pjang, Staff & Editor
Article Id 363571
Description

This article provides a list of resources/links regarding Federal Information Processing Standards (FIPS) support with the FortiGate/FortiOS (aka FIPS 140-2/140-3 and FIPS-CC, or Common Criteria).

Scope

FortiGate, FIPS.

Solution

FIPS-related Knowledge Base Articles

Technical Tip: How to enable FIPS-CC mode

Enabling FIPS-CC mode on a FortiGate for the first time.

Technical Tip: Enabling FIPS-Ciphers mode on FortiGate-VM deployed in AWS

Enabling FIPS Ciphers mode on cloud-based FortiGate-VMs (a subset mode that is not equivalent to FIPS-CC mode and only enforces encryption cipher restrictions).

Technical Tip: Getting Started with FIPS-CC enabled

Initial tips for getting started with FIPS-CC mode, including the expected behavior that interfaces are administratively down by default.

Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled

Information on the different types of FortiOS firmware that can be used (GA, FIPS Certified, and CVE-Patched) as well as guidance on performing firmware upgrades while in FIPS-CC mode.

Technical Tip: How to Verify if a FortiOS FIPS-CC Image is Certified or Patched

Guidance for finding, verifying, and obtaining the latest available FIPS Certified and CVE-Patched firmware builds for FortiOS.

Technical Tip: FIPS 140-2 Tamper Evident Seals for the FortiGate

Notes regarding tamper evident seals required on hardware FortiGates for FIPS 140-2/140-3 Level 2 compliance.

Technical Tip: Non-FIPS FortiSwitches are offline when managed by FortiGate configured in FIPS-CC m...

Known behavior when managing non-FIPS-enabled FortiSwitches with FIPS-enabled FortiGates.

Troubleshooting Tip: Unable to delete firewall policies with ID 5 or 6 in FIPS-CC Mode

Known issue affecting certain firewall policies when upgrading from FortiOS 6.2 to 6.4 while FIPS-CC mode is enabled.

Troubleshooting Tip: Cipher suites and TLS version are not supported by virtual servers in FIPS-CC ...

Known issue where certain encryption ciphers do not work when used with Virtual Servers on FIPS-enabled FortiGates.

Technical Tip: FortiGate in FIPS-CC mode cannot import certificate if root/intermediate CA certific...

Known behavior where FIPS-enabled FortiGates cannot import certificates if the Root/Intermediate CA certificates are not installed first.

Technical Tip: Unable to import remote certificate to FIPS-CC enabled FortiGate for SAML authentica...

Known behavior where FIPS-enabled FortiGates cannot import remote certificates from SAML IdPs (i.e., the certificates used to sign SAML assertions) if they are missing the Basic Constraints extension.

Troubleshooting Tip: Fixing the error 'Basic constraints is absent for CA/LOCAL/REMOTE cert'

Expected behavior where FIPS-enabled FortiGates cannot import local certificates that are missing the Basic Constraints extension.

Technical Tip: FIPS-CC enabled FortiGates do not support the private-data-encryption feature

Expected behavior where FIPS-enabled FortiGates do not support the private-data-encryption feature.


FIPS-related External Resources

Fortinet - Federal Information Processing Standards

Official Fortinet page regarding FIPS 140-2 and 140-3 certification, including the lists of products and firmware that are certified and links to their Security Policies/documentation.

NIST Cryptographic Module Validation Program (CMVP) Validated Modules

Link to the NIST CMVP database containing all validated modules (the link is preconfigured to search for all modules belonging to Vendor: Fortinet).

OpenSSL FIPS provider installed globally at startup (FortiOS 7.6.0 New Features)

New feature in FortiOS 7.6.0 regarding the OpenSSL FIPS Provider (ensures that any OpenSSL application within FortiOS is automatically compliant with FIPS regulations).

FIPS cipher mode for AWS, Azure, OCI, and GCP FortiGate-VMs

Administration Guide section regarding FIPS Ciphers mode, a unique sub-mode of FIPS-CC available for cloud-based FortiGate-VMs only (AWS, Azure, OCI, GCP). See also the FIPS-Ciphers KB article in the table above.

FIPS 140-2 Non-Proprietary Security Policy Document (FortiOS 6.4/7.0)

FIPS Security Policy documentation (available on NIST CMVP) describing how FortiOS 6.4/7.0 meet FIPS 140-2 security requirements, as well as how to operate the modules in a FIPS-compliant manner.

FIPS 140-2 Non-Proprietary Security Policy Document (FortiOS 6.2)

FIPS Security Policy documentation (available on NIST CMVP) describing how FortiOS 6.2 meets FIPS 140-2 security requirements, as well as how to operate the modules in a FIPS-compliant manner.