Created on 03-25-2021 03:13 AM
Edited on 04-17-2023 05:15 AM
By Jean-Philippe_P
Description
This article describes how to enable FIPS-CC mode on FortiGate.
Scope
FortiGate.
Solution
Only certain FortiOS versions and FortiGate models are FIPS-CC certified.
Browse to support.fortinet.com/Download/FirmwareImages.aspx for the FIPS-CC-certified images.
FIPS-CC mode can also be enabled on a firmware version that is not FIPS-CC certified, but doing so does not guarantee compliance.
FIPS-CC mode must be enabled through a console connection; enabling it via the GUI or SSH is not supported.
Note: this also applies to the CLI console launched from the GUI.
Steps to configure:
1) Log in to the CLI through the console port, using the default admin account or another account with the super_admin access profile, and enter the following commands:
mercury-kvm36 (fips-cc) # show full-configuration
config system fips-cc
set status enable
set entropy-token enable
end
mercury-kvm36 (fips-cc) # end
Please enter admin administrator password:
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-alphanumeric
Please enter admin administrator password:**********
Please re-enter admin administrator password:**********
The system is going down NOW !!
FortiGate-VM64-KVM #
Please stand by while rebooting the system.
Restarting system.
hw perf events fixed 4 > max(3), clipping!
System is starting...
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX
2) To verify that FIPS-CC mode is enabled, run the following command once the firewall is back up:
FortiGate-VM64-KVM # get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FGVM02TM22000832
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable -------------------------------->
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot
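When FIPS-CC is rolled out across several units, the console output above (the boot-time self-tests and the 'get system status' result) is usually captured by the terminal emulator's session log. The following script, an added example that is not Fortinet code, parses such a captured log: it confirms that every FIPS-CC self-test reported 'passed', that 'get system status' shows 'FIPS-CC mode: enable', and it pre-checks a candidate admin password against the policy quoted by the device prompt (minimum length 8, upper-case, lower-case, number, non-alphanumeric). The sample input is constructed from the lines shown in this article; the function names and the assumption that output is available as text are the example's own.

```python
"""Check a captured FortiGate console session for FIPS-CC enablement.

Added example, not Fortinet code. Assumes the console output was saved
to a text file (for example via terminal session logging) and that the
self-test and 'get system status' sections are available as strings.
"""
import re

# Constructed sample: the self-test block the article shows at boot.
SELF_TEST_OUTPUT = """\
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
"""

# Constructed sample: abbreviated 'get system status' output, values taken from the article.
STATUS_OUTPUT = """\
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
FIPS-CC mode: enable -------------------------------->
Current HA mode: standalone
Release Version Information: GA
"""

SELF_TEST_RE = re.compile(r"^Running (?P<name>.+?) test\.\.\. (?P<result>\w+)$")


def parse_self_tests(text):
    """Return {test_name: result} for every 'Running <name> test... <result>' line."""
    results = {}
    for line in text.splitlines():
        m = SELF_TEST_RE.match(line.strip())
        if m:
            results[m.group("name")] = m.group("result")
    return results


def self_tests_ok(text):
    """True only if at least one self-test line was seen and all of them passed."""
    results = parse_self_tests(text)
    return bool(results) and all(r == "passed" for r in results.values())


def parse_status(text):
    """Parse the 'Key: value' lines of 'get system status' into a dict.

    Splits on the first colon only, so 'System time: Wed Aug 31 03:49:35 2022'
    keeps its value intact; trailing '---->' annotations (as in the article) are stripped.
    """
    status = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = re.sub(r"\s*-{2,}>?\s*$", "", value.strip())
        status[key.strip()] = value
    return status


def fips_cc_enabled(text):
    """True when 'get system status' reports 'FIPS-CC mode: enable'."""
    return parse_status(text).get("FIPS-CC mode", "").lower() == "enable"


def password_meets_policy(pw):
    """Pre-check a candidate admin password against the policy the device enforces in FIPS-CC mode."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def check_session(self_test_text, status_text):
    """Combine the checks; returns a list of findings (an empty list means compliant)."""
    findings = []
    tests = parse_self_tests(self_test_text)
    if not tests:
        findings.append("no FIPS-CC self-test lines found in console output")
    for name, result in tests.items():
        if result != "passed":
            findings.append(f"self-test '{name}' reported {result}")
    if not fips_cc_enabled(status_text):
        findings.append("'get system status' does not report 'FIPS-CC mode: enable'")
    return findings


if __name__ == "__main__":
    for finding in check_session(SELF_TEST_OUTPUT, STATUS_OUTPUT) or ["FIPS-CC enabled, all self-tests passed"]:
        print(finding)
```

Run it against a real session log by replacing the two constructed strings with the corresponding sections of the captured output; a failed self-test or a status line other than 'enable' shows up as a finding rather than being buried in the boot banner.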
Note: FIPS-CC mode can be enabled on units in an HA cluster (either Active-Active or Active-Passive); however, it must be enabled on both the primary and secondary units.
Copyright 2023 Fortinet, Inc. All Rights Reserved.