pjang
Staff & Editor
Article Id 405988
Description

This article discusses a known/expected issue with Admin HTTPS access that can occur when enabling FIPS-CC mode on a FortiGate with an existing configuration. Expected symptoms are as follows:

  • The FortiGate web GUI does not load (for example, the browser reports ERR_CONNECTION_REFUSED), but the FortiGate is reachable via other protocols (ICMP ping, SSH, etc.).
  • FIPS-CC mode was recently enabled (see: Technical Tip: How to enable FIPS-CC mode).
  • Debugs on the node daemon (diagnose debug application node -1) either produce no output or, after the daemon is restarted (fnsysctl killall node), repeatedly show the following error:

ENOENT: no such file or directory, open '/tmp/admin_server.key'

Scope

FortiGate, FIPS, Admin Web GUI.
Solution

Enabling FIPS-CC mode on the FortiGate removes most of the existing configuration. This is to ensure that FIPS compliance is met by removing any settings that could be non-compliant (especially those involving configurable encryption algorithms). Note that this does not clear every setting, and the warning presented when enabling FIPS-CC mode says as much:

Warning: most configuration will be lost,
do you want to continue?(y/n)

One observed side-effect of this is that X.509 certificates installed by administrators on the FortiGate before enabling FIPS-CC are preserved after the mode is enabled. Additionally, if the Admin HTTPS GUI is configured to use one of these certificates, then that setting is preserved as well (i.e. set admin-server-cert under config system global will still point to the admin-uploaded certificate).

However, FIPS-mode and non-FIPS-mode FortiGates differ in how certificate private keys are encrypted and stored on the device. A private key that was stored under the non-FIPS scheme can no longer be loaded once the device is in FIPS-CC mode, so processes like the node daemon (which serves the Admin HTTPS GUI) fail to load the private key belonging to the configured admin-server-cert. The end result is that the node daemon cannot start properly and the Admin HTTPS GUI does not work.


Resolution:

To resolve this issue, delete and then re-upload/re-deploy any admin-uploaded certificates AFTER enabling FIPS-CC mode, so that their private keys are stored under the FIPS-mode scheme, and then point admin-server-cert at the re-uploaded certificate. Switching admin-server-cert to a built-in certificate first (see the Workaround below) restores GUI access for the re-upload and avoids trying to delete a certificate that is still referenced. More generally, avoid trying to preserve configuration from a non-FIPS FortiGate when enabling FIPS-CC for the first time; treat the FIPS-CC mode FortiGate as a new deployment and reconfigure it fully after the mode is enabled.


Workaround:

Built-in certificates appear to load without issue after enabling FIPS-CC mode, so one workaround is to change the Admin HTTPS certificate to a built-in certificate such as Fortinet_Factory to restore GUI access (from the CLI over SSH, which still works), then fix the admin-uploaded certificates afterwards. Note that Fortinet_Factory is issued by Fortinet's own CA rather than a public CA, so browsers will show a certificate warning until the admin-uploaded certificate is back in place:

config system global
    set admin-server-cert Fortinet_Factory
end

After this change, diagnose debug application node -1 should no longer show the ENOENT error for /tmp/admin_server.key and the GUI should load again.
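As an added example (not Fortinet code and not part of this article), the Python helper below does three things a practitioner automating a FIPS-CC cutover would want: it matches the node-daemon error quoted in the Description against captured debug output, it reads a FortiOS configuration backup before FIPS-CC is enabled to report which local certificates are admin-uploaded and whether admin-server-cert points at one of them (so the GUI outage can be predicted), and it emits the workaround CLI. It assumes the backup layout shown in the constructed sample: config vpn certificate local entries carry set source factory for built-in certificates and set source user for uploaded ones. The certificate name corp-admin-cert, the hostname, the debug line other than the ENOENT error, and the PEM bodies are all made up.

```python
"""Pre-flight and recovery helper for the FIPS-CC Admin HTTPS certificate issue.

Added example for this article; not Fortinet code. Runs offline on a
FortiOS configuration backup and on captured node-daemon debug output.
"""
import re

# Error string quoted in the article's symptom list.
NODE_KEY_ERROR = re.compile(
    r"ENOENT: no such file or directory, open '/tmp/admin_server\.key'")

# Constructed sample of 'diagnose debug application node -1' output after
# 'fnsysctl killall node'; only the ENOENT line is taken from the article.
SAMPLE_NODE_DEBUG = (
    "node: restarting admin https listener\n"
    "ENOENT: no such file or directory, open '/tmp/admin_server.key'\n"
)

# Constructed config backup excerpt. Assumption: built-in certificates carry
# 'set source factory' and admin-uploaded ones 'set source user'; the names,
# hostname and PEM bodies are placeholders, not real material.
SAMPLE_CONFIG = """\
config system global
    set hostname "fgt-lab"
    set admin-server-cert "corp-admin-cert"
end
config vpn certificate local
    edit "Fortinet_Factory"
        set range global
        set source factory
    next
    edit "corp-admin-cert"
        set password ENC placeholder
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERT
-----END CERTIFICATE-----"
        set range global
        set source user
    next
end
"""


def node_debug_shows_missing_key(debug_output):
    """True if the node daemon reported the missing admin_server.key file."""
    return NODE_KEY_ERROR.search(debug_output) is not None


def _logical_lines(text):
    """Yield config statements, joining multi-line quoted values (PEM blocks)."""
    buf = []
    for line in text.splitlines():
        buf.append(line)
        joined = "\n".join(buf)
        if joined.count('"') % 2 == 0:   # quotes balanced: statement complete
            yield joined.strip()
            buf = []
    if buf:                              # unterminated quote at end of file
        yield "\n".join(buf).strip()


def parse_fortios_config(text):
    """Return (admin_server_cert, {local cert name: source}) from a backup.

    Minimal walker over config/edit/set/next/end that records only the two
    tables this article cares about.
    """
    admin_cert, local_certs, path, current = None, {}, [], None
    for stmt in _logical_lines(text):
        if not stmt:
            continue
        kw, _, rest = stmt.partition(" ")
        if kw == "config":
            path.append(rest.strip())
        elif kw == "end":
            if path:
                path.pop()
        elif kw == "edit":
            current = rest.strip().strip('"')
            if path and path[-1] == "vpn certificate local":
                local_certs.setdefault(current, None)
        elif kw == "next":
            current = None
        elif kw == "set":
            key, _, value = rest.partition(" ")
            value = value.strip().strip('"')
            if path and path[-1] == "system global" and key == "admin-server-cert":
                admin_cert = value
            elif (path and path[-1] == "vpn certificate local"
                  and key == "source" and current):
                local_certs[current] = value
    return admin_cert, local_certs


def preflight(config_text):
    """Report what will need re-uploading after FIPS-CC is enabled."""
    admin_cert, local_certs = parse_fortios_config(config_text)
    uploaded = sorted(n for n, src in local_certs.items() if src != "factory")
    return {
        "admin_server_cert": admin_cert,
        "uploaded_certs": uploaded,
        # The GUI will break after FIPS-CC if the admin cert is an uploaded one.
        "gui_at_risk": admin_cert in uploaded,
    }


def recovery_cli(fallback="Fortinet_Factory"):
    """CLI to run over SSH to restore GUI access with a built-in certificate."""
    return "\n".join(["config system global",
                      "    set admin-server-cert %s" % fallback,
                      "end"])


if __name__ == "__main__":
    report = preflight(SAMPLE_CONFIG)
    print("preflight:", report)
    if report["gui_at_risk"] or node_debug_shows_missing_key(SAMPLE_NODE_DEBUG):
        print(recovery_cli())
```

Run preflight against a backup taken before enabling FIPS-CC; if gui_at_risk is true, expect to apply recovery_cli over SSH once the mode is enabled, then delete and re-upload every name in uploaded_certs and point admin-server-cert back at the re-uploaded certificate. The quote-balancing in _logical_lines matters because a naive line-by-line parser would mistake the PEM body of an uploaded certificate for config statements.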


Related articles:

Technical Tip: FortiOS FIPS Resource List

Troubleshooting Tip: Cannot access the FortiGate web admin interface (GUI)
