Description
This article describes how to enable FIPS-CC mode on FortiGate.
Scope
FortiGate.
Solution
Only certain versions and models are FIPS-CC certified.
Browse to support.fortinet.com/Download/FirmwareImages.aspx for the FIPS-CC-Certified images.
Enable on non-FIPS-CC certified version but it does not guarantee compliance.
To enable FIPS-CC mode, configure it via a console connection.
It is not supported via GUI or SSH.
Note:
FIPS-CC mode is disabled by default after installing the firmware.
Follow the procedure below to enable FIPS-CC mode on your FortiGate.
CLI launched through GUI:
Using console connection.
Steps To configure:
1) Login to the CLI through the console port. Use the default admin account or another account with a super_admin access profile. Enter the following commands.
mercury-kvm36 (fips-cc) # show full-configuration
config system fips-cc
set status enable
set entropy-token enable
end
mercury-kvm36 (fips-cc) # end
2) After that, it will prompt the user to enter a new administrator password:
Please enter admin administrator password:
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-al phanumeric
Please enter admin administrator password:**********
Please re-enter admin administrator password:**********
3) After that the CLI displays the below message:
Warning: most configuration will be lost,
do you want to continue?(y/n)
do you want to continue?(y/n)
4) Enter y, the FortiGate unit restarts and is now running in FIPS-CC mode.
The system is going down NOW !!
FortiGate-VM64-KVM #
Please stand by while rebooting the system.
Restarting system.
hw perf events fixed 4 > max(3), clipping!
System is starting...
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX
5) To Verify FIPS mode is enabled, run the below command after the firewall is UP.
FortiGate-VM64-KVM # get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FGVM02TM22000832
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable -------------------------------->
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot
Note: FIPS-cc mode can be enabled on units in HA mode (either Active-Active or Active-Passive). However, it needs to be enabled on both the Primary and Secondary units.
