Description
This article describes how to enable FIPS-CC mode on FortiGate.
Scope
FortiGate.
Solution
Only certain versions and models are FIPS-CC certified.
Browse to support.fortinet.com/Download/FirmwareImages.aspx for the FIPS-CC-Certified images.
Enable on non-FIPS-CC certified version but it does not guarantee compliance.
To enable FIPS-CC mode, configure it via a console connection. It is NOT supported via GUI or SSH.
Note:
The default 'admin' administrator account must be present in the FortiGate configuration before enabling FIPS-CC mode, or the FortiGate will be inaccessible after FIPS-CC mode is enabled. A firmware restore via TFTP over a console connection is the only way to restore access to the device if FIPS-CC mode is enabled without the default admin account being present. Refer to Technical Tip: Formatting and loading FortiGate firmware image using TFTP for instructions on uploading the FortiGate firmware via the console port:
FortiGate models that do NOT have a CP9/CP9XLite/CP9Lite will lack an 'entropy source', which is required for generating strong encryption keys for FIPS-CC.
config sys fips
(fips-cc) set entropy-token
enable <- Enable entropy token to be present during the boot process.
disable <- Disable entropy token to be present during the boot process.
dynamic <- Dynamic detects entropy token to be present during the boot process.
Any unit that has a CP9/CP10, for the entropy source will NOT show the 'set entropy-token' command in the CLI, since the token is not necessary.
CLI launched through GUI:
Steps to Configure:
Enter the following commands.
show full-configuration
config system fips-cc
set status enable
set entropy-token enable
end
end
Please enter admin administrator password:
New password must confirm to the password policy enforced on this device:
minimum-length=8; must contain upper-case-letter lower-case-letter number non-al phanumeric
Please enter admin administrator password:**********
Please re-enter admin administrator password:**********
The system is going down NOW !!
Please stand by while rebooting the system.
Restarting system.
hw perf events fixed 4 > max(3), clipping!
System is starting...
FIPS-CC mode: Starting self-tests.
Running Configuration/VPN Bypass test... passed
Running AES test... passed
Running SHA1 HMAC test... passed
Running SHA256 HMAC test... passed
Running SHA384/512 HMAC test... passed
Running RSA test... passed
Running ECDSA test... passed
Running Primitive-Z test... passed
Running Firmware integrity test... passed
Running RBG-instantiate test... passed
Running RBG-reseed test... passed
Running RBG-generate test... passed
Self-tests passed
Serial number is FGVMXXXXXXXXX
5. Re-login back into firewall with the admin password set in step (2).
FortiGate-VM64-KVM login: admin
Password:
Welcome!
POST WARNING:
This is a private computer system. Unauthorized access or use
is prohibited and subject to prosecution and/or disciplinary
action. Any use of this system constitutes consent to
monitoring at all times and users are not entitled to any
expectation of privacy. If monitoring reveals possible evidence
of violation of criminal statutes, this evidence and any other
related information, including identification information about
the user, may be provided to law enforcement officials.
If monitoring reveals violations of security regulations or
unauthorized use, employees who violate security regulations or
make unauthorized use of this system are subject to appropriate
disciplinary action.
(Press 'a' to accept):
6. To Verify FIPS mode is enabled, run the below command after the firewall is UP.
get system status
Version: FortiGate-VM64-KVM v7.0.6,build0366,220606 (GA.F)
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
Serial-Number: FGVM02TM22000832
License Status: Warning
VM Resources: 1 CPU/2 allowed, 2007 MB RAM
Log hard disk: Available
Hostname: FortiGate-VM64-KVM
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable <--------------------------------
Current HA mode: standalone
Branch point: 0366
Release Version Information: GA
FortiOS x86-64: Yes
System time: Wed Aug 31 03:49:35 2022
Last reboot reason: warm reboot
Note:
FIPS-CC mode can be enabled on units in HA mode (either Active-Active or Active-Passive). However, it needs to be enabled on both the Primary and Secondary units.
After enabling FIPS mode and restore the configuration, be aware that all firewall policies are disabled. Please be sure to note down the name or ID of the firewall policies to enable later on.
Related article:
Technical Tip: How to Verify if a FortiOS FIPS-CC Image is Certified or Patched.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.