hhasny
Staff

Description


This article describes how to enable FIPS-CC mode on FortiGate.

Scope


FortiGate.


Solution

 

Only certain versions and models are FIPS-CC certified.
Browse to support.fortinet.com/Download/FirmwareImages.aspx for the FIPS-CC-certified images.

FIPS-CC mode can also be enabled on a firmware version that is not FIPS-CC certified, but doing so does not guarantee compliance.


To enable FIPS-CC mode, configure it over a console connection.
Enabling it from the CLI console launched through the GUI, or over SSH, is not supported.

[Screenshot (vsahu_0-1661943330831.png): CLI launched through the GUI compared with a console connection.]

 

Steps to configure:

 

1) Log in to the CLI through the console port. Use the default admin account or another account with a super_admin access profile. Enter the commands under config system fips-cc shown below; the show full-configuration output confirms the settings before end is issued.

 

mercury-kvm36 (fips-cc) # show full-configuration
config system fips-cc
set status enable
set entropy-token enable
end

mercury-kvm36 (fips-cc) # end

 
2) The device then prompts for a new administrator password, which must satisfy the password policy enforced on the unit:
 

Please enter admin administrator password:
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-alphanumeric

Please enter admin administrator password:**********
Please re-enter admin administrator password:**********

 

3) The CLI then displays the following warning:
 
Warning: most configuration will be lost,
do you want to continue?(y/n) 
 
4) Enter y. The FortiGate unit restarts, runs its cryptographic self-tests on boot, and comes up in FIPS-CC mode:
 

The system is going down NOW !!

FortiGate-VM64-KVM #
Please stand by while rebooting the system.
Restarting system.
hw perf events fixed 4 > max(3), clipping!

System is starting...

FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX 

 

5) To verify that FIPS-CC mode is enabled, run the following command once the firewall is back up and check the FIPS-CC mode field in the output:

 

FortiGate-VM64-KVM # get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FGVM02TM22000832
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable  --------------------------------> 
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot

 

Note: FIPS-CC mode can be enabled on units in HA mode (either Active-Active or Active-Passive). However, it must be enabled on both the primary and the secondary unit.
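When FIPS-CC mode is rolled out across several units, or across both members of an HA cluster as the note above requires, it is useful to verify the state from captured output rather than by reading the console by eye. The following Python script is an added example and is not part of the original article or Fortinet's own tooling: it parses the boot-time self-test banner from step 4 and the get system status output from step 5, reports whether every self-test passed, and lists any HA member whose FIPS-CC mode field is not "enable". The sample outputs embedded in it are constructed from the transcript in this article; the hostnames, the secondary unit's serial number and its HA mode value are placeholders.

```python
"""Verify FIPS-CC state of FortiGate units from captured CLI output.

Added example (not from the original article). Parses the self-test
banner printed at boot and the `get system status` output, then audits
one unit or every member of an HA cluster. Sample outputs below are
constructed, modelled on the article's transcript.
"""
import re
from typing import Dict, List

# One line per self-test, e.g. "Running AES test... passed".
SELF_TEST_RE = re.compile(r"^Running (?P<name>.+?) test\.\.\. (?P<result>\S+)$")


def parse_self_tests(console_text: str) -> Dict[str, bool]:
    """Map each self-test name to True when its result reads 'passed'."""
    results: Dict[str, bool] = {}
    for line in console_text.splitlines():
        m = SELF_TEST_RE.match(line.strip())
        if m:
            results[m.group("name")] = m.group("result") == "passed"
    return results


def self_tests_ok(console_text: str) -> bool:
    """True only if at least one test was seen, every test passed and the
    closing 'Self-tests passed' summary line is present."""
    results = parse_self_tests(console_text)
    summary_seen = any(l.strip() == "Self-tests passed" for l in console_text.splitlines())
    return bool(results) and all(results.values()) and summary_seen


def parse_status(status_text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of `get system status` into a dict.
    Splits on the first colon only, so values that contain colons
    themselves (such as 'System time') stay intact."""
    status: Dict[str, str] = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def fips_cc_enabled(status_text: str) -> bool:
    """True when the 'FIPS-CC mode' field reads 'enable'. Only the first
    token of the value is compared, so a trailing annotation (like the
    arrow marker in the article's sample output) is ignored."""
    value = parse_status(status_text).get("FIPS-CC mode", "")
    return value.split()[:1] == ["enable"]


def non_compliant_units(status_by_host: Dict[str, str]) -> List[str]:
    """Given `get system status` output per unit (keyed by hostname),
    return the sorted hostnames that are NOT running in FIPS-CC mode."""
    return sorted(host for host, text in status_by_host.items() if not fips_cc_enabled(text))


# --- constructed samples, modelled on the article's console transcript ---
SELF_TEST_SAMPLE = """FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX
"""

STATUS_PRIMARY = """Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Serial-Number: FGVM02TM22000832
Hostname: fgt-primary
FIPS-CC mode: enable  -------------------------------->
Current HA mode: standalone
System time: Wed Aug 31 03:49:35 2022
"""

# Placeholder second unit on which FIPS-CC mode was never enabled.
STATUS_SECONDARY = """Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Serial-Number: FGVMXXXXXXXXX2
Hostname: fgt-secondary
FIPS-CC mode: disable
Current HA mode: a-p
"""

if __name__ == "__main__":
    print("self-tests ok:", self_tests_ok(SELF_TEST_SAMPLE))
    cluster = {"fgt-primary": STATUS_PRIMARY, "fgt-secondary": STATUS_SECONDARY}
    print("units not in FIPS-CC mode:", non_compliant_units(cluster))
```

Feed the script the text captured from each unit's console or from a get system status run after the reboot; any hostname it returns is a member on which the procedure above still has to be completed.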
