Created on 08-19-2023 06:56 AM, edited on 12-09-2024 10:06 PM, by Anthony_E
This article describes how to enable FIPS Ciphers mode on a FortiGate-VM deployed in AWS.
Scope: FortiGate-VM deployed in an AWS VPC.
For context: cloud-based FortiGate-VMs (hosted in AWS, Azure, Oracle Cloud or Google Cloud) support full FIPS-CC mode and also a narrower mode called FIPS Ciphers mode.
FIPS Ciphers mode is a subset of FIPS-CC mode: it only restricts the set of cryptographic ciphers the FortiGate-VM will use, covering HTTPS and SSH administrative access, IPsec and SSL VPN negotiation, and outgoing connections to FortiGuard and other Fortinet services. It is available from FortiOS 6.4.3 on AWS and Azure, and from FortiOS 7.0.1 on Oracle Cloud (OCI) and Google Cloud (GCP).
The two modes differ in how they can be enabled: full FIPS-CC mode (set status enable under config system fips-cc) can only be enabled on a cloud-based FortiGate-VM over a serial console connection, whereas FIPS Ciphers mode can be enabled from an HTTPS, SSH, or serial console session to the FortiGate-VM.
To enable FIPS Ciphers mode on an AWS FortiGate-VM, use the following procedure from any CLI session (HTTPS CLI console, SSH, or serial console).
For details on launching the instance and connecting to it via the AWS serial console, refer to the following article: Technical Tip: How to connect to a FortiGate VM deployed in AWS using a serial/console connection - Fortinet Community
FortiGate # config system fips-cc
FortiGate (fips-cc)# set status fips-ciphers
FortiGate (fips-cc)# end
A warning prompt asks the administrator to confirm that they want to enable FIPS Ciphers mode. Answering 'y' reboots the FortiGate-VM, and the mode is active after the reboot. Note that the reboot drops all current administrative sessions, and that management clients (browsers, SSH clients, VPN peers, and scripts) must support the reduced cipher set or they will no longer be able to connect. After the reboot, confirm the setting is persisted by running show system fips-cc, which should print set status fips-ciphers.
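Because the whole point of the mode is to shrink the set of ciphers the admin HTTPS interface will negotiate, it is worth checking the result from the outside after the reboot. The script below is an added example, not part of the Fortinet article and not FortiOS code: it takes a list of IANA cipher-suite names, as printed by a scanner such as nmap's ssl-enum-ciphers script against port 443 of the FortiGate-VM, and reports any suite built on an algorithm that FIPS 140 does not approve (NULL, export, anonymous key exchange, RC4, MD5, DES/3DES, ChaCha20-Poly1305, Camellia, ARIA, SEED, IDEA). The pattern list and the sample suite list are assumptions constructed for this example, not output captured from a FortiGate.

```shell
#!/bin/sh
# Added example (not from the Fortinet article, not FortiOS code).
# Flags TLS cipher suites that a FIPS-restricted listener should never offer.
# Input: IANA suite names, one per line, e.g. the first field of each suite line
# printed by `nmap --script ssl-enum-ciphers -p 443 <fortigate-ip>`.
# The classification below is an assumption for this example: it rejects
# well-known non-approved primitives and accepts everything else.

# Return 0 if the suite contains no non-approved primitive, 1 otherwise.
# Rejected: NULL (no encryption), EXPORT (deliberately weak), anon (no peer
# authentication), RC4, MD5, DES/3DES (deprecated by NIST), CHACHA20,
# CAMELLIA, ARIA, SEED, IDEA (never FIPS-approved).
is_fips_cipher() {
  case "$1" in
    *NULL*|*EXPORT*|*anon*|*ANON*|*RC4*|*MD5*|*DES*|*CHACHA20*|*CAMELLIA*|*ARIA*|*SEED*|*IDEA*)
      return 1 ;;
    *)
      return 0 ;;
  esac
}

# Constructed sample input (not captured from a FortiGate): the first two suites
# are acceptable, the remaining four must not appear on a FIPS-restricted listener.
SAMPLE_SUITES='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA'

# Print every offending suite from a newline-separated list (blank lines ignored).
list_non_fips() {
  printf '%s\n' "$1" | while IFS= read -r suite; do
    [ -n "$suite" ] || continue
    is_fips_cipher "$suite" || printf '%s\n' "$suite"
  done
}

# Print the number of offending suites; 0 means the listener only offers
# suites that pass the check.
count_non_fips() {
  list_non_fips "$1" | grep -c .
}

# Stand-alone run against the constructed sample.
offenders=$(list_non_fips "$SAMPLE_SUITES")
if [ -n "$offenders" ]; then
  printf 'Cipher suites that should not be offered in FIPS Ciphers mode:\n%s\n' "$offenders"
else
  echo 'All offered cipher suites pass the FIPS primitive check.'
fi
```

To check a real FortiGate-VM, replace SAMPLE_SUITES with the suite names from your scanner output; a clean result (count 0) after the reboot, compared with a non-zero count taken before enabling the mode, confirms the restriction is in effect on the admin HTTPS interface. The same list can be fed from any scanner, as long as each line carries the IANA suite name.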
Related documents:
Technical Tip: How to connect to a FortiGate VM deployed in AWS using a serial/console connection
Copyright 2025 Fortinet, Inc. All Rights Reserved.