This article describes how to enable FIPS-CC mode on FortiGate.
Only certain versions and models are FIPS-CC certified.
Browse to support.fortinet.com/Download/FirmwareImages.aspx for the FIPS-CC-Certified images.
FIPS-CC mode can also be enabled on a version that is not FIPS-CC certified, but doing so does not guarantee compliance.
To enable FIPS-CC mode, configure it via a console connection. It is NOT supported via GUI or SSH.
FortiGate models that do NOT have a CP9/CP9XLite/CP9Lite will lack an "entropy source", which is required for generating strong encryption keys for FIPS-CC.
CLI launched through the GUI: (screenshot not reproduced in this extract)
Steps to Configure:
Enter the following commands.
mercury-kvm36 (fips-cc) # show full-configuration
config system fips-cc
set status enable
set entropy-token enable
mercury-kvm36 (fips-cc) # end
Please enter admin administrator password:
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-alphanumeric
Please enter admin administrator password:**********
Please re-enter admin administrator password:**********
The system is going down NOW !!
Please stand by while rebooting the system.
hw perf events fixed 4 > max(3), clipping!
System is starting...
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Serial number is FGVMXXXXXXXXX
5. Log back in to the firewall with the admin password set in step (2).
FortiGate-VM64-KVM login: admin
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. Any use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
(Press 'a' to accept):
6. To verify that FIPS-CC mode is enabled, run the following command after the firewall is up.
FortiGate-VM64-KVM # get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable <--------------------------------
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot
FIPS-CC mode can be enabled on units in HA mode (either Active-Active or Active-Passive). However, it must be enabled on both the Primary and Secondary units.
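As an added example (not part of the original article or of any Fortinet tool), the following Python script checks two things a practitioner would want to confirm after the procedure above: that every self-test in the console boot log reported "passed", and that "FIPS-CC mode: enable" appears in the "get system status" output of every HA member, since the note above requires it on both the Primary and the Secondary. The log and status text are constructed samples modelled on the output shown in this article; the HA-mode line and the function names are assumptions for illustration.

```python
import re

# Constructed sample of the console self-test lines shown in the article.
SELF_TEST_LOG = """\
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
"""

# Constructed (abridged) `get system status` output for two HA members.
# The "Current HA mode" values are assumptions for this example.
PRIMARY_STATUS = """\
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Operation Mode: NAT
FIPS-CC mode: enable <--------------------------------
Current HA mode: a-p, primary
"""

SECONDARY_STATUS = """\
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Operation Mode: NAT
FIPS-CC mode: disable
Current HA mode: a-p, secondary
"""

# The twelve self-tests listed in the article's boot output.
EXPECTED_SELF_TESTS = [
    "Configuration/VPN Bypass", "AES", "SHA1 HMAC", "SHA256 HMAC",
    "SHA384/512 HMAC", "RSA", "ECDSA", "Primitive-Z", "Firmware integrity",
    "RBG-instantiate", "RBG-reseed", "RBG-generate",
]

SELF_TEST_RE = re.compile(r"^Running (?P<name>.+?) test\.\.\. (?P<result>\w+)\s*$")
STATUS_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_self_tests(log):
    """Map each 'Running <name> test... <result>' line to {name: result}."""
    results = {}
    for line in log.splitlines():
        m = SELF_TEST_RE.match(line.strip())
        if m:
            results[m.group("name")] = m.group("result").lower()
    return results


def self_tests_ok(log, expected=EXPECTED_SELF_TESTS):
    """Return (all_good, missing_tests, failed_tests) for a boot log."""
    results = parse_self_tests(log)
    missing = [t for t in expected if t not in results]
    failed = [t for t, r in results.items() if r != "passed"]
    return (not missing and not failed, missing, failed)


def parse_status(output):
    """Turn 'Key: value' lines of `get system status` into a dict.
    Trailing '<---' annotations (as in the article's listing) are dropped."""
    fields = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            value = m.group("value").split("<--")[0].strip()
            fields[m.group("key").strip()] = value
    return fields


def fips_cc_enabled(output):
    """True only if the status output reports 'FIPS-CC mode: enable'."""
    return parse_status(output).get("FIPS-CC mode", "").lower() == "enable"


def ha_cluster_fips_cc(member_outputs):
    """Return (all_members_enabled, {member_label: enabled}) for an HA pair."""
    per_member = {label: fips_cc_enabled(out) for label, out in member_outputs.items()}
    return all(per_member.values()), per_member


if __name__ == "__main__":
    print("self-tests:", self_tests_ok(SELF_TEST_LOG))
    print("HA cluster:", ha_cluster_fips_cc(
        {"primary": PRIMARY_STATUS, "secondary": SECONDARY_STATUS}))
```

In practice, feed the script the captured console session from the reboot and the "get system status" output collected from each cluster member; a missing self-test line is reported separately from a failed one, so a truncated capture is not mistaken for a passing unit.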