Technical Tip: How to Verify if a FortiOS FIPS-CC Image is Certified or Patched

FortiOS FIPS-CC releases come in two types, officially certified releases as well as patched versions of those officially certified releases. These patched versions include backported vulnerability patches, but the nature of them being patched means they are no longer technically certified.

Multiple builds may exist that correspond to the same certificate, due to the need to support different models like FortiGate-VM and physical FortiGates.

FortiOS FIPS releases since 6.4 also have their versioning system separate from the normal FortiOS versions (6.4.14, 7.0.12, 7.2.6, etc.). FIPS release numbers follow the following syntax: FIPS-CC-XX-Y. XX corresponds to the general availability release the FIPS build is based on, so for FortiOS builds based on 7.0 firmware this would be '70'.

Y is a sequentially assigned number and is independent of the FortiOS release patch number (7.0.12).

If using only FIPS-CC-certified builds is required for compliance reasons, then the process for checking if a build is certified or not is as follows.

1. Go to the NIST Cryptographic Module Validation Program search page, accessible here: https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules/search

2. Enter 'Fortinet' into the ‘Vendor’ search bar and hit search. A list of Fortinet CMVP certificates should appear like so: 

3. Find the certificate corresponding to the FortiOS FIPS-CC version that needs to be installed. For FortiOS FIPS-CC 7.0.7, the certificate would be #4443 marked as ‘FortiOS 6.4/7.0’:

4. Select the certificate number (4443 in this case) to open up the certificate information. Once here, note the value in the ‘Firmware Versions’ field. Only versions that are listed here in the certificate are officially certified by NIST.

5. Once the firmware version is noted, go to the firmware download portal at https://support.fortinet.com/download/firmwareimages.aspx. Switch to the ‘Download’ page and then browse to the firmware version corresponding to the active certificate. For this example, the applicable version is either v6.4 or v7.0, and v7.0 will be used. There is a FIPS-CC folder under the v7.0 branch that contains the versions that are either certified or patched.

6. Within the FIPS-CC-Certified folder, there may be multiple firmware branches(7.0.x) as well as individual builds within those branches(b8489 for example). Verifying a build’s status requires going to the individual build folder and downloading the ‘ReadMe’ PDF file.

The ReadMe file and filename will both include a FIPS-CC version number, FIPS-CC-70-6 in this case. Only the FIPS-CC version listed on the NIST certificate from Step 4 is officially certified. If the FIPS-CC version is newer, then that FIPS-CC version is a patched version and not a certified version.

It is also possible to check the latest updated Patch version under different firmware branches as shown below:

It is possible to see the latest patched available firmware versions.