FortiGate
wsingavarapu (Staff)
Article Id 269389
Description

 

This article describes how to enable FIPS Cipher mode on a FortiGate-VM deployed in AWS.

 

Scope

 

FortiGate-VM deployed in AWS VPC.

 

Solution

 

For context: cloud-based FortiGate-VMs (for example, hosted in AWS, Azure, Oracle Cloud, or Google Cloud) support FIPS-CC mode and also a sub-mode called FIPS Cipher mode.

 

FIPS Cipher mode is a subset of FIPS-CC mode that specifically restricts the list of encryption ciphers available to the FortiGate-VM for services such as HTTPS and SSH admin access, IPsec and SSL-VPN ciphers, and outgoing connections to FortiGuard and other Fortinet services. The mode is available from FortiOS 6.4.3 and later (for AWS and Azure) and from FortiOS 7.0.1 and later (for Oracle Cloud/OCI and Google Cloud/GCP).

 

Notably, FIPS-CC mode (set status enable under config system fips-cc) can be enabled on cloud-based FortiGate-VMs only via a serial console connection, whereas FIPS Ciphers mode can be enabled from an HTTPS, SSH, or serial console session to the FortiGate-VM.

 

To enable FIPS Ciphers mode on an AWS FortiGate-VM, use the following procedure:

  1. Connect to the FortiGate-VM deployed in AWS using a serial/console connection.

 

[Screenshot: wsingavarapu_0-1692377685482.png]

 

For details on launching and connecting to an instance via the AWS serial console, refer to the following article: Technical Tip: How to connect to a FortiGate VM de... - Fortinet Community

 

  2. Use the following commands to enable FIPS Cipher mode on the FortiGate-VM.

 

FortiGate # config system fips-cc

FortiGate (fips-cc)# set status fips-ciphers

FortiGate (fips-cc)# end

 

A warning message asks the administrator whether to continue with enabling FIPS Ciphers. Selecting 'y' reboots the FortiGate-VM and enables FIPS Ciphers mode.
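Once the setting is in place, a practitioner usually wants to confirm across a fleet that every cloud FortiGate-VM actually carries it, rather than trusting a one-time console session. The following Python script is an added example, not part of this article or of Fortinet's own tooling: it parses FortiOS configuration backups and reports the `config system fips-cc` status of each. The backup excerpts are constructed; the script assumes the standard backup layout in which settings at their default value are omitted (so a missing fips-cc block is read as the default `disable`) and, on multi-VDOM units, global settings sit under `config global`. Because full FIPS-CC mode restricts ciphers as well, `enable` is accepted alongside `fips-ciphers` by default.

```python
"""Audit FortiOS configuration backups for FIPS-CC / FIPS cipher mode status.

Constructed example (not Fortinet code).  Assumptions: settings at their
default are omitted from a backup, so a missing `config system fips-cc`
block means the default status `disable`; on multi-VDOM units the global
settings sit under `config global`.
"""
import shlex


def parse_fortios_config(text):
    """Parse FortiOS CLI-style configuration text into nested dicts.

    `config <path>` ... `end` opens a block keyed by the path string,
    `edit <name>` ... `next` opens a table entry keyed by its name,
    `set <key> <value...>` stores a leaf (a string, or a list for
    multi-value settings) and `unset <key>` removes one.  Lines starting
    with '#' (the backup header) are skipped.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        verb, args = tokens[0], tokens[1:]
        current = stack[-1]
        if verb in ("config", "edit"):
            stack.append(current.setdefault(" ".join(args), {}))
        elif verb in ("end", "next"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{verb}' in configuration")
            stack.pop()
        elif verb == "set" and args:
            current[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif verb == "unset" and args:
            current.pop(args[0], None)
        # other verbs (e.g. 'purge') carry nothing this audit needs
    if len(stack) != 1:
        raise ValueError("configuration ends inside an open block")
    return root


def fips_cc_status(config):
    """Return the `config system fips-cc` status: 'enable', 'fips-ciphers' or 'disable'."""
    scopes = [config]
    if isinstance(config.get("global"), dict):  # multi-VDOM layout
        scopes.append(config["global"])
    for scope in scopes:
        block = scope.get("system fips-cc")
        if isinstance(block, dict):
            return block.get("status", "disable")
    return "disable"  # assumption: block absent from the backup means the default


def audit(text, accepted=("enable", "fips-ciphers")):
    """Return (compliant, status) for one backup text."""
    status = fips_cc_status(parse_fortios_config(text))
    return status in accepted, status


def audit_all(backups):
    """Audit a mapping of device name -> backup text; returns name -> (compliant, status)."""
    return {name: audit(text) for name, text in backups.items()}


# Constructed backup excerpts (hostnames, addresses and header line are made up).
BACKUP_FIPS_CIPHERS = """\
#config-version=<constructed header line, skipped by the parser>
config system global
    set hostname "fgt-aws-example-1"
end
config system fips-cc
    set status fips-ciphers
end
config system interface
    edit "port1"
        set ip 10.0.1.10 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

BACKUP_DEFAULT = """\
config system global
    set hostname "fgt-aws-example-2"
end
"""

BACKUP_MULTI_VDOM = """\
config vdom
    edit root
    next
end
config global
    config system global
        set hostname "fgt-aws-example-3"
    end
    config system fips-cc
        set status enable
    end
end
config vdom
    edit root
        config system interface
            edit "port1"
                set ip 10.0.2.10 255.255.255.0
            next
        end
    next
end
"""

BACKUPS = {"fgt-1": BACKUP_FIPS_CIPHERS, "fgt-2": BACKUP_DEFAULT, "fgt-3": BACKUP_MULTI_VDOM}

if __name__ == "__main__":
    for name, (ok, status) in audit_all(BACKUPS).items():
        print(f"{name}: status={status} {'OK' if ok else 'NOT COMPLIANT'}")
```

Point `BACKUPS` at real backup files (for example, read from the directory where your backup job stores them) and the report lists every VM still at the default `disable`, which is the case the procedure above is meant to eliminate.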

 

[Screenshot: Enabling_FIPS_Cipher.png]

 

Related documents:

Technical Tip: How to connect to a FortiGate VM deployed in AWS using a serial/console connection

FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs | FortiGate / FortiOS 7.4.0 (fortinet.co...