ighita
Staff
Article Id 419107
Description This article describes how to change the BIOS Security Level on FortiGate 90G and 91G, Gen1 and Gen2.
Scope FortiGate-90G, 91G, Gen1 and Gen2.
Solution

The BIOS-level validation process has been strengthened by requiring the FortiOS GA firmware images to carry two digital signatures: one from the Fortinet CA and another from an external certificate authority.

During startup, the BIOS confirms that every file corresponds to the secure hash specified in its certificate. If any integrity check fails, the user receives an alert, and depending on the severity and the BIOS security settings, the device may be blocked from completing the boot sequence.

The final result of these integrity and signature checks is determined by the BIOS security mode in use and which certificate authority signed the file.

 

For the FortiGate-90G and 91G, the steps to change the BIOS Security Level differ between Gen1 and Gen2.

 

To determine the hardware revision, the following commands can be used:

 

FGT90G-1 # get hard status
Hardware Revision: Rev1/Rev2

 

FGT90G-1 # get sys status
System Part-Number: Pxxxxx-xx

 

FortiGate-90G Gen1 devices use part numbers Pxxxxx-10-01 and lower, while Gen2 devices use part numbers Pxxxxx-11-01 and higher (for additional details, refer to the FortiGate 90G quick reference guide). 

 

To change the FortiGate-90G/91G Gen1 BIOS Security Level, the following steps must be performed:

 


Connect to the console port of the FortiGate.

Reboot the FortiGate (execute reboot) and enter the BIOS menu.

 

Please stand by while rebooting the system.

Restarting system

 

FortiGate-90G (22:39-08.01.2023)

Ver:06000100

Serial number: FGT90Gxxxxxxxxxx

CPU: 1600 MHz

Total RAM: 8 GB

Initializing boot device...

Initializing MAC...

Please wait for OS to boot, or press any key to display configuration menu. 

 

[C]: Configure TFTP parameters.

[R]: Review TFTP parameters.

[T]: Initiate TFTP firmware transfer.

[F]: Format boot device.

[I]: System information.

[B]: Boot with backup firmware and set as default.

[Q]: Quit menu and continue to boot.

[H]: Display this list of options.

 

Enter C,R,T,F,I,B,Q,or H:

 

Press [I] to enter the System Information menu:

 

[S]:  Set serial port baudrate.

[R]:  Set restricted mode.

[T]:  Set menu timeout.

[U]:  Set security level.

[C]:  Set FortiCare registration.

[I]:  Display system information.

[E]:  Reset system configuration.

[P]:  Normal POST test.

[Q]:  Quit this menu.

[H]:  Display this list of options.

 

Enter S,R,T,U,C,I,E,P,Q,or H:

 

Press [U] to enter the Set security level menu.

 

Enter S,R,T,U,C,I,E,P,Q,or H:

 [0]: Level 0 - Check image silently

 [1]: Level 1 - Check image with result only

 [2]: Level 2 - Check image and reinforce validity

Enter security level setting [2]:

 

Enter the required security level.

Continue to boot the device.

 

To change the FortiGate-90G/91G Gen2 BIOS Security Level, the following steps must be performed:

 

The front panel of the 90G (Gen2) models includes an LED that shows whether the device is operating in security mode L or H.

 


 

The signed-firmware panel is positioned on the back of the device and becomes accessible once the screw is removed, allowing the switch to be used to select either Low [L] or High [H] security mode.

 


When the switch is changed from High (default) to Low, a log entry is generated with the following ID:

 

22906 - LOG_ID_SECURITY_LEVEL_CHANGE

 

Note: After changing the switch position, the BIOS security level will only update after the FortiGate is rebooted. The command get system status can be used to view both the active BIOS security level and the current setting of the physical security-mode switch.

 

Current Security Level: Low
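
The checks described above can be run over saved CLI output and exported logs. The following Python script is an added example, not part of the original article or any Fortinet tooling: it classifies a unit as Gen1 or Gen2 from the part-number rule, and flags a Low security level or a logged 22906 event. The key=value log layout, the zero-padded logid form, the placeholder part number and all sample data are constructed assumptions.

```python
import re

# 22906 and the "Current Security Level" field come from the article; the
# key=value log layout and zero-padded logid form are assumptions.
SECURITY_LEVEL_CHANGE_ID = 22906

def parse_status(text):
    """Return 'Key: value' pairs from saved `get system status` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def generation(part_number):
    """Article rule: -10-01 and lower is Gen1, -11-01 and higher is Gen2."""
    m = re.fullmatch(r"P\d+-(\d+)(?:-(\d+))?", part_number or "")
    if not m:
        return "unknown"
    # Assumption: a missing final group is treated as 01.
    rev = (int(m.group(1)), int(m.group(2) or 1))
    if rev <= (10, 1):
        return "Gen1"
    return "Gen2" if rev >= (11, 1) else "unknown"

def level_change_events(log_lines):
    """Return log lines whose logid carries message ID 22906."""
    ids = ((line, re.search(r'\blogid="?(\d+)', line)) for line in log_lines)
    return [l for l, m in ids if m and int(m.group(1)[-6:]) == SECURITY_LEVEL_CHANGE_ID]

def audit(status_text, log_lines):
    """Return (generation, findings) for one device."""
    fields = parse_status(status_text)
    findings = []
    level = fields.get("Current Security Level")
    if level is None:
        findings.append("security level not reported")
    elif level.lower() == "low":
        findings.append("BIOS security level is Low")
    events = level_change_events(log_lines)
    if events:
        findings.append(f"{len(events)} security level change event(s) logged")
    return generation(fields.get("System Part-Number")), findings

# Constructed sample data (placeholder part number, not from a real device).
SAMPLE_STATUS = "System Part-Number: P00000-11-01\nCurrent Security Level: Low\n"
SAMPLE_LOGS = ['date=2025-01-01 time=10:00:00 logid="0100022906" type="event"',
               'date=2025-01-01 time=10:05:00 logid="0100032001" type="event"']
```

Calling audit(SAMPLE_STATUS, SAMPLE_LOGS) returns the generation together with the list of findings. A part number that falls between the two ranges given in the article is reported as "unknown".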
