Description
This article describes how to enable FIPS-CC mode on FortiGate.
Scope
FortiGate.
Solution
Only certain versions and models are FIPS-CC certified.
Browse to support.fortinet.com/Download/FirmwareImages.aspx for the FIPS-CC-Certified images.
Enable on non-FIPS-CC certified version but it does not guarantee compliance.
To enable FIPS-CC mode, configure it via a console connection. It is NOT supported via GUI or SSH.
Note:
FIPS-CC mode is disabled by default after installing the firmware.
Follow the procedure below to enable FIPS-CC mode on your FortiGate.
FortiGate models that do NOT have a CP9/CP9XLite/CP9Lite will lack an "entropy source", which is required for generating strong encryption keys for FIPS-CC.
- For those models (such as the FortiGate-50E), a user would require a USB-based Entropy Token to be plugged in (you will otherwise get a repeating error message if you try to turn on FIPS-CC without an entropy source present).
- Otherwise, it is possible to adjust the config to not require the token, but doing so means the FortiGate is not acting in a FIPS-CC compliant fashion:
FGT51E # config sys fips
FGT51E (fips-cc) # set entropy-token
enable <----- Enable entropy token to be present during the boot process.
disable <----- Disable entropy token to be present during the boot process.
dynamic <----- Dynamic detects entropy token to be present during the boot process.
Any unit that has a CP9/CP10, for the entropy source will NOT show the 'set entropy-token' command in the CLI, since the token is not necessary.
CLI launched through GUI:
Using console connection.
Steps to Configure:
- Log in to the CLI through the console port. Use the default admin account or another account with a super_admin access profile.
Enter the following commands.
mercury-kvm36 (fips-cc) # show full-configuration
config system fips-cc
set status enable
set entropy-token enable
end
mercury-kvm36 (fips-cc) # end
2. After that, it will prompt the user to enter a new administrator password:
Please enter admin administrator password:
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-al phanumeric
Please enter admin administrator password:**********
Please re-enter admin administrator password:**********
3. After that the CLI displays the below message:
Warning: most configuration will be lost,
do you want to continue?(y/n)
do you want to continue?(y/n)
4. Enter y, the FortiGate unit restarts and is now running in FIPS-CC mode.
The system is going down NOW !!
FortiGate-VM64-KVM #
Please stand by while rebooting the system.
Restarting system.
hw perf events fixed 4 > max(3), clipping!
System is starting...
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX
5. Re-login back into firewall with the admin password set in step (2).
FortiGate-VM64-KVM login: admin
Password:
Welcome!
POST WARNING:
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. Any use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action.
(Press 'a' to accept):
6. To Verify FIPS mode is enabled, run the below command after the firewall is UP.
FortiGate-VM64-KVM # get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FGVM02TM22000832
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable <--------------------------------
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot
Note:
FIPS-cc mode can be enabled on units in HA mode (either Active-Active or Active-Passive). However, it needs to be enabled on both the Primary and Secondary units.
Related article:
Technical Tip: How to Verify if a FortiOS FIPS-CC Image is Certified or Patched.
