| Description | This article describes how to change the BIOS security level on FortiGate G series models. |
| Scope | FortiGate-50G, 70G, 90G (Gen2), 120G, and 200G series and their variants. |
| Solution |
On most FortiGate models (including the FortiGate and FortiWiFi 30G/31G, as well as the Gen 1 versions of the 90G and 120G), it is possible to change the security level setting to allow the installation of unsigned firmware images. This is typically done from the BIOS (i.e., during boot-up and using a serial console connection), and is documented in more detail here:
However, for entry- to mid-level G-series FortiGates (including the FortiGate 50G, 70G, 90G Gen2, 120G Gen2, 200G, and 700G), it is no longer possible to change the security level from within the BIOS (the '[U]' option in the System Information section of the menu no longer exists). Instead, the security level is controlled by a special physical switch located on the FortiGate hardware, which is secured from tampering by a metal cover that is screwed to the casing.
Note: In earlier versions, FortiOS supported three security levels: 0, 1, and 2. As of FortiOS v7.0.16, v7.2.11, v7.4.6, and v7.6.1, levels 0/1 are interpreted as Low, whereas level 2 is interpreted as High (see Change 1063233 in the FortiOS Release Notes: Changes in default behavior).
To summarize the locations of the security level switches (labelled as 'Signed Firmware'):
For more information on the location of the Signed Firmware switch, consult the Quick Start Guides (QSGs) for the specific FortiGate model being worked on, available generally in the Hardware Guide section of the Fortinet Document Library:
To access the switch, remove/loosen the screw that secures the metal cover to the FortiGate's casing, then change the switch to either High or Low:
Note: When the value of the switch is adjusted, the BIOS security value will not update until the FortiGate is next rebooted. The command get system status can be used to verify the current BIOS security level against the physical switch security level setting.
For example, the FortiGate 50G, 70G, and 90G Gen2 series have the signed firmware cover on the back of the appliance (opposite to the panel with the system LEDs). When the screw is removed from the Signed Firmware panel, a switch will be revealed that can be set to Low [L] or High [H]. The following screenshots show a FortiGate-50G:
On the front of the unit are the system LEDs, and the 'Signed Firmware' LED will also indicate the current security mode (red being Low, green being High). The following image shows the LED on a FortiGate 70G as an example:
For comparison, the FortiGate 200G and 700G series place the Signed Firmware switch and LED together on the front of the appliance:
Note regarding multi-generation hardware: As noted in the corresponding QuickStart guide, the FortiGate 90G has several different generations. The Gen 2 models (identified with Part Numbers Pxxxxx-11-01 and above) include the Signed Firmware switch on the rear of the appliance and the system LED on the front, whereas older Gen 1 models (Pxxxxx-10-01 and below) do not.
Similarly, the FortiGate 120G series also has multiple generations, with Gen 2 models (Part Numbers Pxxxxx-2x-01 and above) including the Signed Firmware switch and system LED both on the front of the appliance, and older Gen 1 models (Pxxxxx-19-01 and below) not having these features.
Note regarding logging: When this switch is moved from high (default) to low, this will generate a System Event log on the FortiGate with the following ID: 22906 - LOG_ID_SECURITY_LEVEL_CHANGE. |
