FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hhasny
Staff
Staff
Article Id 196629

Description


This article describes how to enable FIPS-CC mode on FortiGate.

Scope


FortiGate.


Solution

 

Only certain versions and models are FIPS-CC certified.
Browse to support.fortinet.com/Download/FirmwareImages.aspx for the FIPS-CC-Certified images.

Enable on non-FIPS-CC certified version but it does not guarantee compliance.


To enable FIPS-CC mode, configure it via a console connection. It is NOT supported via GUI or SSH.

 

Note:

 

FIPS-CC mode is disabled by default after installing the firmware.
Follow the procedure below to enable FIPS-CC mode on your FortiGate.

 

The default 'admin' administrator account must be present in the FortiGate configuration before enabling FIPS-CC mode, or the FortiGate will be inaccessible after FIPS-CC mode is enabled. A firmware restore via TFTP over a console connection is the only way to restore access to the device if FIPS-CC mode is enabled without the default admin account being present. Refer to this article for instructions on uploading the Fortigate firmware via the console port: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Formatting-and-loading-FortiGate-firmware-...

 

FortiGate models that do NOT have a CP9/CP9XLite/CP9Lite will lack an "entropy source", which is required for generating strong encryption keys for FIPS-CC.

  • For those models (such as the FortiGate-50E), a user would require a USB-based Entropy Token to be plugged in (you will otherwise get a repeating error message if you try to turn on FIPS-CC without an entropy source present).
  • Otherwise, it is possible to adjust the config to not require the token, but doing so means the FortiGate is not acting in a FIPS-CC compliant fashion:

FGT51E # config sys fips
FGT51E (fips-cc) # set entropy-token
enable     
<----- Enable entropy token to be present during the boot process.
disable   
<----- Disable entropy token to be present during the boot process.
dynamic   
<----- Dynamic detects entropy token to be present during the boot process.

 

Any unit that has a CP9/CP10, for the entropy source will NOT show the 'set entropy-token' command in the CLI, since the token is not necessary.

 

CLI launched through GUI:

 
Using console connection.

vsahu_0-1661943330831.png

 

Steps to Configure:

 

  1. Log in to the CLI through the console port. Use the default admin account or another account with a super_admin access profile.

     Enter the following commands.

 

mercury-kvm36 (fips-cc) # show full-configuration
config system fips-cc
set status enable
set entropy-token enable
end

mercury-kvm36 (fips-cc) # end

 
     2. After that, it will prompt the user to enter a new administrator password:
 

Please enter admin administrator password:
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-al phanumeric

Please enter admin administrator password:**********
Please re-enter admin administrator password:**********

 

     3. After that the CLI displays the below message: 
 
Warning: most configuration will be lost,
do you want to continue?(y/n) 
 
     4. Enter y, the FortiGate unit restarts and is now running in FIPS-CC mode.
 

The system is going down NOW !!

FortiGate-VM64-KVM #
Please stand by while rebooting the system.
Restarting system.
hw perf events fixed 4 > max(3), clipping!

System is starting...

FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX 

 

     5. Re-login back into firewall with the admin password set in step (2).

 

    FortiGate-VM64-KVM login: admin
    Password:
    Welcome!


    POST WARNING:
    This is a private computer system. Unauthorized access or use
    is prohibited and subject to prosecution and/or disciplinary
    action. Any use of this system constitutes consent to
    monitoring at all times and users are not entitled to any
    expectation of privacy. If monitoring reveals possible evidence
    of violation of criminal statutes, this evidence and any other
    related information, including identification information about
    the user, may be provided to law enforcement officials.
    If monitoring reveals violations of security regulations or
    unauthorized use, employees who violate security regulations or
    make unauthorized use of this system are subject to appropriate
    disciplinary action.


   (Press 'a' to accept):

 

     6. To Verify FIPS mode is enabled, run the below command after the firewall is UP.

 

FortiGate-VM64-KVM # get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FGVM02TM22000832
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable  <--------------------------------
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot

 

Note:

FIPS-cc mode can be enabled on units in HA mode (either Active-Active or Active-Passive). However, it needs to be enabled on both the Primary and Secondary units.

Related article:
Technical Tip: How to Verify if a FortiOS FIPS-CC Image is Certified or Patched.