According to the FIPS 140-2/140-3 'Physical Security' requirements section, FortiGates that require Security Level 2 compliance must have tamper-evident seals applied by the administrator/Crypto Officer after purchase (i.e., the seals are not applied at the factory before shipping). Note that these seals are not required for Security Level 1 environments, so it is not always necessary to acquire/apply these seals.

These red wax/plastic seals can be requested through a regional Fortinet Sales contact (Fortinet TAC is unable to provide these seals), and administrators may reference the FIPS-SEAL-RED SKU associated with these seals. When reaching out to Fortinet Sales, take care to provide sufficient contact information (i.e. full name, phone number, and mailing address) as well as a list of the FortiGate models and the number of units requiring seals, as this will expedite the process of getting the seals shipped out.

Each FortiGate model requires a different number and placement of these seals, so consult with the 'FIPS 140-2 Non-Proprietary Security Policy' documentation provided by Fortinet for instructions for seal installation and placement. This documentation can be found in multiple places:

• Federal Information Processing Standards (FIPS 140-2 and 140-3) (refer to the Security Policies section near the middle/end of the page).
• v6.4 and v7.0 are certified for up to FIPS 140-2 Level 2 (with certified firmware and hardware). The associated Security Policy can be found here (refer to Page 43 for the Physical Security section): FIPS 140-2 Non-Proprietary Security Policy FortiOS v6.4/v7.0 Level 2 - Security Policy.
• NIST Cryptographic Module Validation Program (filtered for Vendor: Fortinet).
  Within the certificate entry, scroll down to Related Files -> Security Policy to find the associated documentation.