC device be upgraded to a high encryption device?
Yes, all LENC devices can be upgraded to a full encryption device by acquiring a strong encryption upgrade license key. This license additionally has to be approved by the U.S. government if the government end-user is not resident in any of the countries shown above. Contact the usual sales channel for more information.
Are LENC devices available for all Fortinet models?
No, LENC versions are not available for all models in the Fortinet product range. LENC versions may also be released later than the equivalent model. Contact the usual sales channel for more information.
How can I identify if a FortiGate model is LENC?
Usually, LENC devices are identified with a LENC suffix on the model number of the FortiGate, for example:
FG-310B-LENC
FG-50B-LENC
Also, the output of the 'get system status' command will display the License Status as Low-Encryption (LENC):
FortiGate # get system status | grep "License Status"
License Status: Low-Encryption(LENC) <---
Many LENC devices have the prefix LF in the FortiGate serial number as well. For example,
LF310BXXXXXXXX instead of FG310BXXXXXXXX.
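Because a LENC unit is limited to 56-bit DES for VPNs and cannot perform SSL inspection, it is worth flagging such units when auditing a fleet. The following is an added example, not Fortinet code: it checks the three indicators described above against saved 'get system status' output. The `Serial-Number:` field name, the `License Status: Valid` value, the device names and all sample data are assumptions constructed for illustration, as is the choice to let the License Status line decide when it is present.

```python
import re

LICENSE_RE = re.compile(r"^\s*License Status:\s*(.*)$", re.MULTILINE)
# Assumed field name for the serial number line in the status output.
SERIAL_RE = re.compile(r"^\s*Serial-Number:\s*(\S+)", re.MULTILINE)


def lenc_indicators(model, status_text):
    """Map each indicator from the article to True/False, or None if absent."""
    lic = LICENSE_RE.search(status_text)
    ser = SERIAL_RE.search(status_text)
    return {
        "license_status": None if lic is None
        else "low-encryption" in lic.group(1).lower(),
        "serial_lf_prefix": None if ser is None
        else ser.group(1).upper().startswith("LF"),
        "model_lenc_suffix": None if not model
        else model.upper().endswith("-LENC"),
    }


def classify(model, status_text):
    """Return (verdict, mismatch); License Status decides when present."""
    ind = lenc_indicators(model, status_text)
    hints = [ind["serial_lf_prefix"], ind["model_lenc_suffix"]]
    if ind["license_status"] is not None:
        verdict = "LENC" if ind["license_status"] else "not LENC"
    elif any(hints):
        verdict = "possibly LENC"  # naming hints only, no status line captured
    else:
        verdict = "unknown"
    # Flag devices whose naming hints contradict the License Status line.
    mismatch = ind["license_status"] is not None and any(
        h is not None and h != ind["license_status"] for h in hints)
    return verdict, mismatch


# Constructed sample inventory: name -> (model label, captured status output).
SAMPLES = {
    "fw-a": ("FG-310B-LENC", "Serial-Number: LF310BXXXXXXXX\n"
                             "License Status: Low-Encryption(LENC)\n"),
    "fw-b": ("FG-50B", "Serial-Number: FG50BXXXXXXXXX\nLicense Status: Valid\n"),
    "fw-c": ("FG-50B-LENC", "Serial-Number: FG50BXXXXXXXXX\n"),
    "fw-d": ("FG-310B-LENC", "Serial-Number: LF310BXXXXXXXX\nLicense Status: Valid\n"),
}

if __name__ == "__main__":
    for name, (model, text) in SAMPLES.items():
        print(name, *classify(model, text))
```

A device reported with `mismatch` set to true has a LENC-style model or serial number that disagrees with its License Status line and should be checked by hand.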
Related Articles:
https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-register-the-LENC-license-in-a-For...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Option-to-set-Algorithm-and-ban-cipher-is-...