FortiGate
hhasny
Staff
Article Id 196629

Description


This article describes how to enable FIPS-CC mode on FortiGate.

Scope


FortiGate.


Solution

 

It is important to note that FIPS-CC mode can be enabled on any FortiOS version (doing so enforces FIPS-compliant behavior), but only a subset of firmware builds is considered certified for FIPS-CC: the FIPS-CC Certified builds and the CVE-Patched builds derived from them. See Technical Tip: Upgrading FortiOS Firmware when FIPS-CC is enabled for more information.

 

FIPS-CC Certified and/or CVE-Patched builds can be downloaded from the Fortinet Support site (look for the 'FIPS-CC-Certified' folder within a given major branch of firmware, such as FortiOS 7.0).

 

Note that even with a Certified build, FIPS-CC mode is disabled by default after the firmware is installed. Additionally, FIPS-CC mode can only be enabled and configured over a serial console connection; it cannot be enabled from a session connected via the Web GUI or SSH, because the 'set status' option is not offered there.

 

CLI launched through the GUI (note the lack of the 'set status' option):

[Screenshot: config system fips-cc in a CLI session launched from the GUI; 'set status' is not offered]

Using a console connection:

[Screenshot: the same command issued over a serial console connection]
 
Read the following two notes before enabling FIPS-CC mode; the step-by-step procedure follows them.
 

Note1:

There have been some reports that the FortiGate may become inaccessible after enabling FIPS-CC mode if the default 'admin' account was deleted beforehand (for example, after creating a new super_admin account and removing the default 'admin').

 

The issue could not be reproduced in lab testing with several FortiOS 7.0 Certified and CVE-Patched builds. After FIPS-CC mode is enabled and the unit reboots, the expected and tested behavior is that the FortiGate re-adds (or modifies) the 'admin' account in the configuration and deletes all other administrator accounts. Administrators can then log in to the FIPS-enabled FortiGate as 'admin' with the password specified during FIPS-CC setup.

 

Nevertheless, the cautious recommendation is to make sure the default 'admin' account exists on the FortiGate before enabling FIPS-CC mode. The account exists by default on new FortiGates, so this is not a concern when FIPS-CC mode is enabled on a new or factory-reset unit. If the issue does occur, the recommended remediation is to reinstall the firmware using TFTP over a serial console connection. Refer to Technical Tip: Formatting and loading FortiGate firmware image using TFTP for instructions on performing this restore.

 

Note2:

FortiGate models that do NOT have a CP9/CP9XLite/CP9Lite security processor lack the hardware 'entropy source' that FIPS-CC requires for generating strong encryption keys.

  • For those models (such as the FortiGate-50E), a USB-based Entropy Token must be plugged in; otherwise, a repeating error message is shown when trying to enable FIPS-CC without an entropy source present.
  • Alternatively, the configuration can be adjusted so that the token is not required, but the FortiGate is then NOT operating in a FIPS-CC compliant manner:

config system fips-cc
    set entropy-token {enable | disable | dynamic}
end

enable     <----- An entropy token must be present during the boot process (FIPS-CC compliant).
disable    <----- No entropy token is required during the boot process (not FIPS-CC compliant).
dynamic    <----- Detect dynamically whether an entropy token is present during the boot process.

 

FortiGate models equipped with a CP9/CP10 will NOT show the 'set entropy-token' command in the CLI, since the additional token is not needed on them.

 

Steps to enable FIPS-CC Mode:

 

  1. Log in to the CLI through the console port, using the default admin account or another account with a super_admin access profile.

     Enter the following commands:

 

config system fips-cc
    show full-configuration   <----- Optional: display the current FIPS-CC settings before changing them.
    set status enable
    set entropy-token enable  <----- Only on models without a CP9/CP10 (see Note2); the option does not exist on other models.
end

 
     2. When the change is committed, a prompt appears asking for a new password for the 'admin' account:
 

Please enter admin administrator password:
New password must conform to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-alphanumeric

Please enter admin administrator password:**********
Please re-enter admin administrator password:**********

 

     3. The CLI then displays the following warning:
 
Warning: most configuration will be lost,
do you want to continue?(y/n) 
 
     4. Type y and press Enter to confirm. The FortiGate reboots and runs in FIPS-CC mode afterward. During boot, the FIPS-CC self-tests run and their results are printed on the console:
 

The system is going down NOW !!

Please stand by while rebooting the system.
Restarting system.
hw perf events fixed 4 > max(3), clipping!

System is starting...

FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX 

 

     5. Log back in to the FortiGate as 'admin' with the password set in Step 2:

 

    FortiGate-VM64-KVM login: admin
    Password:
    Welcome!


    POST WARNING:
    This is a private computer system. Unauthorized access or use
    is prohibited and subject to prosecution and/or disciplinary
    action. Any use of this system constitutes consent to
    monitoring at all times and users are not entitled to any
    expectation of privacy. If monitoring reveals possible evidence
    of violation of criminal statutes, this evidence and any other
    related information, including identification information about
    the user, may be provided to law enforcement officials.
    If monitoring reveals violations of security regulations or
    unauthorized use, employees who violate security regulations or
    make unauthorized use of this system are subject to appropriate
    disciplinary action.


   (Press 'a' to accept):

 

     6. To verify that FIPS-CC mode is enabled, run get system status after logging in and check the 'FIPS-CC mode' line:

 

get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FGVM02TM22000832
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable  <--------------------------------
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot
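Both the boot-time self-test lines and the 'get system status' output above are worth checking mechanically when several units are being converted, rather than eyeballing a console scrollback. The following script is an added example written for this article, not Fortinet code: it parses a saved serial-console transcript, confirms every self-test listed in the article's sample boot log reported 'passed' and that 'Self-tests passed' appeared, and cross-checks the 'FIPS-CC mode' line of get system status. The expected test names are taken from the article's sample output; other builds may print a different set, which is an assumption to adjust in EXPECTED_SELF_TESTS. The embedded sample transcripts are trimmed copies of the article's own console output.

```python
"""Offline check of a FortiGate console transcript after enabling FIPS-CC mode.

Added example for this article, not Fortinet code. Assumes the console output
was captured to a text file (e.g. via the terminal emulator's logging feature).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches "Running AES test... passed" or "Running RSA test... failed".
SELF_TEST_RE = re.compile(r"^Running (?P<name>.+?)\.\.\. (?P<result>passed|failed)$")
# Matches "key: value", ignoring a trailing "<-----" annotation if present.
STATUS_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*?)\s*(?:<-+)?$")

# Assumption: taken from the article's sample boot log; adjust for other builds.
EXPECTED_SELF_TESTS = (
    "Configuration/VPN Bypass test", "AES test", "SHA1 HMAC test",
    "SHA256 HMAC test", "SHA384/512 HMAC test", "RSA test", "ECDSA test",
    "Primitive-Z test", "Firmware integrity test", "RBG-instantiate test",
    "RBG-reseed test", "RBG-generate test",
)


@dataclass
class FipsCheck:
    self_tests: Dict[str, str]        # test name -> "passed" | "failed"
    summary_passed: bool              # the "Self-tests passed" line was seen
    fips_mode: Optional[str]          # value of "FIPS-CC mode" in get system status
    version: Optional[str]            # "Version" line, to compare against the certified build
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def parse_self_tests(boot_log: str) -> Tuple[Dict[str, str], bool]:
    """Collect each self-test result and whether the summary line appeared."""
    results: Dict[str, str] = {}
    summary = False
    for raw in boot_log.splitlines():
        line = raw.strip()
        m = SELF_TEST_RE.match(line)
        if m:
            results[m["name"]] = m["result"]
        elif line == "Self-tests passed":
            summary = True
    return results, summary


def parse_status(status_output: str) -> Dict[str, str]:
    """Turn the 'key: value' lines of get system status into a dict."""
    fields: Dict[str, str] = {}
    for raw in status_output.splitlines():
        m = STATUS_RE.match(raw.strip())
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def check_fips(boot_log: str, status_output: str) -> FipsCheck:
    """Cross-check boot log and status output; every problem found is listed."""
    tests, summary = parse_self_tests(boot_log)
    status = parse_status(status_output)
    check = FipsCheck(tests, summary, status.get("FIPS-CC mode"), status.get("Version"))
    for name in EXPECTED_SELF_TESTS:
        result = tests.get(name)
        if result is None:
            check.problems.append(f"self-test not seen: {name}")
        elif result != "passed":
            check.problems.append(f"self-test {result}: {name}")
    if not summary:
        check.problems.append("no 'Self-tests passed' line in boot log")
    if check.fips_mode != "enable":
        check.problems.append(f"FIPS-CC mode is {check.fips_mode!r}, expected 'enable'")
    return check


# Sample transcripts: trimmed copies of the article's console output.
SAMPLE_BOOT_LOG = """\
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
"""

SAMPLE_STATUS = """\
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Serial-Number: FGVM02TM22000832
FIPS-CC mode: enable  <--------------------------------
Current HA mode: standalone
"""

if __name__ == "__main__":
    result = check_fips(SAMPLE_BOOT_LOG, SAMPLE_STATUS)
    print("FIPS-CC OK" if result.ok else "PROBLEMS: " + "; ".join(result.problems))
```

The 'Version' field is captured so that the build string can be compared against the FIPS-CC-Certified folder on the support site; a unit that passes its self-tests with 'FIPS-CC mode: enable' on a non-certified build behaves in a FIPS-compliant way but is not a certified configuration.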

 

Note: 

FIPS-CC mode can be enabled on units in an HA cluster (Active-Active or Active-Passive), but it must be enabled individually on every cluster member (that is, separately on the primary and each secondary unit).

 

After enabling FIPS-CC mode and restoring the configuration, be aware that all firewall policies are disabled. Note down the names or IDs of the firewall policies beforehand so that they can be re-enabled afterwards.

 

Additionally, all network interfaces on the FortiGate are administratively disabled (set status down) by default. To regain GUI access to the FortiGate after enabling FIPS-CC mode, consult GUI access after enabling FIPS-CC.

Additional information:

Going forward, see the main NIST CMVP database (filtered for 'Fortinet' specifically) for FIPS-certified FortiOS firmware.

This will provide an accurate publicly-accessible list of all Fortinet products (including FortiOS and the specific FortiGate models) that have completed the FIPS 140-2/3 certification process. For example, the FIPS 140-2 certification entry for the original FortiOS 6.4 and 7.0 specialty builds can be found here.

The list of available FIPS-CC Certified builds (as well as CVE-Patched builds) can also be found on the Fortinet Support site's Firmware Download section. Each major version (6.2, 6.4, 7.0, etc.,) will have a 'FIPS-CC-Certified' folder containing any FIPS-certified firmware for that version (assuming one exists). If the folder does not exist, then no certified firmware exists for that major branch.


Related article:
Technical Tip: How to Verify if a FortiOS FIPS-CC Image is Certified or Patched.